Does UCS DNS understand "*" records?

Hello. In Windows DNS server it is normal to create a “star” host record for a zone, and then it normally resolves names like a.zone.com., b.zone.com., c.zone.com. etc. to the same (‘star’) IP address.
For some reason it doesn’t work in UCS:
** server can’t find myhostname.zonewithstar.dom.com: NXDOMAIN

As I remember, UCS DNS is BIND-based and BIND supports “star” records.
And I see in /var/log/syslog:
named[5798]: zone zonewithstar.dom.com/IN: refresh: unexpected rcode (SERVFAIL) from master 127.0.0.1#7777 (source 0.0.0.0#0)

Also I used your check-dns-zone-syntax.py script, and it says this particular zone is invalid, but I don’t understand why it is invalid.

When I do:
grep -B10 "not loaded due to errors" /var/log/daemon.log
output is:
zone zonewithstar.dom.com/IN: NS ‘idm1.dom.com.zonewithstar.dom.com’ has no address records (A or AAAA)

and I don’t understand what it means. Why is the NS so strange looking?

Yes, wildcard DNS entries do work in UCS:

# udm dns/forward_zone list --filter zone=xxx.dev.
DN: zoneName=xxx.dev,cn=dns,dc=phahn50,dc=qa
  contact: root@phahn50.qa.
  expire: 7 days
  nameserver: dc20.phahn50.qa.
  refresh: 8 hours
  retry: 2 hours
  serial: 2
  ttl: 3 hours
  zone: xxx.dev
  zonettl: 3 hours

# udm dns/txt_record list --superordinate zoneName=xxx.dev,cn=dns,dc=phahn50,dc=qa
DN: relativeDomainName=*,zoneName=xxx.dev,cn=dns,dc=phahn50,dc=qa
  name: *
  txt: test
  zonettl: 22 hours

# dig @localhost foo.xxx.dev. txt
;foo.xxx.dev.                   IN      TXT
foo.xxx.dev.            79200   IN      TXT     "test"
xxx.dev.                10800   IN      NS      dc20.phahn50.qa.
dc20.phahn50.qa.        80600   IN      A       10.200.17.20

zone zonewithstar.dom.com/IN: NS ‘idm1.dom.com.zonewithstar.dom.com’ has no address records (A or AAAA)

You probably forgot to append the trailing dot for the name server in the SOA entry of your zone: if a label does not end with a dot, BIND appends the zone name again. As your DNS server lives in a different domain, make sure the trailing dot is there!
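
The trailing-dot rule from the answer above, as an added example that is not part of the original posts and is not the UCS check-dns-zone-syntax.py script. The function names and the "looks like an FQDN" heuristic are assumptions of this example; the zone and host names come from the log line in the thread.

```python
# Added example: how a zone-file name is qualified, plus a small NS lint.

def qualify(name: str, origin: str) -> str:
    """Return the absolute name BIND uses for a name written in a zone.

    A name ending in "." is absolute, "@" is the origin itself, and
    anything else is relative, so the origin is appended to it.
    """
    origin = origin.rstrip(".") + "."
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def shared_suffix_labels(name: str, origin: str) -> int:
    """Count the trailing labels a name has in common with the origin."""
    a = name.rstrip(".").lower().split(".")[::-1]
    b = origin.rstrip(".").lower().split(".")[::-1]
    count = 0
    for x, y in zip(a, b):
        if x != y:
            break
        count += 1
    return count


def lint_ns_targets(origin: str, targets: list[str]) -> list[tuple[str, str]]:
    """Flag relative NS targets that were probably meant to be absolute.

    Heuristic (assumption): a relative target whose last labels repeat the
    end of the origin, such as "...dom.com" inside "zonewithstar.dom.com".
    Returns pairs of (target as written, name BIND will look up).
    """
    findings = []
    for target in targets:
        if target == "@" or target.endswith("."):
            continue  # absolute names are used as written
        if shared_suffix_labels(target, origin) > 0:
            findings.append((target, qualify(target, origin)))
    return findings


if __name__ == "__main__":
    sample = ["idm1.dom.com", "idm1.dom.com.", "ns1"]  # constructed input
    for written, expanded in lint_ns_targets("zonewithstar.dom.com", sample):
        print(f"{written!r} is relative and expands to {expanded!r}")
```

A short relative target such as `ns1` is not flagged, because naming a server inside the zone itself that way is legitimate.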

Thank you, that was the real reason. Marked this as “solution”.
