
I have currently the following DNS setup.

Domain: domain.tld
Example IPv4: 1.2.3.4
Example IPv6: fe80::1

Host  Type  Destination
*     A     1.2.3.4
*     AAAA  fe80::1

This setup works perfectly as expected. If I open any software and enter notexisting.domain.tld, I get a valid resolution to 1.2.3.4.

Now to the problem: if I simply add a TXT record for a Let's Encrypt DNS validation with the following content:

Host                        Type  Destination
_acme-challenge.notexisting TXT   XrcC2WczNeJNvhNfbLFjE0iawzIZTlR6BEmD4OxF-pw

After the TTL has expired and I query the zone again, I get the following result:

Only a SOA and a TXT are returned for notexisting.domain.tld. This is weird in my opinion, because if I add another subdomain to my zone, DNS will fail for the duration of the DNS validation. How can I prevent this from happening?

I tested with Bind and PowerDNS software and got the same result.

This sounds like expected behavior considering how wildcards are supposed to work.

Wildcards only apply to branches of the tree that do not exist. After you add that record for _acme-challenge.notexisting, the notexisting branch exists, i.e., the wildcard no longer applies there.

What you want is to add the relevant records for notexisting rather than relying on that wildcard. (Maybe a wildcard was not the correct solution in the first place?)

If the use-case here involves adding new subdomains on the fly, both BIND and PowerDNS support dynamic updates (RFC 2136); alternatively, PowerDNS also has a REST API. So programmatic addition of records should be readily available for both.

Håkan Lindqvist
  • So I need to add, for every branch I want, a new record like `notexisting A 1.2.3.4`. My problem was that I hadn't found any specification saying that the wildcard should not fall back to the main branch. I'll accept this answer as it solves my initial problem, though. Thanks – Dominik S. May 10 '20 at 18:26
  • @DominikS. https://tools.ietf.org/html/rfc1034#section-4.3.3 – Håkan Lindqvist May 10 '20 at 18:30