Non-dot-wildcard (*-foo.example.com) for bind?

domain-name-system bind wildcard-subdomain

The reason why it doesn't work is because it's not defined behavior within the RFCs. It must be implemented as an extension of the software you're using. RFC4592 cements the definition of a wildcard record pretty firmly:

2.1.1. Wildcard Domain Name and Asterisk Label

A "wildcard domain name" is defined by having its initial (i.e.,
leftmost or least significant) label be, in binary format:

  0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)

Note the term label here. A label is the dot separated entity. If you have anything other than the asterisk in the label, it's not a wildcard.

You're kinda stuck here. Working within DNS, you need that dot that you're trying to avoid. Everything else is extensions to the server software and implementation specific.


RFC 6125 prevents having a generic certificate for nested subdomains. RFC 4592 and RFC 1034 prevent from having *-xxx.domain.com as a DNS entry.

So you only have two alternatives (which is not nice when trying to automate) :

  • Create a certificate per subdomain (there are free alternatives but might be complicated depending on your platform).
  • Create a full DNS entry per sub-service (which won't be sub-subdomains).

Related

SAS vs. Nearline/MDL SAS - What is the difference?
Storage Space vs Disk Management Mirroring
open file descriptor limits.conf setting isn't read by ulimit even when pam_limits.so is required
Migrate Sonatype Nexus repo from one machine to another
PHP-FPM does not automatically start after reboot
How does Ethernet know how long a frame is?
Is smartd properly configured to send alerts by email?
nginx: directly send from location to another named location
Why was my ping answered by a different IP address than the one pinged?
Should I 'run in' one disk of a new RAID 1 pair to decrease the chance of a similar failure time?
Delegation not found at parent...?
"SSL input filter read failed" Apache and 443