Can a DNS client distinguish if the answer they received was based on a wildcard record or a specific match?
I had a quick look to see if all the authoritative nameservers have synced.
$ dig +nssearch fm.mg
SOA ns1.hartwig-at.de. hostmaster.hartwig-at.de. 2015022400 86400 10800 2419200 3600 from server 217.70.177.40 in 8 ms.
SOA ns1.hartwig-at.de. hostmaster.hartwig-at.de. 2015060502 86400 10800 2419200 3600 from server 2a00:1158:3::b6 in 25 ms.
SOA ns1.hartwig-at.de. hostmaster.hartwig-at.de. 2015060502 86400 10800 2419200 3600 from server 134.119.4.37 in 26 ms.
SOA ns1.hartwig-at.de. hostmaster.hartwig-at.de. 2015060502 86400 10800 2419200 3600 from server 37.200.99.108 in 28 ms.
SOA ns1.hartwig-at.de. hostmaster.hartwig-at.de. 2015060502 86400 10800 2419200 3600 from server 2a00:1158:3::87 in 28 ms.
$
It appears that 217.70.177.40
is serving an older version of the zone, which probably explains the variations in results.
If you are not using DNSSEC there is no definitive way for the client to see if a reply was produced by a *
record in the zone or by an exact match.
The client could use heuristic by comparing the answers produced by looking up the desired name to the answers produced by looking up a random string of characters. If the answers are identical it is likely a *
record and if the answers are different it is likely not a *
record.
If the zone is signed offline with DNSSEC it is however possible for a client to see if a *
record was used. This is because the name used in the signature will actually contain a literal *
character, which will prove that the answer was produced using a *
record. Additionally NSEC3 can provide a signature showing that the requested name could not be answered without using the *
record.