What should a second-level wildcard subdomain entry look like?

So far I have:

A/AAAA /Subname empty\ IPv4/6. - this should be for second-level domain

A/AAAA * IPv4/6. - this for first-level subdomain under second-level domain

And finally:

A/AAAA *.app IPv4/6 - this for second-level subdomain under second-level domain.

But I’m not sure, should this rather be a double entry instead?

Like:

A/AAAA app IPv4/6. - adding this also, instead of just the *.app

A/AAAA *.app IPv4/6. - and this for *

Looking at the certificate obtained, all three levels are listed in the Subject Alt Names (domain, and first/second-level subdomains).

So what I have is working well.

The app.somedomain.com itself is not intended to be used at all, since only one service could use it anyway when I need more.

The double entry thus would be useful only in case precisely the app.somedomain.com is needed?

Seems to me both ways are correct. Is there any convention with this?

Correct. Note however that without its own entries, app will not use the * wildcard records, because by the rules of the wildcard record, it doesn’t apply to labels that implicitly exist, and app exists due to the *.app wildcard records. Anything under app will resolve according to the *.app records, anything directly under the second-level domain will resolve according to the * records, but app itself will not resolve at all (not NXDOMAIN but no records). This is what you want if you don’t use the app subdomain on its own, but can be a surprise and bite you in other cases.

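The resolution rule described in the answer, as an added example that is not part of the original thread: a minimal sketch of RFC 4592 wildcard matching over a constructed zone. The addresses are documentation placeholders, and `existing_names` and `resolve` are hypothetical helpers, not any DNS server's API.

```python
# Constructed zone for illustration; addresses are documentation placeholders.
ORIGIN = "somedomain.com"
ZONE = {
    "somedomain.com":       {"A": "192.0.2.1"},
    "*.somedomain.com":     {"A": "192.0.2.2"},
    "*.app.somedomain.com": {"A": "192.0.2.3"},
}

def existing_names(zone):
    """Every owner name plus each of its ancestors down to the origin.
    Ancestors without records (empty non-terminals) still exist."""
    names = set()
    for owner in zone:
        labels = owner.split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            if name == ORIGIN or name.endswith("." + ORIGIN):
                names.add(name)
    return names

def resolve(qname, rtype="A", zone=ZONE):
    """Return (status, owner_used, rdata) following the wildcard rules."""
    exists = existing_names(zone)
    if qname in exists:
        # An existing name is never covered by a wildcard, even with no records.
        rdata = zone.get(qname, {}).get(rtype)
        return ("NOERROR", qname, rdata) if rdata else ("NODATA", None, None)
    # Closest encloser: the longest ancestor of qname that exists.
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if encloser in exists:
            break
    else:
        return ("NXDOMAIN", None, None)  # name is outside this zone
    wildcard = "*." + encloser
    if wildcard not in zone:
        return ("NXDOMAIN", None, None)
    rdata = zone[wildcard].get(rtype)
    return ("NOERROR", wildcard, rdata) if rdata else ("NODATA", None, None)

if __name__ == "__main__":
    for name in ("somedomain.com", "www.somedomain.com",
                 "app.somedomain.com", "api.app.somedomain.com"):
        print(name, resolve(name))
```

Adding an explicit `app.somedomain.com` entry to the zone turns the NODATA answer for that name into a normal one, which is the "double entry" case from the question.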