From f8363e5ea73a3ac3e187718e9e38a2c8b74d6277 Mon Sep 17 00:00:00 2001 
From: Ryan Malloy Date: Mon, 18 May 2026 18:34:51 -0600 Subject: [PATCH] zones: add explicit CNAME-to-apex for RFC 4592 empty-non-terminals MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Wildcards in DNS only synthesize for names that don't already exist in the zone tree. A `_acme-challenge.<name>` TXT record makes `<name>` an "empty non-terminal" — exists in the tree (as a parent node) but has no records of its own. Per RFC 4592 §2.2.3, wildcards skip these, so RFC-compliant resolvers (HE, BIND) return NODATA for `<name>` even when the zone has `* CNAME @`. Fix: for each `<name>` that's an empty non-terminal in a zone with a wildcard, add an explicit `<name> CNAME @` so the resolution outcome matches what the wildcard would have produced. Zero-knowledge — no need to identify the specific service IP per name. 30 records added across 14 zones: acrazy.org (langfuse.dootie) context.bet (studio) copper-springs.online (docs.butler.dev) demostar.io (cw.cw, doom, meet) home-inspector.store (api, dashboard, mailpit) inspect.pics (admin) log.doctor (app, docs) malloys.us (cp, cp-sandbox, mary) nielsen-inspections.com (calendar, cw, files, v2-calendar) qubeseptic.com (api.dispatch, dispatch, leads, mail.dispatch, rentcache.dispatch) ryanmalloy.com (c4ai) sidejob.pro (api) upc.llc (catalog, minio.or, or, s3) CoreDNS (lenient) was returning the wildcard CNAME for these names anyway; HE (strict RFC-compliant) was returning empty. After this change, both behave identically.
---
 zones/acrazy.org.zone | 5 ++++-
 zones/context.bet.zone | 5 ++++-
 zones/copper-springs.online.zone | 5 ++++-
 zones/demostar.io.zone | 7 ++++++-
 zones/home-inspector.store.zone | 7 ++++++-
 zones/inspect.pics.zone | 5 ++++-
 zones/log.doctor.zone | 6 +++++-
 zones/malloys.us.zone | 7 ++++++-
 zones/nielsen-inspections.com.zone | 8 +++++++-
 zones/qubeseptic.com.zone | 9 ++++++++-
 zones/ryanmalloy.com.zone | 5 ++++-
 zones/sidejob.pro.zone | 5 ++++-
 zones/upc.llc.zone | 8 +++++++-
 13 files changed, 69 insertions(+), 13 deletions(-)
diff --git a/zones/acrazy.org.zone b/zones/acrazy.org.zone
index 6e2d000..5747ffe 100644
--- a/zones/acrazy.org.zone
+++ b/zones/acrazy.org.zone
@@ -38,4 +38,7 @@ _acme-challenge.l 300 IN TXT "WmE8LR03vR1ua26QK58PxCmfxQ-_369sXIezIr8cNoM"
 _acme-challenge.l 300 IN TXT "Ike1gqcB3VI7WwKoH3T8zqbpYSo2qRPrq0iqzB5wmFU"
 _acme-challenge.langfuse.dootie 300 IN TXT "1WJ-mHJ2SQuuC5CgxbYY6euwiMZm1dVicfIkeluovTY"
 _acme-challenge.dootie.l 300 IN TXT "uW30ozl6AKA_q9FWPlvaxuwbgBJ-TgTsXxA3JFtn0tg"
-_acme-challenge.langfuse.dootie.l 300 IN TXT "P6tOVfwB8OBbI6AqnIuHXKQc05FjuABhGihUHwzpMOs"
\ No newline at end of file
+_acme-challenge.langfuse.dootie.l 300 IN TXT "P6tOVfwB8OBbI6AqnIuHXKQc05FjuABhGihUHwzpMOs"
+; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
+; (parent name has _acme-challenge children, so wildcard would skip it)
+langfuse.dootie 300 IN CNAME acrazy.org
diff --git a/zones/context.bet.zone b/zones/context.bet.zone
index 381dc04..62cd0c7 100644
--- a/zones/context.bet.zone
+++ b/zones/context.bet.zone
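Review bot: In the acrazy.org hunk, `langfuse.dootie` gets an explicit CNAME but its parent `dootie` does not, and `dootie` is itself an empty non-terminal: it exists only as the ancestor of `langfuse.dootie` and `_acme-challenge.langfuse.dootie`. A resolver that follows RFC 4592 strictly would still answer NODATA for `dootie.acrazy.org` unless the zone defines that name outside this hunk, which cannot be seen from here. If the name is meant to resolve, add `dootie 300 IN CNAME acrazy.org` next to the new record. The same question applies to `butler.dev` in the copper-springs.online hunk, and to the `.l` names in the context lines if no explicit or wildcard record covers them.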
@@ -29,4 +29,7 @@ _acme-challenge 300 IN TXT "8lJ4Ury26qHtSwLaABC9UB_ZdFja3ZmujmUg7-5Y4Bg"
 _acme-challenge 300 IN TXT "FSMb7Ru6xgzIIUvlzSzzVnOsGQD2Dgxm_qhx6hyymnE"
 _acme-challenge 300 IN TXT "yB9kMNkHqVDe5vMvkgN5SFxiXgDSlSyUgldfW971BXw"
 _acme-challenge 300 IN TXT "dpheXmHW0vH_NW5t8Ie_OWXiJkZT0l2U2Yu9w5n5uZg"
-_acme-challenge 300 IN TXT "K6DYSkbn2Fk_P0fA1fxbIZszce4NzjTtgodaUNxDS1w"
\ No newline at end of file
+_acme-challenge 300 IN TXT "K6DYSkbn2Fk_P0fA1fxbIZszce4NzjTtgodaUNxDS1w"
+; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
+; (parent name has _acme-challenge children, so wildcard would skip it)
+studio 300 IN CNAME context.bet
diff --git a/zones/copper-springs.online.zone b/zones/copper-springs.online.zone
index edb55b9..0a30820 100644
--- a/zones/copper-springs.online.zone
+++ b/zones/copper-springs.online.zone
@@ -10,4 +10,7 @@ dev 300 IN CNAME rpm-bullet.mer.idahomuellers.net
 * 300 IN CNAME copper-springs.online
 *.dev 300 IN CNAME dev.copper-springs.online
 300 IN MX 10 copper-springs.online
-_acme-challenge.docs.butler.dev 300 IN TXT "JcIKn8HyUtQMwY_q0FNdj-XfacQS9Tn5SQiwTKB79VE"
\ No newline at end of file
+_acme-challenge.docs.butler.dev 300 IN TXT "JcIKn8HyUtQMwY_q0FNdj-XfacQS9Tn5SQiwTKB79VE"
+; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
+; (parent name has _acme-challenge children, so wildcard would skip it)
+docs.butler.dev 300 IN CNAME copper-springs.online
diff --git a/zones/demostar.io.zone b/zones/demostar.io.zone
index 087143a..acdfd7c 100644
--- a/zones/demostar.io.zone
+++ b/zones/demostar.io.zone
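Review bot: In the copper-springs.online hunk, `docs.butler.dev 300 IN CNAME copper-springs.online` does not reproduce what the wildcard would have answered. The context lines show `*.dev 300 IN CNAME dev.copper-springs.online`, and that wildcard, not `*`, is the one that covers names under `dev`. Pointing this name at the apex sends it to a different target than its `*.dev` siblings (`dev` itself is a CNAME to `rpm-bullet.mer.idahomuellers.net`), so the name whose ACME challenge record sits just above may now resolve to a host that does not serve it. The line should read `docs.butler.dev 300 IN CNAME dev.copper-springs.online`. The other zones are worth checking for sub-wildcards outside the visible context before the apex target is applied uniformly.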
@@ -31,4 +31,9 @@ _acme-challenge.vdo 300 IN TXT "BlvVWIzjIj4o73qkYNfNdF_Q8MW13vxV6HTgO0-NzmM"
 _acme-challenge.vdo 300 IN TXT "slcvr2gvi6ahNucyzfzLvInL-l0L1P93I2p3vQ3ytrU"
 _acme-challenge.vdo 300 IN TXT "cGxfMICfHYD7QiQmsAuWuVN-hQQoZ38GcvDTigsioWQ"
 _acme-challenge.cw.cw 300 IN TXT "Y0ahdJHcKysWxYNQG8aXQuWr0uSp7WVlwxkdWYHcrIM"
-_acme-challenge.cw 300 IN TXT "e7IRkthq2cwpEJHEjbAsQwqkvQGHl831X6luH3ct6uc"
\ No newline at end of file
+_acme-challenge.cw 300 IN TXT "e7IRkthq2cwpEJHEjbAsQwqkvQGHl831X6luH3ct6uc"
+; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
+; (parent name has _acme-challenge children, so wildcard would skip it)
+cw.cw 300 IN CNAME demostar.io
+doom 300 IN CNAME demostar.io
+meet 300 IN CNAME demostar.io
diff --git a/zones/home-inspector.store.zone b/zones/home-inspector.store.zone
index 9125dac..d805bfe 100644
--- a/zones/home-inspector.store.zone
+++ b/zones/home-inspector.store.zone
@@ -12,4 +12,9 @@ _acme-challenge.dashboard 300 IN TXT "TLTjv7weswoJMxQ8K897MGeez7RJlTTay7sJ5_OQY-
 _acme-challenge 300 IN TXT "qtDNogktSbMLdjkIQNciTHAIIKIIO7CKaOhIvg2PY7U"
 _acme-challenge.dashboard 300 IN TXT "U3yUObG_I0bU4lEiBQz_saa-U9ysq0lSRCqJcBwJi2I"
 _acme-challenge.api 300 IN TXT "LwzNwdpFoJsKzXbGhaV7nenwRFj9vDyIAokNLdV4zwE"
-_acme-challenge.mailpit 300 IN TXT "ZAfKxXBLnghzsFKBTXOIdFvEzgfu4zOny_Kqv3cF3AM"
\ No newline at end of file
+_acme-challenge.mailpit 300 IN TXT "ZAfKxXBLnghzsFKBTXOIdFvEzgfu4zOny_Kqv3cF3AM"
+; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
+; (parent name has _acme-challenge children, so wildcard would skip it)
+api 300 IN CNAME home-inspector.store
+dashboard 300 IN CNAME home-inspector.store
+mailpit 300 IN CNAME home-inspector.store
diff --git a/zones/inspect.pics.zone b/zones/inspect.pics.zone
index b137a74..ac2ad6f 100644
--- a/zones/inspect.pics.zone
+++ b/zones/inspect.pics.zone
@@ -12,4 +12,7 @@ l 300 IN A 127.0.0.1
 300 IN MX 10 inspect.pics
 _acme-challenge 300 IN TXT "O76KUDoUq834H7foiWV2VXVO-XWWAx2mGm1Gt3YJtvQ"
 _acme-challenge 300 IN TXT "0QRoK7IMPLfLffpv8aH8afyw6f9ssDb9NPbWJSJ66q8"
-_acme-challenge.admin 300 IN TXT "i5VYntrsr97R142m7Xj7FJR4huFX1KGlQPgnQjHEeTk"
\ No newline at end of file
+_acme-challenge.admin 300 IN TXT "i5VYntrsr97R142m7Xj7FJR4huFX1KGlQPgnQjHEeTk"
+; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
+; (parent name has _acme-challenge children, so wildcard would skip it)
+admin 300 IN CNAME inspect.pics
diff --git a/zones/log.doctor.zone b/zones/log.doctor.zone
index 0669013..ee9af7b 100644
--- a/zones/log.doctor.zone
+++ b/zones/log.doctor.zone
@@ -9,4 +9,8 @@ $TTL 3600
 * 300 IN CNAME log.doctor
 300 IN MX 10 log.doctor
 _acme-challenge.app 300 IN TXT "y2ZR60rA40x7LtMubTbAZNNubTCIHm36_FT0dTZ6e9E"
-_acme-challenge.docs 300 IN TXT "5lVC4dW_6dd8ir0eNION32rSBVTl1WXL69QRzaiJ8ds"
\ No newline at end of file
+_acme-challenge.docs 300 IN TXT "5lVC4dW_6dd8ir0eNION32rSBVTl1WXL69QRzaiJ8ds"
+; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
+; (parent name has _acme-challenge children, so wildcard would skip it)
+app 300 IN CNAME log.doctor
+docs 300 IN CNAME log.doctor
diff --git a/zones/malloys.us.zone b/zones/malloys.us.zone
index 1634d77..e794eda 100644
--- a/zones/malloys.us.zone
+++ b/zones/malloys.us.zone
@@ -38,4 +38,9 @@ _acme-challenge 300 IN TXT "hPz_OIZGc2qyHrNMGkPCXDf4ML4bv67P_ojmb-ed6gM"
 _acme-challenge 300 IN TXT "mzrirf7ykU_V_6mh38Q664h_yg3AEVA88tQRE7YGOUc"
 _acme-challenge 300 IN TXT "v4oJppz3N-D9IEBw0faQ54pg7WsLmDNua7bVgQWVmpw"
 _acme-challenge 300 IN TXT "OlN30ETZq9etulzl9lOMTDvWQ4Frpq2NlyGOx5kpB_I"
- 300 IN TXT "openai-domain-verification=dv-pa82Ps1fOTq50Ad2crkhWWTv"
\ No newline at end of file
+ 300 IN TXT "openai-domain-verification=dv-pa82Ps1fOTq50Ad2crkhWWTv"
+; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
+; (parent name has _acme-challenge children, so wildcard would skip it)
+cp 300 IN CNAME malloys.us
+cp-sandbox 300 IN CNAME malloys.us
+mary 300 IN CNAME malloys.us
diff --git a/zones/nielsen-inspections.com.zone b/zones/nielsen-inspections.com.zone
index b7a8600..f39fb8c 100644
--- a/zones/nielsen-inspections.com.zone
+++ b/zones/nielsen-inspections.com.zone
@@ -41,4 +41,10 @@ _acme-challenge 300 IN TXT "rf2G1O-_2lWOD3YVIDzsCf-3SjeOW4xQkijU6S-peg8"
 _acme-challenge 300 IN TXT "_OarPKPxYMpsvT_VuAKVkJoxP1vQmqMMRESOwpPflbg"
 _acme-challenge 300 IN TXT "06at-8AT6CKT6Cbn5JEfASqOyiqx2T-PfvYlg4O86Bo"
 _acme-challenge 300 IN TXT "8YYbiZ4dEbfK0KKrVWl81ZCdamED1a9b_3we2JEl-rE"
-_acme-challenge.files 300 IN TXT "nckNo7UBhAFgevwMvQ85niQIiXuU37FoLK3XVECZzfk"
\ No newline at end of file
+_acme-challenge.files 300 IN TXT "nckNo7UBhAFgevwMvQ85niQIiXuU37FoLK3XVECZzfk"
+; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
+; (parent name has _acme-challenge children, so wildcard would skip it)
+calendar 300 IN CNAME nielsen-inspections.com
+cw 300 IN CNAME nielsen-inspections.com
+files 300 IN CNAME nielsen-inspections.com
+v2-calendar 300 IN CNAME nielsen-inspections.com
diff --git a/zones/qubeseptic.com.zone b/zones/qubeseptic.com.zone
index aa0ef10..e89347f 100644
--- a/zones/qubeseptic.com.zone
+++ b/zones/qubeseptic.com.zone
@@ -49,4 +49,11 @@ _submission._tcp 600 IN SRV 20 0 587 mail.supported.systems
 _autodiscover._tcp 600 IN SRV 10 0 443 mail.supported.systems
 _submissions._tcp 600 IN SRV 10 0 465 mail.supported.systems
 _imaps._tcp 600 IN SRV 10 0 993 mail.supported.systems
-_pop3s._tcp 600 IN SRV 10 0 995 mail.supported.systems
\ No newline at end of file
+_pop3s._tcp 600 IN SRV 10 0 995 mail.supported.systems
+; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
+; (parent name has _acme-challenge children, so wildcard would skip it)
+api.dispatch 300 IN CNAME qubeseptic.com
+dispatch 300 IN CNAME qubeseptic.com
+leads 300 IN CNAME qubeseptic.com
+mail.dispatch 300 IN CNAME qubeseptic.com
+rentcache.dispatch 300 IN CNAME qubeseptic.com
diff --git a/zones/ryanmalloy.com.zone b/zones/ryanmalloy.com.zone
index ad61570..42a91b4 100644
--- a/zones/ryanmalloy.com.zone
+++ b/zones/ryanmalloy.com.zone
@@ -15,4 +15,7 @@ _dmarc 3600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:reports@ryanmalloy.com; a
 _acme-challenge.c4ai 300 IN TXT "sjdm_4JFJfjMQL2ZFb6k-S99gKOnxloIlDrAj15uNkQ"
 _acme-challenge.timelinize.l 300 IN TXT "vX4WW3y7aZ6rmPnXWbxTtA5F5ZLE7559bvxbBTXm_Bc"
 _acme-challenge.timelinize.l 300 IN TXT "pDaP_rq_CuetBDXERK4V_z80uXS2MKptX4dS-hsuzEk"
-_acme-challenge.timelinize.l 300 IN TXT "bqdeHmt500XGMWUJ3zHrCd1MPmlBN_ySGyTTQWO5vJs"
\ No newline at end of file
+_acme-challenge.timelinize.l 300 IN TXT "bqdeHmt500XGMWUJ3zHrCd1MPmlBN_ySGyTTQWO5vJs"
+; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
+; (parent name has _acme-challenge children, so wildcard would skip it)
+c4ai 300 IN CNAME ryanmalloy.com
diff --git a/zones/sidejob.pro.zone b/zones/sidejob.pro.zone
index e12025b..80e6b09 100644
--- a/zones/sidejob.pro.zone
+++ b/zones/sidejob.pro.zone
@@ -12,4 +12,7 @@ l 300 IN CNAME rpm-bullet.mer.idahomuellers.net
 300 IN MX 10 sidejob.pro
 _acme-challenge.api 300 IN TXT "a1zkQ7ukvloDCOuB5kCsxC1TWH2rRXKCCI88GJrwV84"
 _acme-challenge.api 300 IN TXT "UIKc6hzCSLphH1kQtdGMspvWKcG-k4hXcPOOV6HrydA"
-_acme-challenge.api 300 IN TXT "GySOUk0DnGhgDKXDgUM-ggQudeENlQIi6jBPtb2O0EE"
\ No newline at end of file
+_acme-challenge.api 300 IN TXT "GySOUk0DnGhgDKXDgUM-ggQudeENlQIi6jBPtb2O0EE"
+; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
+; (parent name has _acme-challenge children, so wildcard would skip it)
+api 300 IN CNAME sidejob.pro
diff --git a/zones/upc.llc.zone b/zones/upc.llc.zone
index 1fda208..163926d 100644
--- a/zones/upc.llc.zone
+++ b/zones/upc.llc.zone
@@ -42,4 +42,10 @@ _submission._tcp 600 IN SRV 20 0 587 mail.upc.llc.
 _autodiscover._tcp 600 IN SRV 10 0 443 mail.upc.llc.
 _submissions._tcp 600 IN SRV 10 0 465 mail.upc.llc.
 _imaps._tcp 600 IN SRV 10 0 993 mail.upc.llc.
-_pop3s._tcp 600 IN SRV 10 0 995 mail.upc.llc.
\ No newline at end of file
+_pop3s._tcp 600 IN SRV 10 0 995 mail.upc.llc.
+; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
+; (parent name has _acme-challenge children, so wildcard would skip it)
+catalog 300 IN CNAME upc.llc
+minio.or 300 IN CNAME upc.llc
+or 300 IN CNAME upc.llc
+s3 300 IN CNAME upc.llc
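Review bot: The new CNAME targets in the upc.llc hunk are written as `upc.llc` with no trailing dot, while the SRV targets directly above them use the fully qualified `mail.upc.llc.`. In standard master-file syntax an unqualified name is relative to the origin, so a loader that follows RFC 1035 would read the target as `upc.llc.upc.llc.`; whether the loader used for these files does so is not visible from the patch. Writing the target as `@`, as the commit message describes (`catalog 300 IN CNAME @`), or as `upc.llc.` removes the ambiguity. The other twelve hunks use the same unqualified form, which matches existing records such as `* 300 IN CNAME log.doctor`, so the same check applies to them.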