
I would like to enable DANE/TLSA on *.example.com for HTTPS.

To activate it on example.com I can do this (I used TYPE52 instead of TLSA because my DNS provider is not DANE-aware):

    _443._tcp.example.com. IN TYPE52 \# 35 01010102d50459538b4c549014266824948c9294da322581e51a0f0e79ce8aea0def89

Wildcards are not allowed in the middle, so I can't do this (right?):

    _443._tcp.*.example.com. IN TYPE52 \# 35 01010102d50459538b4c549014266824948c9294da322581e51a0f0e79ce8aea0def89

But to activate it on *.example.com, the only way I found is this (the first line was already there to redirect *.example.com to the same IPs):

    *                         IN CNAME  example.com.
    example.com.              IN TYPE52 \# 35 01010102d50459538b4c549014266824948c9294da322581e51a0f0e79ce8aea0def89

It works, but it falsely enables it for all protocols/ports (ssh, imaps, ...).

Did I miss something?

Should I explicitly add all sub-domains instead of using a wildcard?

Tom

1 Answer


I don't believe you missed anything. At least not for a nameserver that serves static data, which is probably your only option anyway as you need DNSSEC.

In general, if it's feasible you probably should add the names that are actually in use rather than use wildcards. (It's clearly better from a technical perspective, however it's usually business demands that drive people to use wildcards.)

Håkan Lindqvist
  • Thank you. I know I could manage my own DNS nameserver, but I really don't want to manage the DNSSEC part! I think I'll remove the wildcard. And as the website doesn't have a wildcard certificate and has HSTS preload, nonexistent subdomains are not accessible anyway. – Tom Aug 11 '15 at 15:31
  • I'd like to revisit this question. If I have a wildcard `*.domain TLSA` then it will be returned for any subdomain like `_443._tcp.RANDOMSUBDOMAIN.domain` because even though it's three labels, it matches the wildcard. However, this TLSA doesn't validate and I suspect it is because the DNSSEC signs the `'*'` literally and perhaps this is not getting resolved properly. – pinhead Jul 07 '20 at 19:03
  • 1
    @pinhead I'd think the problem rather is that `RANDOMSUBDOMAIN.domain` presumably exists, right? Which makes `*.domain` not match `RANDOMSUBDOMAIN.domain` (or for that matter `_443._tcp.RANDOMSUBDOMAIN.domain`). Wildcards only ever expand to names that do not exist (regardless of type). – Håkan Lindqvist Jul 07 '20 at 23:16
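The wildcard behaviour the answer and the last comment describe can be checked without a signed zone. The following is an added example, not code from the question, the answer or any DNS software: a toy authoritative lookup that applies the RFC 4592 rules (closest encloser, empty non-terminals, and "only a leftmost `*` label is a wildcard") to two constructed zones, one with the questioner's `* CNAME example.com.` setup and one with the rejected `_443._tcp.*.example.com.` record, plus a decoder for the RFC 3597 generic `TYPE52 \# <len> <hex>` form used above. The TLSA rdata is the one from the question; every owner name, address and query name is made up for illustration.

```python
"""Added example (not from the question or answer): RFC 4592 wildcard matching
over constructed zones, plus decoding of RFC 3597 generic "TYPE52 \\# n hex" rdata."""

from collections import defaultdict

# The TYPE52 rdata posted in the question: usage 1, selector 1, matching type 1
# (SHA-256 over the SubjectPublicKeyInfo), so 3 header bytes + 32 = 35 bytes.
TLSA_RDATA = r"\# 35 01010102d50459538b4c549014266824948c9294da322581e51a0f0e79ce8aea0def89"


def decode_generic_tlsa(text):
    """Parse RFC 3597 generic rdata ('\\# <len> <hex>') into RFC 6698 TLSA fields."""
    marker, length, *hexparts = text.split()
    if marker != "\\#":
        raise ValueError("not RFC 3597 generic rdata")
    raw = bytes.fromhex("".join(hexparts))          # hex may be split over several tokens
    if len(raw) != int(length):
        raise ValueError(f"declared {length} bytes, found {len(raw)}")
    return {"usage": raw[0], "selector": raw[1], "matching_type": raw[2],
            "data": raw[3:].hex()}


def canon(name):
    """Lower-case and drop the trailing dot: 'Www.Example.com.' -> 'www.example.com'."""
    return name.rstrip(".").lower()


def parent(name):
    """Strip the leftmost label: '_443._tcp.example.com' -> '_tcp.example.com'."""
    return name.partition(".")[2]


class Zone:
    """Minimal in-memory zone with RFC 4592 wildcard synthesis (constructed for this example)."""

    def __init__(self, apex, records):
        self.apex = canon(apex)
        self.rrsets = defaultdict(lambda: defaultdict(list))   # owner -> type -> [rdata]
        self.names = set()   # every name that "exists", including empty non-terminals
        for owner, rtype, rdata in records:
            owner = canon(owner)
            self.rrsets[owner][rtype].append(rdata)
            while True:                      # an owner name makes all its ancestors exist
                self.names.add(owner)
                if owner == self.apex:
                    break
                owner = parent(owner)

    def lookup(self, qname, qtype, _depth=0):
        """Return (status, owner, rdatas) with status ANSWER, NODATA or NXDOMAIN."""
        qname = canon(qname)
        if qname != self.apex and not qname.endswith("." + self.apex):
            raise ValueError(f"{qname} is not in zone {self.apex}")
        if qname in self.names:                      # exact match, no wildcard processing
            return self._answer(qname, qname, qtype, _depth)
        encloser = parent(qname)                     # closest encloser: longest existing ancestor
        while encloser not in self.names:
            encloser = parent(encloser)
        wildcard = "*." + encloser                   # the only candidate source of synthesis
        if wildcard not in self.names:
            return ("NXDOMAIN", qname, [])
        return self._answer(wildcard, qname, qtype, _depth)   # synthesised under qname

    def _answer(self, source, owner, qtype, depth):
        rrs = self.rrsets.get(source, {})            # {} for an empty non-terminal
        if "CNAME" in rrs and qtype != "CNAME":      # follow the CNAME, as a resolver would
            if depth > 8:
                raise RuntimeError("CNAME chain too long")
            status, _, rdatas = self.lookup(rrs["CNAME"][0], qtype, depth + 1)
            return (status, owner, rdatas)
        if qtype in rrs:
            return ("ANSWER", owner, list(rrs[qtype]))
        return ("NODATA", owner, [])


# Zone 1: the questioner's working setup, a CNAME wildcard pointing at the apex.
CNAME_WILDCARD_ZONE = Zone("example.com.", [
    ("example.com.",           "A",      "192.0.2.1"),
    ("example.com.",           "TYPE52", TLSA_RDATA),
    ("_443._tcp.example.com.", "TYPE52", TLSA_RDATA),
    ("*.example.com.",         "CNAME",  "example.com."),
    ("www.example.com.",       "A",      "192.0.2.2"),    # a subdomain that really exists
])

# Zone 2: the rejected idea, a literal '*' that is not the leftmost label.
MID_STAR_ZONE = Zone("example.com.", [
    ("example.com.",             "A",      "192.0.2.1"),
    ("_443._tcp.*.example.com.", "TYPE52", TLSA_RDATA),
])


def demo():
    """The lookups discussed in the thread, as {description: status}."""
    z1, z2 = CNAME_WILDCARD_ZONE, MID_STAR_ZONE
    return {
        "explicit _443._tcp.example.com":        z1.lookup("_443._tcp.example.com.", "TYPE52")[0],
        "wildcard, foo does not exist, port 443": z1.lookup("_443._tcp.foo.example.com.", "TYPE52")[0],
        "wildcard, foo does not exist, port 22":  z1.lookup("_22._tcp.foo.example.com.", "TYPE52")[0],
        "wildcard, but www exists":              z1.lookup("_443._tcp.www.example.com.", "TYPE52")[0],
        "mid-label '*' record":                  z2.lookup("_443._tcp.foo.example.com.", "TYPE52")[0],
    }


if __name__ == "__main__":
    print(decode_generic_tlsa(TLSA_RDATA))
    for what, status in demo().items():
        print(f"{status:8} {what}")
```

The run reproduces the thread: the CNAME wildcard hands the apex TLSA to `_443._tcp.foo.example.com` and just as readily to `_22._tcp.foo.example.com` (the "all protocols/ports" problem), `_443._tcp.www.example.com` gets NXDOMAIN because `www.example.com` exists and so becomes the closest encloser (the point in the last comment), and in the mid-label zone `*.example.com` exists only as an empty non-terminal, so the literal `_443._tcp.*.example.com` record is never synthesised and the query gets NODATA. Against a real server, `dig _443._tcp.foo.example.com TLSA +dnssec` shows the same thing; a wildcard-synthesised answer carries an RRSIG whose Labels field is smaller than the label count of the owner name, which is how validators know to prove the wildcard was the right match.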