How to create wildcard CNAME record


Simon F

Jun 5, 2025, 9:09:05 AMJun 5
to DNSControl-discuss
I want to create a wildcard CNAME record:

```
CNAME("*abc", "*def.gh.acm-validations.aws."),
```

This should be supported according to RFC 4592 (https://www.ietf.org/rfc/rfc4592.txt), but `dnscontrol preview` gives me an "invalid char" error:

```
2025/06/05 15:01:50 ERROR: in CNAME *abc.www.XXX.com: target (*def.gh.acm-validations.aws.) includes invalid char
```

Any ideas on how to fix this?

Thank you so much!

Tom Limoncelli

Jun 5, 2025, 9:35:19 AMJun 5
to Simon F, DNSControl-discuss
Are you able to create the record via the AWS control panel?

Tom 

Simon F

Jun 5, 2025, 9:44:06 AMJun 5
to DNSControl-discuss
Yes. The record actually already exists.

Imported the zone via `dnscontrol get-zones`

- Simon

Tom Limoncelli

Jun 5, 2025, 10:04:14 AMJun 5
to Simon F, DNSControl-discuss
On Thu, Jun 5, 2025 at 9:44 AM 'Simon F' via DNSControl-discuss <dnscontro...@googlegroups.com> wrote:
> Yes. The record actually already exists.
>
> Imported the zone via `dnscontrol get-zones`

That error comes from DNS Control:

```
$ grep -B1 'includes invalid char' pkg/normalize/validate.go
if strings.ContainsAny(target, `'" +,|!£$%&()=?^*ç°§;:<>[]()@`) {
return fmt.Errorf("target (%v) includes invalid char", target)
--
if !strings.HasSuffix(target, ".in-addr.arpa.") && strings.Contains(target, "/") {
return fmt.Errorf("target (%v) includes invalid char", target)
```

While a record with those wildcards is RFC-compliant, DNSControl flags it as invalid because it is rather unusual. (See Opinion #3: dnsconfig.js are not zonefiles.)

The short-term fix would be to maintain the record via the AWS web portal and include an IGNORE() to work around it.

```
IGNORE("*abc", CNAME),
```

or maybe

```
IGNORE("", CNAME, "**.acm-validations.aws"),
```

The long-term fix would be to add a way to disable this validation.  Something like CNAME(foo, bar, { permit_scary_targets: true } ).  The `func checkLabel()` has `skip_fqdn_check` but I guess we never added one for targets.  If you'd like to submit a PR, I think the community would appreciate this feature.  (Especially the AWS community, if this is a common thing.)

Best,
Tom 
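As an added illustration, not DNSControl's own code, the following Go snippet reproduces the two target checks quoted from `pkg/normalize/validate.go` above and adds the kind of per-record opt-in Tom sketches. The `checkTarget` function, the `permit_scary_targets` metadata key and the way it is read from a record's metadata map are all assumptions for this example, not part of the project.

```go
package main

import (
	"fmt"
	"strings"
)

// permitScaryTargets is a hypothetical per-record metadata key, modelled on
// the "{ permit_scary_targets: true }" idea from the thread. It is not a real
// DNSControl option.
const permitScaryTargets = "permit_scary_targets"

// invalidTargetChars mirrors the character set quoted from
// pkg/normalize/validate.go in the thread. Note that '*' is in the set, which
// is exactly why an RFC 4592 wildcard target is rejected by default.
const invalidTargetChars = `'" +,|!£$%&()=?^*ç°§;:<>[]()@`

// checkTarget applies the two quoted checks to a CNAME target. When the record's
// metadata carries permit_scary_targets=true the character checks are skipped,
// so an otherwise-valid wildcard target such as "*def.gh.acm-validations.aws."
// is accepted. A nil meta map means "no opt-in".
func checkTarget(target string, meta map[string]string) error {
	if meta[permitScaryTargets] == "true" {
		// Explicit opt-in: the operator has accepted responsibility for this
		// unusual target, so the character validation is bypassed.
		return nil
	}
	// First quoted check: reject any target containing a "scary" character.
	if strings.ContainsAny(target, invalidTargetChars) {
		return fmt.Errorf("target (%v) includes invalid char", target)
	}
	// Second quoted check: a '/' is only tolerated in in-addr.arpa targets
	// (RFC 2317 classless reverse delegation).
	if !strings.HasSuffix(target, ".in-addr.arpa.") && strings.Contains(target, "/") {
		return fmt.Errorf("target (%v) includes invalid char", target)
	}
	return nil
}

func main() {
	// Constructed sample targets, including the one from the thread.
	wildcard := "*def.gh.acm-validations.aws."
	fmt.Println("default: ", checkTarget(wildcard, nil))
	fmt.Println("opted in:", checkTarget(wildcard, map[string]string{permitScaryTargets: "true"}))
	fmt.Println("plain:   ", checkTarget("def.gh.acm-validations.aws.", nil))
}
```

Run as-is, the first call fails with the same "includes invalid char" message Simon saw, the second passes because of the opt-in, and the third passes because the target contains none of the listed characters.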