DNSSEC and Wildcard/Asterisk CNAME Records not working together on Windows Server 2019 DNS Server

  • Question

  • Hey Folks,

    I've got an issue with a signed DNS zone (DNSSEC). The problem is quite tricky but reproducible, and I'm asking myself whether I'm doing something wrong or whether I found a bug.
    I got
    a Domain named ""
    a DNS-SubDomain named "
    a Webserver named ""
    a Client (CL-1) on which DNSSEC-validation for is enforced via GPO.

    I have a CNAME record with a wildcard/asterisk name pointing to the webserver's name:


    When I now use "nslookup" from the Client to verify the entry, I get the IP as expected:


    When I use the PoSh cmdlet "Resolve-DNSName" I get the CNAME record, the expected RRSIG entry, and some NSEC3 entries, but NOT the expected IP of the webserver:


    When I now browse with any Browser (tested with Chrome, Edge and IE) I get an Error "Name not resolved":


    And now to the buggy stuff. This does WORK when I either:

    • unsign the namezone OR

    • when I exchange the wildcard CNAME entry with an A Record OR (see screenshots below)

    • when I exchange the wildcard CNAME entry with an "explicit" CNAME record (see screenshots below)

    So this seems to me like a major bug. If I had had some good experiences in the last few years with Microsoft Support, I would open a ticket/call. But even with Premier Support it was always worse than the community here. So help me out, people. Can anyone confirm that's a BUG within DNSSEC on Windows Server DNS Server?

    There was a somewhat similar issue with Server 2012R2:
    But that doesn't apply in my case. I have a brand new Windows Server 2019, and as a client I tried Windows 10 and Windows 11... both the same issue.

    Thanks in advance for any answer to this post.

    (also duplicated this Question to here:
    because here I can only post the question in the "German" part of TechNet. The English section/part only allows me to ask questions about "How to use this forum"... seems broken to me)

    • Edited by Reittier Thursday, 18 November 2021 15:25
    Thursday, 18 November 2021 10:39

All replies

  • Hello LimitlessTechnology1, 

    See: You already wrote that here.

    I already wrote to you, but will tell you again: I have already seen this update and patch, as you can read in my post... I even use the SAME link to reference the KB article. Moreover, there is no BIND involved and no Server 2012R2.
    So you are not helpful. For reference, see: Your "Post" again.

    But thanks anyway. At least you tried.

    • Edited by Reittier Monday, 22 November 2021 07:27
    Friday, 19 November 2021 11:11