From: Reindl Harald
Newsgroups: comp.protocols.dns.bind
Subject: Re: CNAME restrictions
Date: Tue, 4 Aug 2020 19:50:08 +0200
Organization: the lounge interactive design
To: bind-users@lists.isc.org
In-Reply-To: <20200804173448.GA10336@fantomas.sk>

On 04.08.20 at 19:34, Matus UHLAR - fantomas wrote:
> On 04.08.20 17:29, Leroy Tennison wrote:
>> I have a situation where, due to the system's location (IP subnet),
>> its DNS name is ..datavoiceint.com.  We have a
>> certificate for *.datavoiceint.com which we prefer to use
>
> wildcard in certificates only covers one level of subdomains, so
> *.datavoiceint.com will cover .datavoiceint.com but not
> anything under it.
>
> you will have to strip the  part or get other certificate

proper wildcard certificates are looking like this

X509v3 Subject Alternative Name:
    DNS:*.buildserver.thelounge.net
    DNS:*.thelounge.net
    DNS:thelounge.net

in other words: you have "*.domain.tld" and "domain.tld" in your SAN
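
The one-label wildcard rule discussed in this thread, as an added example that is not part of the original messages: a small checker that reports which SAN entries cover a given hostname. The SAN lists are the ones quoted above; the hostnames (`host1`, `subnet1`, `ci`, `www`) and all function names are constructed for illustration.

```python
# Added example, not from the thread. Hostnames are constructed samples.

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing root dot."""
    return name.rstrip(".").lower().split(".")


def san_matches(san, hostname):
    """Return True if one dNSName SAN entry covers hostname.

    Assumption: "*" is honoured only as the complete left-most label,
    which is how current TLS clients treat wildcards.
    """
    pat, host = _labels(san), _labels(hostname)
    if len(pat) != len(host):
        return False  # "*" never spans a dot, so label counts must be equal
    if pat[0] == "*":
        # The wildcard stands for exactly one non-empty label.
        return len(pat) > 1 and host[0] not in ("", "*") and pat[1:] == host[1:]
    return pat == host


def covering_sans(sans, hostname):
    """List every SAN entry in the certificate that covers hostname."""
    return [s for s in sans if san_matches(s, hostname)]


# SAN list from the certificate shown in the reply above.
THREAD_SANS = ["*.buildserver.thelounge.net", "*.thelounge.net", "thelounge.net"]
# The single wildcard name from the original question.
ORIGINAL_SANS = ["*.datavoiceint.com"]

if __name__ == "__main__":
    cases = [
        (ORIGINAL_SANS, "host1.datavoiceint.com"),
        (ORIGINAL_SANS, "host1.subnet1.datavoiceint.com"),  # two levels deep
        (ORIGINAL_SANS, "datavoiceint.com"),                # bare domain
        (THREAD_SANS, "thelounge.net"),
        (THREAD_SANS, "www.thelounge.net"),
        (THREAD_SANS, "ci.buildserver.thelounge.net"),
    ]
    for sans, host in cases:
        hits = covering_sans(sans, host)
        print(f"{host:35} {'covered by ' + ', '.join(hits) if hits else 'NOT covered'}")
```

Running it shows why the second-level name in the question fails validation and why the certificate in the reply lists the bare domain and each wildcard level as separate SAN entries.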