I recommend anyone who wants to deploy wildcards to go read https://slack.engineering/what-happened-during-slacks-dnssec-rollout/
There are lots of learning points there. You can skip to the "Solving the mystery" section if you are familiar with the cover of the Hitchhiker's Guide to the Galaxy.

Yes, wildcards exist and can be signed. But there are some non-obvious failure modes you might miss. Using wildcards is not trivial. Yet often (always?) sold in as a simple workaround for something.

There is nothing simple about wildcards. It's one of the most complex things people have put into the DNS. There's a reason they got their own section in RFC1912. Which predates DNSSEC and is only a couple of months younger than the AAAA type, but still explains the mystery if you read it carefully with that in mind.

I understand that a wildcard PTR record might look like a simple way to replace a large number of records with a single one. But anyone actually *using* a PTR record will want to validate that PTR by doing a forward lookup. Now, what does that mean? Right... Having

  *.e.d.0.c.d.a.b.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR whatevername.example.com.

you'll also need

  whatevername.example.com. AAAA 2001:db8:bad:c0de::
                            AAAA 2001:db8:bad:c0de::1
                            AAAA 2001:db8:bad:c0de::2
                            ; ...
                            AAAA 2001:db8:bad:c0de:ffff:ffff:ffff:fffe
                            AAAA 2001:db8:bad:c0de:ffff:ffff:ffff:ffff

Totalling 2^64 AAAA records. Which you don't "just" have to somehow host on your DNS server. You'll also have to reply with all of those AAAA records to anyone asking for whatevername.example.com. Good luck with that.

In case there is any doubt: A one-way PTR entry is worse than no PTR entry. It's actual proof that you are attempting to use a name you don't control.

Bjørn

-- 
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
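The forward-confirmation check described in the message above, as an added example that is not part of the original post. It runs offline against constructed zone data: the wildcard PTR from the post plus a forward zone that holds only three AAAA records. The function names are hypothetical and the wildcard matching is simplified (no other names exist in the sample zone).

```python
import ipaddress

# Constructed sample data (assumption): the wildcard PTR from the post, and a
# forward zone that publishes only 3 of the 2^64 addresses the wildcard covers.
WILDCARD = "*.e.d.0.c.d.a.b.0.8.b.d.0.1.0.0.2.ip6.arpa."
PTR_ZONE = {WILDCARD: "whatevername.example.com."}
AAAA_ZONE = {"whatevername.example.com.": {
    "2001:db8:bad:c0de::", "2001:db8:bad:c0de::1", "2001:db8:bad:c0de::2"}}

def reverse_name(addr):
    """Owner name a resolver queries for the PTR of addr (fully qualified)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."

def lookup_ptr(qname, zone):
    """Exact match first, then the most specific wildcard that encloses qname.
    Simplified: valid only while the zone holds no other names below it."""
    if qname in zone:
        return zone[qname]
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):
        candidate = "*." + ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return None

def forward_confirmed(addr, ptr_zone=PTR_ZONE, aaaa_zone=AAAA_ZONE):
    """Classify addr the way a consumer validating the PTR would see it."""
    name = lookup_ptr(reverse_name(addr), ptr_zone)
    if name is None:
        return "no-ptr"
    forward = {ipaddress.ip_address(a) for a in aaaa_zone.get(name, ())}
    return "confirmed" if ipaddress.ip_address(addr) in forward else "one-way"

def addresses_covered(wildcard_owner):
    """Number of IPv6 addresses whose PTR lookup this wildcard answers."""
    nibbles = wildcard_owner.removeprefix("*.").removesuffix(".ip6.arpa.")
    return 16 ** (32 - len(nibbles.split(".")))

if __name__ == "__main__":
    for a in ("2001:db8:bad:c0de::1", "2001:db8:bad:c0de:1234::5",
              "2001:db8:bad:c0df::1"):
        print(f"{a:28} {forward_confirmed(a)}")
    gap = addresses_covered(WILDCARD) - len(AAAA_ZONE["whatevername.example.com."])
    print("addresses left with a one-way PTR:", gap)
```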