CNAME wildcards?
See https://groups.google.com/forum/#!topic/public-dns-discuss/M982l7Lz9uA
$ dig -t TLSA _443._tcp.www.bartschnet.de
; <<>> DiG 9.11.5-P1-2-Debian <<>> -t TLSA _443._tcp.www.bartschnet.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16652
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_443._tcp.www.bartschnet.de. IN TLSA
;; ANSWER SECTION:
_443._tcp.www.bartschnet.de. 3599 IN CNAME *._tcp.bartschnet.de.
*._tcp.bartschnet.de. 3599 IN TLSA 1 1 1 23ECDA1BAFF3350ADE5752800A79DAC0D91A121FCE40ED0D997B123D 2863D453
;; AUTHORITY SECTION:
bartschnet.de. 21599 IN NS ns2.core-networks.eu.
bartschnet.de. 21599 IN NS ns3.core-networks.com.
bartschnet.de. 21599 IN NS ns1.core-networks.de.
;; Query time: 191 msec
;; SERVER: 10.137.2.1#53(10.137.2.1)
;; WHEN: Sat Mar 09 19:09:08 CET 2019
;; MSG SIZE rcvd: 225
$ odns.exe tlsa _443._tcp.www.bartschnet.de
odns.exe: [ERROR] Failed to lookup _443._tcp.www.bartschnet.de: err: Error parsing response: bad content *._tcp.bartschnet.de
Is this something we want to handle?
Handling this would mean: allowing '*' in service names. The whole letters-digits-hyphen rule seems to be more painful than it is worth, especially in respect to https://tools.ietf.org/html/rfc2181#section-11 -- we can talk and discuss how to move forward (the initial reason to be as strict as possible is no longer a concern; rather: what would we want to have, and who is responsible for checking for proper domain names?)
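The strict-versus-lenient name policy discussed above, applied to the CNAME chain from the dig output in the issue, as an added Python example that is not odns or ocaml-dns code; the validation functions, the `ANSWER` list (constructed from the quoted answer section) and the error strings are assumptions for illustration.

```python
import re
# RFC 952/1123 letters-digits-hyphen label: the strict rule odns applies.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def labels(name):
    return name.rstrip(".").split(".")

def is_dns_name(name):
    # RFC 2181 section 11: any octet is allowed, only lengths are limited
    # (1..63 octets per label, at most 255 octets in wire form).
    ls = labels(name)
    wire_len = sum(len(l) + 1 for l in ls) + 1
    return all(1 <= len(l) <= 63 for l in ls) and wire_len <= 255

def is_hostname(name):
    return is_dns_name(name) and all(LDH_LABEL.match(l) for l in labels(name))

def is_service_name(name):
    # TLSA/SRV owner convention: leading "_label"s, then a plain hostname.
    ls, n = labels(name), 0
    while n < len(ls) and ls[n].startswith("_"):
        if not LDH_LABEL.match(ls[n][1:]):
            return False
        n += 1
    return 0 < n < len(ls) and is_hostname(".".join(ls[n:]))

def valid_name(name, strict):
    # strict: hostname or service name only, so "*._tcp.bartschnet.de" fails;
    # lenient: whatever RFC 2181 allows, so a wildcard CNAME target passes.
    return is_hostname(name) or is_service_name(name) if strict else is_dns_name(name)

# Constructed from the dig answer section quoted in the issue.
ANSWER = [
    ("_443._tcp.www.bartschnet.de.", "CNAME", "*._tcp.bartschnet.de."),
    ("*._tcp.bartschnet.de.", "TLSA",
     (1, 1, 1, "23ECDA1BAFF3350ADE5752800A79DAC0D91A121FCE40ED0D997B123D2863D453")),
]

def lookup(answer, qname, rtype, strict, max_hops=8):
    # Walk the answer section: follow CNAMEs until an rtype record is found,
    # validating each CNAME target with the chosen name policy.
    name = qname
    for _ in range(max_hops):
        for owner, t, rdata in answer:
            if owner == name and t == rtype:
                return rdata
        target = next((r for o, t, r in answer if o == name and t == "CNAME"), None)
        if target is None:
            raise LookupError("no %s or CNAME for %s" % (rtype, name))
        if not valid_name(target, strict):
            raise ValueError("bad content " + target.rstrip("."))
        name = target
    raise LookupError("CNAME chain longer than %d hops" % max_hops)
```

With `strict=True` the walk stops at the wildcard target with the same "bad content" error the odns run shows; with `strict=False` it returns the TLSA record.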
I think I used wildcards (and implemented a multimap that supported it) for my tlstunnel load-balancing branch, so that's one potential use-case.
I don't really have an opinion.