DNS wildcards eli5

Do lart me if this is too off topic.

I have the following entries in my zone:

*.test  60s  IN  CNAME  example.com.
_acme-challenge.sub.test  60s  IN  CNAME  _acme-challenge.example.com. 

This leads to (in both NSD version 4.12.0 and BIND 9.20.15):

$ host -t cname _acme-challenge.sub.test.humilis.net localhost
[..]
_acme-challenge.sub.test.humilis.net is an alias for _acme-challenge.example.com.
$ host -t cname sub.test.humilis.net localhost
[..]
sub.test.humilis.net has no CNAME record
$ host -t cname foo.test.humilis.net localhost
[..]
foo.test.humilis.net is an alias for example.com.

If I remove the _acme-challenge.sub.test entry, sub.test.humilis.net resolves.

Why does sub.test.humilis.net not resolve with the _acme-challenge.sub.test entry?

The answer must be in RFC 4592: The Role of Wildcards in the Domain Name System but it apparently is too English for me.

Hi @sander and welcome!

Just remember that wildcards match labels that do not exist.

When _acme-challenge.sub.test is there, sub.test exists and it is an empty non-terminal (no records there).

When _acme-challenge.sub.test is not there, sub.test does not exist and the first CNAME in your zone can answer for it.

1 Like
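To make the "wildcards only match names that do not exist" rule concrete, here is a small Python model of RFC 4592 lookup added to this thread; it is not code from the thread, from NSD or from BIND. It treats a zone as a dictionary of owner names relative to the apex, computes which names exist (owners plus every proper ancestor of an owner, i.e. the empty non-terminals), and only then decides between answer, NODATA, wildcard synthesis and NXDOMAIN. The zone contents are the two records from the question; the SOA rdata is a constructed placeholder. It also goes one step beyond the question: a name below the empty non-terminal (x.sub.test) is not covered by *.test either, because its closest encloser is sub.test and *.sub.test does not exist.

```python
"""Toy model of RFC 4592 wildcard matching, including empty non-terminals.

Added example, not code from the thread, NSD or BIND. Names are relative
to the zone apex, written '@'.
"""
from typing import Dict, Iterator, List, Set, Tuple

Zone = Dict[str, Dict[str, List[str]]]   # owner -> rrtype -> rdata list
Result = Tuple[str, str, List[str]]       # (status, matched owner, rdata)


def labels(name: str) -> List[str]:
    return [] if name == "@" else name.split(".")


def ancestors(name: str) -> Iterator[str]:
    """Proper ancestors of name, closest first, ending at the apex '@'."""
    ls = labels(name)
    for i in range(1, len(ls) + 1):
        yield ".".join(ls[i:]) or "@"


def existing_names(zone: Zone) -> Set[str]:
    """Every name that exists in the zone: owners of records plus every
    proper ancestor of an owner (empty non-terminals, RFC 4592 section 2.2.2).
    *.test alone makes 'test' exist; _acme-challenge.sub.test makes
    'sub.test' and 'test' exist."""
    names: Set[str] = set(zone)
    for owner in zone:
        names.update(ancestors(owner))
    return names


def lookup(zone: Zone, qname: str, qtype: str) -> Result:
    """Decide how an authoritative server answers qname/qtype."""
    exists = existing_names(zone)

    def pick(owner: str) -> Tuple[str, List[str]]:
        rrs = zone.get(owner, {})          # {} for an empty non-terminal
        if qtype in rrs:
            return "answer", rrs[qtype]
        if "CNAME" in rrs:                 # a CNAME answers any query type
            return "answer", rrs["CNAME"]
        return "nodata", []

    if qname in exists:
        # The name exists (possibly only as an empty non-terminal), so
        # wildcards are never consulted: the result is an answer or NODATA.
        status, rdata = pick(qname)
        return status, qname, rdata

    # The name does not exist: find the closest encloser (longest existing
    # ancestor) and check for the source of synthesis '*.<closest encloser>'.
    closest = next(a for a in ancestors(qname) if a in exists)
    wildcard = "*" if closest == "@" else "*." + closest
    if wildcard in exists:
        status, rdata = pick(wildcard)
        return ("wildcard" if status == "answer" else "nodata"), wildcard, rdata
    return "nxdomain", closest, []


# Constructed zone: the two records from the question, relative to humilis.net.
# The SOA rdata is a placeholder so the apex has something to own.
ZONE: Zone = {
    "@": {"SOA": ["ns1.example.net. hostmaster.example.net. 1 3600 900 604800 60"]},
    "*.test": {"CNAME": ["example.com."]},
    "_acme-challenge.sub.test": {"CNAME": ["_acme-challenge.example.com."]},
}

# The same zone with the _acme-challenge entry removed, as in the question.
ZONE_WITHOUT_ENT: Zone = {
    k: v for k, v in ZONE.items() if k != "_acme-challenge.sub.test"
}

if __name__ == "__main__":
    for q in ("_acme-challenge.sub.test", "sub.test", "foo.test", "x.sub.test"):
        print(q, lookup(ZONE, q, "CNAME"))
    print("sub.test without the ENT:", lookup(ZONE_WITHOUT_ENT, "sub.test", "CNAME"))
```

Running it reproduces the three `host` results from the question: the _acme-challenge name answers directly, sub.test is NODATA because it exists as an empty non-terminal, and foo.test is synthesized from *.test. Dropping the _acme-challenge record makes sub.test stop existing, so the wildcard answers for it again.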