Help with understanding wildcards for multiple, second level subdomains

I’m trying to wrap my head around multiple wildcard entries for a couple of second level subdomains. I’m hoping I have it right based on forum searches and using a search engine.

This is what I have so far:

One subdomain created on deSEC:

example.dedyn.io

A record pointing to my home IP:

Type     Subname     IPv4 Address
A                    My IP

Then a CNAME for each second level subdomain:

Type     Subname      Target Domain Name
CNAME    test1        example.dedyn.io.
CNAME    test2        example.dedyn.io.

So for the wildcard part, another 2 CNAME entries:

Type     Subname      Target Domain Name
CNAME    *.test1      example.dedyn.io.
CNAME    *.test2      example.dedyn.io.

Is this how it should be done to obtain a Let’s Encrypt cert for test1.example.dedyn.io and test2.example.dedyn.io, but also wildcard certs for both test1 and test2?

I have never used wildcard certificates. So I’ll leave any comments to others with more experience.

However, for HTTP-01 ACME challenges for test1.example.dedyn.io and test2.example.dedyn.io the first 2 CNAMEs you mentioned (test1.example.dedyn.io and test2.example.dedyn.io) are sufficient.

Your DNS wildcard CNAMEs would allow e.g. xyz.test1.example.dedyn.io → example.dedyn.io, etc. So I’m not sure how that would help.

HTH
fiwswe


The end goal that I would want is to have 2 second level subdomains with Let’s Encrypt certs and also wildcard certs for both second level subdomains.

So one subdomain with wildcard points to one service and the other second level subdomain with wildcard points to another service.

Maybe I’m overcomplicating things.

Originally I had one service; the entry looked like this:

Type     Subname     IPv4 Address
A                    My IP

Type     Subname      Target Domain Name
CNAME    *            example.dedyn.io.

Now, to my understanding, I could leave it like this and have service one with entries

groups.example.dedyn.io
chat.example.dedyn.io
another_example.example.dedyn.io

and another service with entries like

nextcloud.example.dedyn.io
caldav.example.dedyn.io

All this could be resolved in a reverse proxy that points to the individual service, but that would require me to know every second level subdomain that each service would use and redirect it in the reverse proxy. So to simplify things I thought I could have one second level subdomain for one service and one for the other, but with wildcard entries for, say, groups, chat, etc.

I did this originally with DuckDNS by adding different subdomains for each service, but with deSEC, which I prefer as a service, I’m limited to one subdomain (understandably), and this is what I’m trying to solve.

That looks correct for a wildcard DNS name representing all subdomains of example.dedyn.io. I.e. test1.example.dedyn.io, test2.example.dedyn.io, etc…

I’m not sure what would be needed for a wildcard certificate but I suspect it would not need a wildcard label in DNS.

Yes. Assuming DNS resolves A/AAAA records to your host, the software on that host would decide how to process the requests for these hostnames. Even to the point of providing different TLS certificates depending on the hostname if that is what you want.

So you could have individual certificates for each hostname, certificates with alternate names for a group of hostnames and/or a wildcard certificate matching all hostnames. Or various combinations of these variants.

Conceptually you need to separate DNS and the hostnames a certificate is valid for.

I’m not sure I understand. Did you originally have e.g. example1.domain.tld and example2.domain.tld at duckdns? If so, what is the difference to having test1.example.dedyn.io and test2.example.dedyn.io?

You are limited to one subdomain of dedyn.io (example.dedyn.io), true. But you can have a large number of subdomains of that domain, or even subdomains of those subdomains if you want them.

You could also register your own domain somewhere and delegate DNS to deSEC, effectively replacing example.dedyn.io with your own domain.

None of this seems relevant to your original questions though.

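As an added illustration of the point above that DNS and the names a certificate is valid for are separate things (example code written for this page, not part of fiwswe’s reply or of any deSEC or Let’s Encrypt tooling): a DNS wildcard such as *.test1 spans any number of labels, while a certificate wildcard matches exactly one label and never the parent name. The two SAN lists, the labels svc1/svc2 and the function names are constructed for the example; the matching rules are the standard dNSName rules.

```python
"""Which certificate covers which hostname?  (standard dNSName matching)

A DNS wildcard (*.test1) spans any number of labels, but a certificate
wildcard matches exactly one label and never the parent name.  The SAN
lists below are constructed for this example.
"""
from typing import List, Optional

# Constructed SAN lists: one cert per service, each carrying the base
# name and the wildcard, which is what "test1 plus a wildcard" needs.
CERTS = {
    "svc1": ["test1.example.dedyn.io", "*.test1.example.dedyn.io"],
    "svc2": ["test2.example.dedyn.io", "*.test2.example.dedyn.io"],
}


def san_matches(san: str, hostname: str) -> bool:
    """True if one dNSName SAN covers hostname (case-insensitive)."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    # Wildcard: only the leftmost label may be "*", and it matches exactly
    # one non-empty label, so "*.test1..." covers chat.test1... but
    # neither test1... itself nor a.b.test1...
    suffix = san[1:]                         # ".test1.example.dedyn.io"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def cert_covers(sans: List[str], hostname: str) -> bool:
    """True if any SAN in the certificate covers hostname."""
    return any(san_matches(s, hostname) for s in sans)


def pick_cert(hostname: str) -> Optional[str]:
    """What an SNI-aware server does: pick the cert whose SANs cover the
    requested name, or None (the client then sees a name mismatch)."""
    for name, sans in CERTS.items():
        if cert_covers(sans, hostname):
            return name
    return None


if __name__ == "__main__":
    for h in ["test1.example.dedyn.io", "chat.test1.example.dedyn.io",
              "a.b.test1.example.dedyn.io", "caldav.test2.example.dedyn.io",
              "example.dedyn.io"]:
        print(f"{h:32} -> {pick_cert(h)}")
```

The practical consequence for the setup in this thread: a wildcard certificate for *.test1.example.dedyn.io does not cover test1.example.dedyn.io itself, so a certificate that should serve both needs both names, and a name like a.b.test1.example.dedyn.io, which the DNS wildcard resolves happily, is covered by neither.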

This is my existing setup that I know works for the one service I have running; I use certbot to obtain a wildcard cert using the DNS-01 challenge.

What I want to do now is create another service with its own domain name.

So ideally I would do the same as I have above, except one level down therefore creating two second level subdomains.

Here is what I would like to do:

Type     Subname     IPv4 Address
A                    My IP

Type     Subname      Target Domain Name
CNAME    test1        example.dedyn.io.
CNAME    test2        example.dedyn.io.

Type     Subname      Target Domain Name
CNAME    *            test1.example.dedyn.io.
CNAME    *            test2.example.dedyn.io.

This, in my mind, would allow me to have 2 second level subdomains with wildcard entries, but I can’t have two CNAME entries with subname *.

Sorry, that’s my fault, I didn’t explain: in the past I did this exact thing using DuckDNS, creating two subdomain entries, one for each service (wildcard was handled automatically); I didn’t have to add anything other than the subdomain names in the GUI.

On deSEC I can only have one subdomain, so, as you said, I want to use the second level subdomain to achieve the same as when using DuckDNS, but in deSEC’s GUI I have to add other entries like CNAME, and this is where my understanding fails.

Sorry about this, my knowledge of DNS is still developing; it’s only recently I learned of multi-level subdomains.

I missed this before.

You could create multiple certificates for the same hostname. E.g. one of them being a wildcard certificate. But whatever service is running will only be able to present one of them. You’ll need to decide which one to use when configuring that service.

Of course you could have different services (using different ports) running on the same hostname and have them use different certificates. So there might be valid uses for multiple certificates for a single hostname.


When deSEC uses the term “subname”, it means every DNS label “below” your domain (or what deSEC considers your domain, to be more precise). In this case, your domain is example.dedyn.io.
You can, of course, have multiple wildcard RRSets, but they must have different subnames. Your example above only has * as the subname, for which you cannot have two RRSets (of the same type). You want one CNAME at the subname *.test1 and another one at *.test2.


So would that be the same as my example given in the first post? Or would the target domain name be different from the example.dedyn.io that I used?

example.dedyn.io as the CNAME target of all relevant records sounds correct, if you want all names to point to the same (dynamically changing) IP address.
Use nslookup whatever.test1.example.dedyn.io (or something to that end) to check if the records resolve correctly. Once the names point to the IP you need, tackle certificate issuance.
Remember that CNAME records not only affect A/AAAA lookups, but also TXT lookups. This may affect your ACME challenge handling.

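An added, offline model of how a resolver walks the records from this thread (example code written for this page, not from the thread participants or from deSEC): wildcard matching as specified in RFC 4592, expressed in deSEC’s subname terms where subname "" is the apex example.dedyn.io, plus CNAME chasing. It illustrates two points made in the replies above: that the wildcard RRSets have to live at *.test1 and *.test2 rather than at a single *, and that a CNAME is followed for TXT lookups too, so a wildcard CNAME under test1 catches _acme-challenge.test1 until that name is created explicitly. The apex address 203.0.113.10, the SINGLE_STAR contrast layout, the ACME token and all function names are constructed for the example; nothing here talks to the network, so nslookup/dig against the live zone remains the real check.

```python
"""Offline model of how a resolver walks the records discussed above:
RFC 4592 wildcard matching plus CNAME chasing, in deSEC "subname" terms
(subname "" is the zone apex, example.dedyn.io).  Records, the IP and
the ACME token are constructed for this example.
"""
from typing import Dict, List, Optional, Tuple

APEX = "example.dedyn.io"
Zone = Dict[str, Dict[str, List[str]]]   # subname -> rrtype -> rdata list

# The layout the deSEC reply recommends: explicit test1/test2 plus a
# wildcard RRSet under each of them.
FINAL: Zone = {
    "":        {"A": ["203.0.113.10"]},          # constructed IP (TEST-NET-3)
    "test1":   {"CNAME": ["example.dedyn.io."]},
    "test2":   {"CNAME": ["example.dedyn.io."]},
    "*.test1": {"CNAME": ["example.dedyn.io."]},
    "*.test2": {"CNAME": ["example.dedyn.io."]},
}

# Hypothetical contrast: keeping a single "*" wildcard next to the
# per-service CNAMEs.
SINGLE_STAR: Zone = {
    "":      {"A": ["203.0.113.10"]},
    "test1": {"CNAME": ["example.dedyn.io."]},
    "test2": {"CNAME": ["example.dedyn.io."]},
    "*":     {"CNAME": ["example.dedyn.io."]},
}


def parent(subname: str) -> Optional[str]:
    """Strip the leftmost label; the apex ("") has no parent."""
    return None if subname == "" else subname.partition(".")[2]


def name_exists(zone: Zone, subname: str) -> bool:
    """A name exists if it owns records or is an ancestor of a name that
    does (an "empty non-terminal").  The apex always exists."""
    if subname == "" or subname in zone:
        return True
    return any(n.endswith("." + subname) for n in zone)


def closest_encloser(zone: Zone, subname: str) -> str:
    """Longest existing ancestor of a name that does not exist."""
    n = parent(subname)
    while n is not None and not name_exists(zone, n):
        n = parent(n)
    return n or ""


def lookup(zone: Zone, qname: str, qtype: str, _depth: int = 0) -> Tuple[str, List[str]]:
    """Return (status, rdata) with status ANSWER, NODATA (name exists but
    not that type), NXDOMAIN, or EXTERNAL (CNAME leaves this zone)."""
    if _depth > 8:
        raise RuntimeError("CNAME chain too long")
    rrsets = zone.get(qname)
    if rrsets is None:
        if name_exists(zone, qname):
            return "NODATA", []                     # empty non-terminal
        # RFC 4592: only the wildcard directly under the closest encloser
        # can synthesize an answer, so once test1 exists a bare "*" no
        # longer covers anything.test1.
        ce = closest_encloser(zone, qname)
        rrsets = zone.get("*." + ce if ce else "*")
        if rrsets is None:
            return "NXDOMAIN", []
    if qtype in rrsets:
        return "ANSWER", rrsets[qtype]
    if "CNAME" in rrsets:
        # A CNAME is chased for every qtype, TXT included, which is why a
        # wildcard CNAME under test1 also captures _acme-challenge.test1
        # until that name is created explicitly (explicit names win).
        target = rrsets["CNAME"][0].rstrip(".")
        if target == APEX:
            return lookup(zone, "", qtype, _depth + 1)
        if target.endswith("." + APEX):
            return lookup(zone, target[: -len(APEX) - 1], qtype, _depth + 1)
        return "EXTERNAL", [target]
    return "NODATA", []


def with_acme_txt(zone: Zone, subname: str, token: str) -> Zone:
    """Copy of zone plus the TXT record a DNS-01 client would publish."""
    copy = {k: dict(v) for k, v in zone.items()}
    copy[subname] = {"TXT": [token]}
    return copy


if __name__ == "__main__":
    for zone_name, zone, q in [
        ("FINAL", FINAL, ("chat.test1", "A")),
        ("FINAL", FINAL, ("a.b.test2", "A")),
        ("FINAL", FINAL, ("other", "A")),
        ("SINGLE_STAR", SINGLE_STAR, ("chat.test1", "A")),
        ("FINAL", FINAL, ("_acme-challenge.test1", "TXT")),
        ("FINAL+TXT", with_acme_txt(FINAL, "_acme-challenge.test1", "tok"),
         ("_acme-challenge.test1", "TXT")),
    ]:
        print(f"{zone_name:11} {q[0]:24} {q[1]:4} -> {lookup(zone, *q)}")
```

Two things the model makes visible that are easy to miss in the GUI: a zone that only has *.test1 and no explicit test1 record still makes test1 exist as an empty non-terminal, so test1 itself returns NODATA rather than the A record, which is why the explicit test1 and test2 CNAMEs from the first post are needed; and before the DNS-01 client publishes its TXT record, a TXT query for _acme-challenge.test1 is answered by following the wildcard CNAME to the apex, where no TXT exists.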