zones: add explicit CNAME-to-apex for RFC 4592 empty-non-terminals

Wildcards in DNS only synthesize for names that don't already exist
in the zone tree. A `_acme-challenge.<sub>` TXT record makes <sub>
an "empty non-terminal" — exists in the tree (as a parent node) but
has no records of its own. Per RFC 4592 §2.2.3, wildcards skip these,
so RFC-compliant resolvers (HE, BIND) return NODATA for <sub> even
when the zone has `* CNAME @`.

Fix: for each <sub> that's an empty non-terminal in a zone with a
wildcard, add an explicit `<sub> CNAME @` so the resolution outcome
matches what the wildcard would have produced. Zero-knowledge — no
need to identify the specific service IP per name.

30 records added across 14 zones:
  acrazy.org (langfuse.dootie)
  context.bet (studio)
  copper-springs.online (docs.butler.dev)
  demostar.io (cw.cw, doom, meet)
  home-inspector.store (api, dashboard, mailpit)
  inspect.pics (admin)
  log.doctor (app, docs)
  malloys.us (cp, cp-sandbox, mary)
  nielsen-inspections.com (calendar, cw, files, v2-calendar)
  qubeseptic.com (api.dispatch, dispatch, leads, mail.dispatch,
                  rentcache.dispatch)
  ryanmalloy.com (c4ai)
  sidejob.pro (api)
  upc.llc (catalog, minio.or, or, s3)

CoreDNS (lenient) was returning the wildcard CNAME for these names
anyway; HE (strict RFC-compliant) was returning empty. After this
change, both behave identically.
Ryan Malloy 2026-05-18 18:34:51 -06:00
parent c19df5d0a5
commit f8363e5ea7
13 changed files with 69 additions and 13 deletions
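The mechanism the commit message describes (an `_acme-challenge.<sub>` TXT turning `<sub>` into an empty non-terminal that a strict server answers with NODATA instead of the `* CNAME @` synthesis, and the explicit-record fix) can be checked against a small model of RFC 4592 lookup. The following is an added example, not code from the zones repo or from any of the nameservers named above. The zone is constructed; owner names are relative to a hypothetical origin. It goes one step beyond the commit's `CNAME @` recipe: the record it derives for each empty non-terminal is whatever rrset the wildcard that would actually have applied (the `*` child of the closest encloser, which need not be the apex `*`) would have synthesized, and it also shows a consequence the message does not mention: names below an empty non-terminal are NXDOMAIN under strict rules, before and after the fix, because synthesis only ever comes from the closest encloser's own wildcard.

```python
"""
Model of RFC 4592 wildcard lookup: why an empty non-terminal (ENT) defeats
`* CNAME @`, and how to derive the explicit record that restores the outcome.
Added example, not code from the zones repo. The zone below is constructed;
owner names are relative to a hypothetical origin, "@" is the apex.
"""
from typing import Dict, List, Tuple

RR = Tuple[str, str]          # (rrtype, rdata)
Zone = Dict[str, List[RR]]    # relative owner name -> records


def labels(name: str) -> List[str]:
    return [] if name == "@" else name.split(".")


def exists(zone: Zone, name: str) -> bool:
    """RFC 4592 §2.2.2: a name exists if it owns records or if some record
    owner lies below it; in the second case it is an empty non-terminal."""
    return name == "@" or name in zone or any(o.endswith("." + name) for o in zone)


def lookup(zone: Zone, qname: str, qtype: str, strict: bool = True) -> Tuple[str, List[RR]]:
    """Authoritative answer as (rcode, rrset). strict=True follows RFC 4592:
    an existing name answers from its own records (an ENT gives NODATA, i.e.
    NOERROR with an empty rrset) and is never synthesized; a non-existent name
    is synthesized only from the '*' child of its closest encloser and is
    NXDOMAIN if that wildcard is absent. strict=False models the lenient
    behaviour the commit message attributes to CoreDNS: an ENT is treated as
    non-existent and falls through to wildcard synthesis."""
    def answer(rrs: List[RR]) -> Tuple[str, List[RR]]:
        cname = [rr for rr in rrs if rr[0] == "CNAME"]   # a CNAME answers any qtype
        return "NOERROR", cname or [rr for rr in rrs if rr[0] == qtype]

    if qname in zone or (strict and exists(zone, qname)):
        return answer(zone.get(qname, []))
    parts = labels(qname)
    for i in range(1, len(parts) + 1):
        ancestor = ".".join(parts[i:]) or "@"
        if exists(zone, ancestor):                          # closest encloser
            source = "*" if ancestor == "@" else "*." + ancestor
            return answer(zone[source]) if source in zone else ("NXDOMAIN", [])
    return "NXDOMAIN", []   # not reached: "@" always exists


def empty_non_terminals(zone: Zone) -> List[str]:
    """Ancestors of record owners that own no records themselves."""
    ents = set()
    for owner in zone:
        parts = labels(owner)
        for i in range(1, len(parts)):
            ancestor = ".".join(parts[i:])
            if ancestor not in zone:
                ents.add(ancestor)
    return sorted(ents)


def wildcard_would_have_given(zone: Zone, name: str, qtype: str = "A") -> Tuple[str, List[RR]]:
    """The strict answer `name` would get if neither it nor anything below it
    were in the zone: the outcome the explicit record is meant to reproduce."""
    pruned = {o: rrs for o, rrs in zone.items() if o != name and not o.endswith("." + name)}
    return lookup(pruned, name, qtype)


def add_explicit_records(zone: Zone) -> Zone:
    """The commit's fix, generalized: give each ENT the rrset that the wildcard
    actually applicable to it would have synthesized (not necessarily the apex
    `*`). ENTs with no applicable wildcard (NXDOMAIN) are left alone."""
    fixed = dict(zone)
    for ent in empty_non_terminals(zone):
        rcode, rrs = wildcard_would_have_given(zone, ent)
        if rcode == "NOERROR" and rrs:
            fixed[ent] = list(rrs)
    return fixed


# Constructed zone in the shape the commit describes: a catch-all wildcard to
# the apex, a second wildcard under "dev", and ACME validation TXT records
# whose presence turns "app", "butler.dev" and "docs.butler.dev" into ENTs.
ZONE: Zone = {
    "@": [("A", "192.0.2.1")],
    "*": [("CNAME", "@")],
    "dev": [("CNAME", "edge.example.net.")],
    "*.dev": [("CNAME", "dev")],
    "_acme-challenge.app": [("TXT", "acme-token-1")],
    "_acme-challenge.docs.butler.dev": [("TXT", "acme-token-2")],
}


def demo() -> Dict[str, Tuple[str, List[RR]]]:
    fixed = add_explicit_records(ZONE)
    return {
        "www, never existed":           lookup(ZONE, "www", "A"),
        "app before, strict (NODATA)":  lookup(ZONE, "app", "A"),
        "app before, lenient":          lookup(ZONE, "app", "A", strict=False),
        "app after, strict":            lookup(fixed, "app", "A"),
        "docs.butler.dev after":        lookup(fixed, "docs.butler.dev", "A"),
        "x.app after (still NXDOMAIN)": lookup(fixed, "x.app", "A"),
    }


if __name__ == "__main__":
    print("ENTs:", empty_non_terminals(ZONE))
    for label, result in demo().items():
        print(f"{label:30} {result}")
```

Run as a script it lists the three ENTs and the lookups; `app` gets `NOERROR, []` from the strict path and the synthesized `CNAME @` from the lenient one, and after `add_explicit_records` both paths agree. Note that `docs.butler.dev` is given `CNAME dev`, from `*.dev`, not the apex wildcard: pruning the ENT's subtree and re-running the lookup is what "what the wildcard would have produced" means once a zone has more than one wildcard.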


@ -38,4 +38,7 @@ _acme-challenge.l 300 IN TXT "WmE8LR03vR1ua26QK58PxCmfxQ-_369sXIezIr8cNoM"
_acme-challenge.l 300 IN TXT "Ike1gqcB3VI7WwKoH3T8zqbpYSo2qRPrq0iqzB5wmFU"
_acme-challenge.langfuse.dootie 300 IN TXT "1WJ-mHJ2SQuuC5CgxbYY6euwiMZm1dVicfIkeluovTY"
_acme-challenge.dootie.l 300 IN TXT "uW30ozl6AKA_q9FWPlvaxuwbgBJ-TgTsXxA3JFtn0tg"
_acme-challenge.langfuse.dootie.l 300 IN TXT "P6tOVfwB8OBbI6AqnIuHXKQc05FjuABhGihUHwzpMOs"
_acme-challenge.langfuse.dootie.l 300 IN TXT "P6tOVfwB8OBbI6AqnIuHXKQc05FjuABhGihUHwzpMOs"
; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
; (parent name has _acme-challenge children, so wildcard would skip it)
langfuse.dootie 300 IN CNAME acrazy.org
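Review bot: the context of this hunk also shows `_acme-challenge.dootie.l` and `_acme-challenge.langfuse.dootie.l`, so by the rule stated in the new comment `dootie.l` and `langfuse.dootie.l` are empty non-terminals too, as is `dootie` itself (parent of `langfuse.dootie`), yet only `langfuse.dootie` gets a CNAME here. If those names already own records further up the file, or are meant to stay NODATA, fine; otherwise they are missed by the same bug this commit fixes. A short addition to the comment saying which `.l` names are deliberately excluded would spare the next reader the same check.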


@ -29,4 +29,7 @@ _acme-challenge 300 IN TXT "8lJ4Ury26qHtSwLaABC9UB_ZdFja3ZmujmUg7-5Y4Bg"
_acme-challenge 300 IN TXT "FSMb7Ru6xgzIIUvlzSzzVnOsGQD2Dgxm_qhx6hyymnE"
_acme-challenge 300 IN TXT "yB9kMNkHqVDe5vMvkgN5SFxiXgDSlSyUgldfW971BXw"
_acme-challenge 300 IN TXT "dpheXmHW0vH_NW5t8Ie_OWXiJkZT0l2U2Yu9w5n5uZg"
_acme-challenge 300 IN TXT "K6DYSkbn2Fk_P0fA1fxbIZszce4NzjTtgodaUNxDS1w"
_acme-challenge 300 IN TXT "K6DYSkbn2Fk_P0fA1fxbIZszce4NzjTtgodaUNxDS1w"
; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
; (parent name has _acme-challenge children, so wildcard would skip it)
studio 300 IN CNAME context.bet
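Review bot: the comment says the parent name has `_acme-challenge` children, but none for `studio` appear in the visible context; only apex `_acme-challenge` TXT records do. They may well sit elsewhere in the file, but since the same two comment lines are pasted into every zone, the justification is unverifiable from the record itself. Naming the child that triggers the rule per record (for example `; studio: _acme-challenge.studio exists`) would make each CNAME self-explanatory and make a stale one obvious once the ACME records are cleaned up.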


@ -10,4 +10,7 @@ dev 300 IN CNAME rpm-bullet.mer.idahomuellers.net
* 300 IN CNAME copper-springs.online
*.dev 300 IN CNAME dev.copper-springs.online
300 IN MX 10 copper-springs.online
_acme-challenge.docs.butler.dev 300 IN TXT "JcIKn8HyUtQMwY_q0FNdj-XfacQS9Tn5SQiwTKB79VE"
_acme-challenge.docs.butler.dev 300 IN TXT "JcIKn8HyUtQMwY_q0FNdj-XfacQS9Tn5SQiwTKB79VE"
; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
; (parent name has _acme-challenge children, so wildcard would skip it)
docs.butler.dev 300 IN CNAME copper-springs.online
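Review bot: the target looks wrong for this zone. The context shows two wildcards with different targets, `* 300 IN CNAME copper-springs.online` and `*.dev 300 IN CNAME dev.copper-springs.online`, and `docs.butler.dev` lies under `dev`. Had the name not existed, RFC 4592 synthesis would have come from `*.dev` (the `*` child of the closest encloser), so the record that "matches what the wildcard would have produced" is `docs.butler.dev 300 IN CNAME dev.copper-springs.online`, not the apex; please confirm which host actually serves it. By the same rule `butler.dev` is an empty non-terminal as well (its child `docs.butler.dev` now owns a record) and gets nothing here.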


@ -31,4 +31,9 @@ _acme-challenge.vdo 300 IN TXT "BlvVWIzjIj4o73qkYNfNdF_Q8MW13vxV6HTgO0-NzmM"
_acme-challenge.vdo 300 IN TXT "slcvr2gvi6ahNucyzfzLvInL-l0L1P93I2p3vQ3ytrU"
_acme-challenge.vdo 300 IN TXT "cGxfMICfHYD7QiQmsAuWuVN-hQQoZ38GcvDTigsioWQ"
_acme-challenge.cw.cw 300 IN TXT "Y0ahdJHcKysWxYNQG8aXQuWr0uSp7WVlwxkdWYHcrIM"
_acme-challenge.cw 300 IN TXT "e7IRkthq2cwpEJHEjbAsQwqkvQGHl831X6luH3ct6uc"
_acme-challenge.cw 300 IN TXT "e7IRkthq2cwpEJHEjbAsQwqkvQGHl831X6luH3ct6uc"
; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
; (parent name has _acme-challenge children, so wildcard would skip it)
cw.cw 300 IN CNAME demostar.io
doom 300 IN CNAME demostar.io
meet 300 IN CNAME demostar.io


@ -12,4 +12,9 @@ _acme-challenge.dashboard 300 IN TXT "TLTjv7weswoJMxQ8K897MGeez7RJlTTay7sJ5_OQY-
_acme-challenge 300 IN TXT "qtDNogktSbMLdjkIQNciTHAIIKIIO7CKaOhIvg2PY7U"
_acme-challenge.dashboard 300 IN TXT "U3yUObG_I0bU4lEiBQz_saa-U9ysq0lSRCqJcBwJi2I"
_acme-challenge.api 300 IN TXT "LwzNwdpFoJsKzXbGhaV7nenwRFj9vDyIAokNLdV4zwE"
_acme-challenge.mailpit 300 IN TXT "ZAfKxXBLnghzsFKBTXOIdFvEzgfu4zOny_Kqv3cF3AM"
_acme-challenge.mailpit 300 IN TXT "ZAfKxXBLnghzsFKBTXOIdFvEzgfu4zOny_Kqv3cF3AM"
; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
; (parent name has _acme-challenge children, so wildcard would skip it)
api 300 IN CNAME home-inspector.store
dashboard 300 IN CNAME home-inspector.store
mailpit 300 IN CNAME home-inspector.store
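Review bot: the repeated `_acme-challenge.mailpit` line at the end of the context is the old final line being removed and re-added, which is what a missing newline at end of file looks like in a diff; the same pair appears in every file of this commit and accounts for the 13 deletions in the header. Harmless, but it doubles the apparent size of each hunk; a one-off commit that adds the trailing newlines (or an editorconfig `insert_final_newline = true`) would keep record diffs readable. On the counts in the message: it says 30 records across 14 zones, but 13 zones are listed and the header shows 13 changed files.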


@ -12,4 +12,7 @@ l 300 IN A 127.0.0.1
300 IN MX 10 inspect.pics
_acme-challenge 300 IN TXT "O76KUDoUq834H7foiWV2VXVO-XWWAx2mGm1Gt3YJtvQ"
_acme-challenge 300 IN TXT "0QRoK7IMPLfLffpv8aH8afyw6f9ssDb9NPbWJSJ66q8"
_acme-challenge.admin 300 IN TXT "i5VYntrsr97R142m7Xj7FJR4huFX1KGlQPgnQjHEeTk"
_acme-challenge.admin 300 IN TXT "i5VYntrsr97R142m7Xj7FJR4huFX1KGlQPgnQjHEeTk"
; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
; (parent name has _acme-challenge children, so wildcard would skip it)
admin 300 IN CNAME inspect.pics


@ -9,4 +9,8 @@ $TTL 3600
* 300 IN CNAME log.doctor
300 IN MX 10 log.doctor
_acme-challenge.app 300 IN TXT "y2ZR60rA40x7LtMubTbAZNNubTCIHm36_FT0dTZ6e9E"
_acme-challenge.docs 300 IN TXT "5lVC4dW_6dd8ir0eNION32rSBVTl1WXL69QRzaiJ8ds"
_acme-challenge.docs 300 IN TXT "5lVC4dW_6dd8ir0eNION32rSBVTl1WXL69QRzaiJ8ds"
; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
; (parent name has _acme-challenge children, so wildcard would skip it)
app 300 IN CNAME log.doctor
docs 300 IN CNAME log.doctor
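Review bot: not introduced by this hunk but visible in its context: `300 IN MX 10 log.doctor` directly after `* 300 IN CNAME log.doctor` has no owner field. Under RFC 1035 master-file rules a record whose owner is blank (leading whitespace) takes the previous owner, which here is `*`, placing MX data beside a CNAME at the same node, which RFC 1034 §3.6.2 forbids; if the field really is empty at column 0, `300` is parsed as the owner and the MX lands on `300.log.doctor`. Since the message lists BIND among the consumers, `named-checkzone log.doctor <file>` will show which applies; if the apex is intended, write `@ 300 IN MX 10 log.doctor` explicitly. The same pattern appears in the copper-springs.online, inspect.pics and sidejob.pro files touched by this commit.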


@ -38,4 +38,9 @@ _acme-challenge 300 IN TXT "hPz_OIZGc2qyHrNMGkPCXDf4ML4bv67P_ojmb-ed6gM"
_acme-challenge 300 IN TXT "mzrirf7ykU_V_6mh38Q664h_yg3AEVA88tQRE7YGOUc"
_acme-challenge 300 IN TXT "v4oJppz3N-D9IEBw0faQ54pg7WsLmDNua7bVgQWVmpw"
_acme-challenge 300 IN TXT "OlN30ETZq9etulzl9lOMTDvWQ4Frpq2NlyGOx5kpB_I"
300 IN TXT "openai-domain-verification=dv-pa82Ps1fOTq50Ad2crkhWWTv"
300 IN TXT "openai-domain-verification=dv-pa82Ps1fOTq50Ad2crkhWWTv"
; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
; (parent name has _acme-challenge children, so wildcard would skip it)
cp 300 IN CNAME malloys.us
cp-sandbox 300 IN CNAME malloys.us
mary 300 IN CNAME malloys.us


@ -41,4 +41,10 @@ _acme-challenge 300 IN TXT "rf2G1O-_2lWOD3YVIDzsCf-3SjeOW4xQkijU6S-peg8"
_acme-challenge 300 IN TXT "_OarPKPxYMpsvT_VuAKVkJoxP1vQmqMMRESOwpPflbg"
_acme-challenge 300 IN TXT "06at-8AT6CKT6Cbn5JEfASqOyiqx2T-PfvYlg4O86Bo"
_acme-challenge 300 IN TXT "8YYbiZ4dEbfK0KKrVWl81ZCdamED1a9b_3we2JEl-rE"
_acme-challenge.files 300 IN TXT "nckNo7UBhAFgevwMvQ85niQIiXuU37FoLK3XVECZzfk"
_acme-challenge.files 300 IN TXT "nckNo7UBhAFgevwMvQ85niQIiXuU37FoLK3XVECZzfk"
; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
; (parent name has _acme-challenge children, so wildcard would skip it)
calendar 300 IN CNAME nielsen-inspections.com
cw 300 IN CNAME nielsen-inspections.com
files 300 IN CNAME nielsen-inspections.com
v2-calendar 300 IN CNAME nielsen-inspections.com


@ -49,4 +49,11 @@ _submission._tcp 600 IN SRV 20 0 587 mail.supported.systems
_autodiscover._tcp 600 IN SRV 10 0 443 mail.supported.systems
_submissions._tcp 600 IN SRV 10 0 465 mail.supported.systems
_imaps._tcp 600 IN SRV 10 0 993 mail.supported.systems
_pop3s._tcp 600 IN SRV 10 0 995 mail.supported.systems
_pop3s._tcp 600 IN SRV 10 0 995 mail.supported.systems
; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
; (parent name has _acme-challenge children, so wildcard would skip it)
api.dispatch 300 IN CNAME qubeseptic.com
dispatch 300 IN CNAME qubeseptic.com
leads 300 IN CNAME qubeseptic.com
mail.dispatch 300 IN CNAME qubeseptic.com
rentcache.dispatch 300 IN CNAME qubeseptic.com
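Review bot: this is the largest hunk (five names) and none of the `_acme-challenge.*` records that justify them appear in the shown context, while the message asserts that HE and CoreDNS now "behave identically" without showing the check. Suggest recording it: for each of the five names, `dig +short CNAME <name>.qubeseptic.com` at the HE authoritative server and at the CoreDNS instance, before and after the push; the before state should show an empty answer from HE and the wildcard CNAME from CoreDNS, the after state the explicit CNAME from both. One caveat on `mail.dispatch`: a name of that shape is what MX records tend to point at, and RFC 2181 §10.3 does not allow an MX target to be a CNAME, so confirm nothing names it as a mail exchanger.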


@ -15,4 +15,7 @@ _dmarc 3600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:reports@ryanmalloy.com; a
_acme-challenge.c4ai 300 IN TXT "sjdm_4JFJfjMQL2ZFb6k-S99gKOnxloIlDrAj15uNkQ"
_acme-challenge.timelinize.l 300 IN TXT "vX4WW3y7aZ6rmPnXWbxTtA5F5ZLE7559bvxbBTXm_Bc"
_acme-challenge.timelinize.l 300 IN TXT "pDaP_rq_CuetBDXERK4V_z80uXS2MKptX4dS-hsuzEk"
_acme-challenge.timelinize.l 300 IN TXT "bqdeHmt500XGMWUJ3zHrCd1MPmlBN_ySGyTTQWO5vJs"
_acme-challenge.timelinize.l 300 IN TXT "bqdeHmt500XGMWUJ3zHrCd1MPmlBN_ySGyTTQWO5vJs"
; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
; (parent name has _acme-challenge children, so wildcard would skip it)
c4ai 300 IN CNAME ryanmalloy.com
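Review bot: the three `_acme-challenge.timelinize.l` TXT records in the context make `timelinize.l` (and `l`, unless it owns records) an empty non-terminal by the rule in the comment, but only `c4ai` gets a CNAME here. If `timelinize.l` is a local-only name that should stay NODATA, or is served by a record elsewhere in the file, a word in the comment would make that explicit; otherwise it is missed.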


@ -12,4 +12,7 @@ l 300 IN CNAME rpm-bullet.mer.idahomuellers.net
300 IN MX 10 sidejob.pro
_acme-challenge.api 300 IN TXT "a1zkQ7ukvloDCOuB5kCsxC1TWH2rRXKCCI88GJrwV84"
_acme-challenge.api 300 IN TXT "UIKc6hzCSLphH1kQtdGMspvWKcG-k4hXcPOOV6HrydA"
_acme-challenge.api 300 IN TXT "GySOUk0DnGhgDKXDgUM-ggQudeENlQIi6jBPtb2O0EE"
_acme-challenge.api 300 IN TXT "GySOUk0DnGhgDKXDgUM-ggQudeENlQIi6jBPtb2O0EE"
; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
; (parent name has _acme-challenge children, so wildcard would skip it)
api 300 IN CNAME sidejob.pro


@ -42,4 +42,10 @@ _submission._tcp 600 IN SRV 20 0 587 mail.upc.llc.
_autodiscover._tcp 600 IN SRV 10 0 443 mail.upc.llc.
_submissions._tcp 600 IN SRV 10 0 465 mail.upc.llc.
_imaps._tcp 600 IN SRV 10 0 993 mail.upc.llc.
_pop3s._tcp 600 IN SRV 10 0 995 mail.upc.llc.
_pop3s._tcp 600 IN SRV 10 0 995 mail.upc.llc.
; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
; (parent name has _acme-challenge children, so wildcard would skip it)
catalog 300 IN CNAME upc.llc
minio.or 300 IN CNAME upc.llc
or 300 IN CNAME upc.llc
s3 300 IN CNAME upc.llc
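Review bot: the existing records in this file write targets fully qualified with a trailing dot (`mail.upc.llc.` on every SRV line), but the four new CNAMEs use `upc.llc` with none. In RFC 1035 master-file syntax an unqualified target is relative to `$ORIGIN`, so `catalog 300 IN CNAME upc.llc` reads as `upc.llc.upc.llc.`; the commit message describes the record as `<sub> CNAME @`, so write `@` (or `upc.llc.`) and keep one convention per file. The same applies to the other twelve zones: the pre-existing `* 300 IN CNAME <apex>` lines there also lack the dot and evidently work, which suggests the loader is lenient about it, but that is worth confirming against `named-checkzone` before BIND consumes these.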