coredns/zones/demostar.io.zone
Ryan Malloy f8363e5ea7 zones: add explicit CNAME-to-apex for RFC 4592 empty-non-terminals
Wildcards in DNS only synthesize for names that don't already exist
in the zone tree. A `_acme-challenge.<sub>` TXT record makes <sub>
an "empty non-terminal" — exists in the tree (as a parent node) but
has no records of its own. Per RFC 4592 §2.2.3, wildcards skip these,
so RFC-compliant resolvers (HE, BIND) return NODATA for <sub> even
when the zone has `* CNAME @`.

Fix: for each <sub> that's an empty non-terminal in a zone with a
wildcard, add an explicit `<sub> CNAME @` so the resolution outcome
matches what the wildcard would have produced. Zero-knowledge — no
need to identify the specific service IP per name.

30 records added across 14 zones:
  acrazy.org (langfuse.dootie)
  context.bet (studio)
  copper-springs.online (docs.butler.dev)
  demostar.io (cw.cw, doom, meet)
  home-inspector.store (api, dashboard, mailpit)
  inspect.pics (admin)
  log.doctor (app, docs)
  malloys.us (cp, cp-sandbox, mary)
  nielsen-inspections.com (calendar, cw, files, v2-calendar)
  qubeseptic.com (api.dispatch, dispatch, leads, mail.dispatch,
                  rentcache.dispatch)
  ryanmalloy.com (c4ai)
  sidejob.pro (api)
  upc.llc (catalog, minio.or, or, s3)

CoreDNS (lenient) was returning the wildcard CNAME for these names
anyway; HE (strict RFC-compliant) was returning empty. After this
change, both behave identically.
2026-05-18 18:34:51 -06:00


; Zone file for demostar.io
; Generated by mcp-vultr
$ORIGIN demostar.io.
$TTL 3600
300 IN NS ns1.vultr.com
300 IN NS ns2.vultr.com
300 IN A 74.91.22.230
ph 300 IN A 144.202.60.236
or 300 IN A 74.91.22.233
vdo 300 IN A 74.91.22.230
dev 300 IN CNAME rpm-bullet.mer.idahomuellers.net
* 300 IN CNAME demostar.io
shynet 300 IN CNAME demostar.io
oo-sandbox 300 IN CNAME oo.demostar.io
oo 300 IN CNAME demostar.io
cw 3600 IN CNAME demostar.io
300 IN MX 10 mail.supported.systems
3600 IN TXT "v=spf1 mx a:mail.supported.systems ~all"
3600 IN TXT "google-site-verification=2O9jXz4H-nx0oRi2hVdFCWnPudISRlpT2nWE0xF-U14"
_acme-challenge.meet 300 IN TXT "6ZSVw9yrMNjG2z-KqLP77_FW7w0I7embcfCLc9g6CRs"
_acme-challenge.oo-sandbox 300 IN TXT "o8a0j9u2-CmTCkAPJ9audd0SSh2KFv90vXPgLOoib_c"
_acme-challenge 300 IN TXT "xfcM1eMV0DRZMxHWzY5_l4v8sEHe064XmrJpBn7KZik"
_acme-challenge.oo 300 IN TXT "gAOPbIejEwGN7ezOSIcRfcVK074atnfDvJbwtfzM97w"
_acme-challenge.doom 300 IN TXT "MgsgpGJ5E5uWyoc8ajpVoIdtt_kPs1x9qwf6v83kEGU"
_acme-challenge.oo 300 IN TXT "FT54HjF0ts_30oroEBuyKQa1hnzh_D6mpFpEFGMjBTo"
_dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:reports@demostar.io; adkim=s; aspf=s;"
demostar.io._report._dmarc.mail 3600 IN TXT "v=DMARC1;"
_acme-challenge.shynet 300 IN TXT "y3fyKhW2Uiq1Nu9Zcd9detto90IvEZ852h2TvAIQCsA"
_acme-challenge.vdo 300 IN TXT "BlvVWIzjIj4o73qkYNfNdF_Q8MW13vxV6HTgO0-NzmM"
_acme-challenge.vdo 300 IN TXT "slcvr2gvi6ahNucyzfzLvInL-l0L1P93I2p3vQ3ytrU"
_acme-challenge.vdo 300 IN TXT "cGxfMICfHYD7QiQmsAuWuVN-hQQoZ38GcvDTigsioWQ"
_acme-challenge.cw.cw 300 IN TXT "Y0ahdJHcKysWxYNQG8aXQuWr0uSp7WVlwxkdWYHcrIM"
_acme-challenge.cw 300 IN TXT "e7IRkthq2cwpEJHEjbAsQwqkvQGHl831X6luH3ct6uc"
; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
; (parent name has _acme-challenge children, so wildcard would skip it)
cw.cw 300 IN CNAME demostar.io
doom 300 IN CNAME demostar.io
meet 300 IN CNAME demostar.io
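
The RFC 4592 behaviour the commit message describes can be checked offline before a zone is published. The following is an added example, not code from this commit or repository: it rebuilds the zone tree from a list of owner names, lists the empty non-terminals, and classifies how a strict server would answer a query. The owner list is a constructed subset of the names in the zone above, and the function names are hypothetical.

```python
# Added example: names below are a constructed subset of the zone's owners.
def labels(name):
    # "@" is the apex; all other names are relative to $ORIGIN.
    return () if name == "@" else tuple(name.lower().split("."))

def build_tree(owners):
    """Return (nodes that own records, all nodes that exist in the tree)."""
    with_data = {labels(o) for o in owners}
    existing = {()}
    for node in with_data:
        for i in range(len(node)):  # the node itself and every ancestor
            existing.add(node[i:])
    return with_data, existing

def empty_non_terminals(owners):
    with_data, existing = build_tree(owners)
    return sorted(".".join(n) for n in existing - with_data if n)

def classify(qname, owners):
    """Answer type a strict RFC 4592 server gives for qname."""
    with_data, existing = build_tree(owners)
    q = labels(qname)
    if q in with_data:
        return "exact"
    if q in existing:
        return "nodata"  # empty non-terminal: name exists, wildcard skipped
    # Closest encloser: longest existing ancestor (the apex always exists).
    closest = next(q[i:] for i in range(1, len(q) + 1) if q[i:] in existing)
    star = ("*",) + closest
    if star in with_data:
        return "wildcard"
    return "nodata" if star in existing else "nxdomain"

PRE_FIX = ["@", "*", "cw", "oo", "_acme-challenge.cw", "_acme-challenge.oo",
           "_acme-challenge.cw.cw", "_acme-challenge.doom", "_acme-challenge.meet"]
POST_FIX = PRE_FIX + ["cw.cw", "doom", "meet"]

if __name__ == "__main__":
    for sub in empty_non_terminals(PRE_FIX):
        print(f"{sub} is an empty non-terminal ({classify(sub, PRE_FIX)}): add '{sub} CNAME @'")
```

Names below a listed owner, such as `x.meet`, still classify as `nxdomain` before and after the fix, because their closest encloser is `meet` rather than the apex and no `*.meet` record exists.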