robur-coop / udns

[deprecated, development moved to https://github.com/mirage/ocaml-dns] µDNS - an opinionated Domain Name System (DNS) library
BSD 2-Clause "Simplified" License

CNAME wildcards? #10

Open cfcs opened 5 years ago

cfcs commented 5 years ago

See https://groups.google.com/forum/#!topic/public-dns-discuss/M982l7Lz9uA

$ dig -t TLSA  _443._tcp.www.bartschnet.de

; <<>> DiG 9.11.5-P1-2-Debian <<>> -t TLSA _443._tcp.www.bartschnet.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16652
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_443._tcp.www.bartschnet.de.   IN  TLSA

;; ANSWER SECTION:
_443._tcp.www.bartschnet.de. 3599 IN    CNAME   *._tcp.bartschnet.de.
*._tcp.bartschnet.de.   3599    IN  TLSA    1 1 1 23ECDA1BAFF3350ADE5752800A79DAC0D91A121FCE40ED0D997B123D 2863D453

;; AUTHORITY SECTION:
bartschnet.de.      21599   IN  NS  ns2.core-networks.eu.
bartschnet.de.      21599   IN  NS  ns3.core-networks.com.
bartschnet.de.      21599   IN  NS  ns1.core-networks.de.

;; Query time: 191 msec
;; SERVER: 10.137.2.1#53(10.137.2.1)
;; WHEN: Sat Mar 09 19:09:08 CET 2019
;; MSG SIZE  rcvd: 225
$ odns.exe tlsa _443._tcp.www.bartschnet.de
odns.exe: [ERROR] Failed to lookup _443._tcp.www.bartschnet.de: err: Error parsing response: bad content *._tcp.bartschnet.de

Is this something we want to handle?

hannesm commented 5 years ago

Handling this would mean allowing '*' in service names. The whole letters-digits-hyphen rule seems to be more painful than it is worth, esp. with respect to https://tools.ietf.org/html/rfc2181#section-11 -- we can talk and discuss how to move forward (the initial reason to be as strict as possible is no longer a concern; rather: what would we want to have, and who's responsible for checking for proper domain names?)
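
The two checks that get conflated in this thread can be pulled apart, as in the following added example. It is not udns or ocaml-dns code, and it is written in Python rather than OCaml so it runs stand-alone. The wire decoder enforces only what RFC 2181 §11 lets the DNS itself enforce (label and total name length, plus bounds and pointer sanity), so the '*' label in the CNAME target above decodes without complaint; the letters-digits-hyphen (LDH) rule lives in a separate predicate that an application applies only where a name is used as a host. The records, the wire bytes and the function names are constructed from the dig output in this issue and are illustrative.

```python
import re

MAX_LABEL = 63   # RFC 1035 §2.3.4
MAX_NAME = 255   # wire-format length, including the root label
# RFC 952/1123 "LDH" host-name label: letters, digits, interior hyphens only
LDH = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def encode_name(name: str) -> bytes:
    """Presentation form -> wire form. Any label bytes are accepted
    (RFC 2181 §11); only label length and total length are enforced."""
    out = bytearray()
    labels = [] if name in ("", ".") else name.rstrip(".").split(".")
    for label in labels:
        raw = label.encode("latin-1")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > MAX_NAME:
        raise ValueError("name too long")
    return bytes(out)


def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Wire form -> presentation form, honouring RFC 1035 §4.1.4 compression.
    Every read is bounds-checked and pointers must point backwards, so a
    crafted message can neither read out of range nor loop the parser.
    Returns (name, offset just past the name in the message). Presentation
    escaping of '.' or non-printable bytes inside a label is not done here."""
    labels, total, end = [], 0, None
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n == 0:                              # root label: end of name
            off += 1
            break
        if n & 0xC0 == 0xC0:                    # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((n & 0x3F) << 8) | msg[off + 1]
            if target >= off:
                raise ValueError("compression pointer does not point backwards")
            if end is None:
                end = off + 2                   # resume here after the name
            off = target
            continue
        if n > MAX_LABEL:                       # 0x40..0xBF: reserved label types
            raise ValueError(f"invalid label length byte {n:#x}")
        total += 1 + n
        if total + 1 > MAX_NAME:
            raise ValueError("name too long")
        if off + 1 + n > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off + 1:off + 1 + n].decode("latin-1"))
        off += 1 + n
    return ".".join(labels) + ".", (off if end is None else end)


def is_wildcard(name: str) -> bool:
    """RFC 4592 §2.1.1: a wildcard owner name has '*' as its entire leftmost
    label; a '*' elsewhere, or inside a label, is just an ordinary name."""
    return name.split(".", 1)[0] == "*"


def is_hostname(name: str) -> bool:
    """The LDH rule belongs at the point of use (A/AAAA owners, NS/MX/SRV
    targets, a name about to be connected to), not in the message parser."""
    return all(LDH.match(label) for label in name.rstrip(".").split("."))


def follow_cname(records, qname: str, qtype: str, max_hops: int = 8):
    """Walk the CNAME chain in an answer section until an RRset of qtype is
    found. records: (owner, type, rdata) triples in presentation form."""
    name = qname
    for _ in range(max_hops):
        own = [r for r in records if r[0].lower() == name.lower()]
        wanted = [r[2] for r in own if r[1] == qtype]
        if wanted:
            return name, wanted
        cnames = [r[2] for r in own if r[1] == "CNAME"]
        if not cnames:
            return name, []
        name = cnames[0]
    raise ValueError("CNAME chain too long")


# Constructed from the dig ANSWER section in this issue (hex joined).
ANSWER = [
    ("_443._tcp.www.bartschnet.de.", "CNAME", "*._tcp.bartschnet.de."),
    ("*._tcp.bartschnet.de.", "TLSA",
     "1 1 1 23ECDA1BAFF3350ADE5752800A79DAC0D91A121FCE40ED0D997B123D2863D453"),
]

# Constructed wire bytes: the qname, then the CNAME target written with a
# compression pointer (0xC0 0x0E) back to "bartschnet.de." inside the qname.
WIRE = encode_name("_443._tcp.www.bartschnet.de.") + b"\x01*\x04_tcp\xc0\x0e"


if __name__ == "__main__":
    target, off = decode_name(WIRE, 29)
    print(target, off, is_wildcard(target), is_hostname(target))
    print(follow_cname(ANSWER, "_443._tcp.www.bartschnet.de.", "TLSA"))
```

Note that neither `_443._tcp.www.bartschnet.de.` nor `*._tcp.bartschnet.de.` passes `is_hostname`, yet both are perfectly valid owner names for CNAME and TLSA records; an LDH check in the parser would reject the response above, while an LDH check applied to the NS targets in the authority section (which are host names) would still catch a bad delegation target before anything connects to it.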

cfcs commented 5 years ago

I think I used wildcards (and implemented a multimap that supported it) for my tlstunnel load-balancing branch, so that's one potential use-case.

I don't really have an opinion.