DNSSEC and Wildcard/Asterisk CNAME Records not working together on Windows Server 2019 DNS Server

  • Question

  • Hey Folks,

    I've got an issue with a signed DNS zone (DNSSEC). The problem is quite tricky but reproducible, and I'm questioning myself whether I'm doing something wrong or whether I found a bug.
    I have
    a domain named "testdomain.de"
    a DNS subdomain named "test.testdomain.de"
    a webserver named "web.testdomain.de"
    a client (CL-1) on which DNSSEC validation for .testdomain.de is enforced via GPO.


    I have a CNAME record with a wildcard/asterisk name pointing to the webserver's name:

    [screenshot]

    When I now use "nslookup" from the client to verify the entry, I get the IP as expected:

    [screenshot]

    When I use the PoSh cmdlet "Resolve-DnsName" I get the CNAME record, the expected RRSIG entry, and some NSEC3 entries, but NOT the expected IP of the webserver:

    [screenshot]

    When I now browse with any browser (tested with Chrome, Edge and IE) I get an error "Name not resolved":

    [screenshot]

    And now to the buggy stuff. This does WORK when I either:

    • unsign the zone OR

    • exchange the wildcard CNAME entry with an A record OR (see screenshots below)
      [screenshot]
      [screenshot]

    • exchange the wildcard CNAME entry with an "explicit" CNAME record (see screenshots below)
      [screenshot]
      [screenshot]
      [screenshot]

    So this seems to me like a major bug. If I had had some good experiences in the last few years with Microsoft Support, I would open a ticket/call. But even with Premier Support it was always worse than the community here. So help me out, people. Can anyone confirm that this is a BUG within DNSSEC on the Windows Server DNS server?

    There was a somewhat similar issue with Server 2012 R2: https://support.microsoft.com/en-us/topic/incorrect-response-when-dns-server-uses-wildcard-cname-and-dnssec-validation-failures-in-windows-server-2012-r2-0ae3bce8-6611-e489-ec97-d66ce7f66bf2
    But that doesn't apply in my case. I have a brand new Windows Server 2019, and as a client I tried Windows 10 and Windows 11... both show the same issue.

    Thanks in advance for any answer to this post.

    (I also duplicated this question here:
    https://docs.microsoft.com/en-us/answers/questions/631092/dnssec-and-wildcardasterisk-cname-records-not-work.html
    because here I can only post the question in the German part of TechNet. The English section/part only allows me to ask questions about "How to use this forum"... seems broken to me.)


    www.netlogix.de



    • Edited by Reittier Thursday, 18 November 2021 15:25
    Thursday, 18 November 2021 10:39
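A client-side diagnostic that narrows the symptom described above (CNAME, RRSIG and NSEC3 returned, A record missing) down to either resolution or validation, as an added example that is not part of the original post and not Microsoft's own tooling; the queried name www.test.testdomain.de, the LabelCount and IPAddress property names on the Resolve-DnsName output objects, and the use of -DnssecCd as the checking-disabled comparison query are assumptions.

```powershell
# Added diagnostic (not from the original post). Constructed names: the wildcard
# CNAME is assumed to live under test.testdomain.de and "www" is the label queried.
param(
    [string]$Name   = 'www.test.testdomain.de',
    [string]$Target = 'web.testdomain.de',
    [string]$Server = $null
)

function Invoke-Query {
    param([switch]$CheckingDisabled)
    $opts = @{ Name = $Name; Type = 'A'; DnssecOk = $true; ErrorAction = 'SilentlyContinue' }
    if ($Server)           { $opts.Server   = $Server }
    if ($CheckingDisabled) { $opts.DnssecCd = $true }   # sets the CD bit
    Resolve-DnsName @opts
}

# 1. Validated query, as in the poster's Resolve-DnsName test.
$validated = Invoke-Query
$cname = $validated | Where-Object { $_.Type -eq 'CNAME' -and $_.Section -eq 'Answer' }
$a     = $validated | Where-Object { $_.Type -eq 'A'     -and $_.Section -eq 'Answer' }
$rrsig = $validated | Where-Object { $_.Type -eq 'RRSIG' -and $_.TypeCovered -eq 'CNAME' }
$nsec3 = $validated | Where-Object { $_.Type -eq 'NSEC3' }

# 2. Wildcard synthesis is visible in the RRSIG: its label count is smaller than the
#    number of labels in the owner name (RFC 4035 sections 5.3.1 and 5.3.4). A validator
#    then needs the NSEC3 proof that no closer name exists. LabelCount is assumed to be
#    the property name exposed by the RRSIG record object.
$ownerLabels = ($Name.TrimEnd('.') -split '\.').Count
$isWildcard  = $rrsig | Where-Object { $_.LabelCount -lt $ownerLabels }

"CNAME in answer      : $([bool]$cname) -> $($cname.NameHost)"
"RRSIG over CNAME     : $([bool]$rrsig) (wildcard-expanded: $([bool]$isWildcard))"
"NSEC3 proof present  : $(@($nsec3).Count) record(s)"
"A record for target  : $([bool]$a) $($a.IPAddress -join ',')"

# 3. Same query with the CD bit set. If the A record appears here but not above,
#    the CNAME chain is followed and the wildcard proof is what fails validation.
$cd  = Invoke-Query -CheckingDisabled
$aCd = $cd | Where-Object { $_.Type -eq 'A' -and $_.Section -eq 'Answer' }
"A record with CD bit : $([bool]$aCd) $($aCd.IPAddress -join ',')"

if (-not $a -and $aCd) {
    "Verdict: chain resolves, but DNSSEC validation of the wildcard-expanded CNAME fails on the client."
} elseif (-not $a -and -not $aCd) {
    "Verdict: the server does not return the A record for $Target at all; inspect the signed zone."
} else {
    "Verdict: wildcard CNAME resolves under DNSSEC validation."
}
```

Run it on the validating client (CL-1 in the post) and compare the first and last verdicts with nslookup, which does not validate and therefore shows the IP either way.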

All replies

  • Hello LimitlessTechnology1, 

    See: You already wrote that here.

    I already wrote to you, but will tell you again: I have already seen this update and patch, as you can read in my post... I even use the SAME link to reference the KB article. Moreover, there is no BIND involved and no Server 2012 R2.
    So you are not helpful. For reference, see your "post" again.

    But thanks anyway. At least you tried.

    www.netlogix.de


    • Edited by Reittier Monday, 22 November 2021 07:27
    Friday, 19 November 2021 11:11