Wildcard DNS on Mac OSX Server 10.8

I’m having this problem where I can’t get the CNAME *.domain.tld working on Mac OSX server 10.8

Let’s set up a new “Primary Zone” with an “A Record”.

That’s great, now we can find the domain by visiting the browser, but how about www.domain.tld?

No can do….

Let’s add a CNAME (or “alias Record”)

Now we can find domain.tld as well as www.domain.tld in the browser.

Now I want to add *.domain.tld so I can find all.these.sub.domains.domain.tld as well, or maybe just dev.domain.tld or test.domain.tld or even www2.domain.tld

The GUI, much beloved by most people, does not accept the * so I’ll just type “asteriks” instead and change it in the terminal later.

Let’s dive underwater..

The “GUI” now reflects the zonefile.

I can now find anything.domain.tld, but not for long…

The problem

The problem is that periodically or after a service/machine restart, the *.domain.tld CNAME will be undone because Apple does not like it when I change things I’m not supposed to change.

The issue I have with this problem is that *.domain.tld is widely accepted in Bind/DNS systems *except* for Mac OSX server.
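
One way to notice when the server has undone the manual edit, as an added example that is not part of the original post: a shell function that reads a zone file and reports whether the `*` CNAME is still there, whether only the GUI's "asteriks" label is present, or whether neither is. The function name, the sample records and the one-record-per-line `owner [ttl] [class] type target` layout are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post). Reports the state of the
# wildcard CNAME in a BIND-style zone file.
# usage: wildcard_state <zonefile> <zone>  ->  wildcard | placeholder | missing
wildcard_state() {
    awk -v zone="$2" '
        BEGIN { zone = tolower(zone); sub(/\.$/, "", zone); state = "missing" }
        {
            sub(/;.*/, "")                  # strip zone-file comments
            if (NF < 3) next
            owner = tolower($1)
            sub(/\.$/, "", owner)           # absolute names end in a dot
            # record layout: owner [ttl] [class] TYPE target
            is_cname = 0
            for (i = 2; i < NF; i++) if (toupper($i) == "CNAME") is_cname = 1
            if (!is_cname) next
            if (owner == "*" || owner == ("*." zone)) state = "wildcard"
            else if (state == "missing" &&
                     (owner == "asteriks" || owner == ("asteriks." zone)))
                state = "placeholder"       # GUI label never changed, or put back
        }
        END { print state }
    ' "$1"
}

# Constructed sample zone files (192.0.2.10 is a documentation address).
tmp=$(mktemp -d)
base='domain.tld. 10800 IN A 192.0.2.10
www.domain.tld. 10800 IN CNAME domain.tld.'
printf '%s\n%s\n' "$base" '*.domain.tld. 10800 IN CNAME domain.tld.' > "$tmp/db.edited"
printf '%s\n%s\n' "$base" 'asteriks.domain.tld. 10800 IN CNAME domain.tld.' > "$tmp/db.gui"
printf '%s\n' "$base" > "$tmp/db.rewritten"

for f in db.edited db.gui db.rewritten; do
    printf '%s: %s\n' "$f" "$(wildcard_state "$tmp/$f" domain.tld)"
done
```

Run against the live zone file from a periodic job, a result other than `wildcard` means the hand edit is gone and hosts that relied on it no longer resolve.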


Join the Conversation


  1. Finally someone else who’s had the same problem!
    Do you know what file I need to modify to add a wildcard domain entry to the ‘Additional Domains’ section of the Website service? You used to be able to do this in Lion Server – but not in Mountain Lion.
    I haven’t had too much trouble with the wildcard domain resetting – but that was in Lion, we’re using ML now. I don’t suppose you found a fix?

    1. Hi Glen, unfortunately when you alter /private/var/named/db.domain.tld to add your *.domain.tld CNAME to domain.tld it’s only working temporarily until you change something else.
      ML just simply deletes the record….. :-@

      The only workaround I have at this moment is to add all possible domain aliases by hand through the ‘so beloved GUI’ interface..

      I hate Apple for this…

        1. Nice one Glen!

          Haven’t tried that and I will give that a try (& post my findings here).


        2. Hi Glen,

          Unfortunately the system just deletes the file and recreates it with 644 posix permissions.


    1. Hi William,

      This has nothing to do with certificates, but with the DNS system itself.

      Of course if you add a Wildcard certificate for *.domain.tld then all domain aliases registered in that zone are secured with SSL, but you’ll still have to enter all subdomains (aliases) individually in DNS: www2.domain.tld, shop.domain.tld, etc.domain.tld.

      In normal DNS systems you can just enter *.domain.tld after which all subdomains are resolved:
      all.sub.domains.are.resolved.domain.tld CNAME domain.tld
      domain.tld A

  2. I’ve run into this annoyance as well. Given I don’t want to be bothered by web developers who want to add new sub-domains to partition their work across different clients, I’m biting the bullet and just remembering to re-edit the zone files that have wildcard entries in them whenever I need to modify DNS. Not an ideal solution. I also noticed that the DNS GUI tool does not create all the data needed to allow a secondary DNS server to properly perform reverse-DNS-lookups. The reverse-lookup zone files it creates do NOT allow for a secondary server. So I had to hand-edit those files as well. Fortunately, the GUI does not appear to clobber that data when it re-creates the zone files. Annoying since it was actual extra code written to clobber data in the zone files.

  7. Appreciating the time and energy you put into your blog and in depth information you
    offer. It’s great to come across a blog every once in a while that isn’t the same old rehashed material.

    Wonderful read! I’ve bookmarked your site and I’m including your
    RSS feeds to my Google account.

    1. I quit working for the office who deployed apple server in their office, now I’m working with real *nix machines!

  8. A way of preventing the Server from changing it back is to lock the file with the DNS records from the Get Info panel.
    You need to open a finder window as root user to do that though. (Google is your friend)

    1. Thanks for that! Would also be possible using the terminal as root and chmod the h*** out of it 😉 or maybe even set a sticky bit.

  9. I came upon this after searching all week for help with wildcard DNS in OS X Server for Yosemite. It doesn’t look like the file is being overwritten, but the wildcard items are being ignored. Would love it if someone has gotten this to work.

  10. I had some luck! There is an additional edit I performed. On your first line of the db.domain.tld file, you should see something similar to this:

    domain.tld 10800 IN SOA domain.tld admin.domain.tle (

    Before the parenthesis, add your wildcard listing like so:

    domain.tld 10800 IN SOA domain.tld *.domain.tld admin.domain.tle (

    I then performed this file lock in Terminal:

    sudo chmod 444 db.domain.tld

    …and restarted the web server:

    sudo serveradmin stop web
    sudo serveradmin start web

    So far, so good!

    1. Sorry, the edit of the first line was a temporary fix. Yosemite Server doesn’t like that and will tell you there’s an error the first time you try to view DNS panel after that. Back to the drawing board….
