diff --git a/dns/rfc2136/Makefile b/dns/rfc2136/Makefile
index d589ee31a..38f16a22f 100644
--- a/dns/rfc2136/Makefile
+++ b/dns/rfc2136/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		rfc2136
-PLUGIN_VERSION=		1.9
-PLUGIN_REVISION=	5
+PLUGIN_VERSION=		1.10
 PLUGIN_COMMENT=		RFC-2136 Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_DEPENDS=		bind-tools
diff --git a/dns/rfc2136/pkg-descr b/dns/rfc2136/pkg-descr
index 0d2e2341c..f4a71e2ff 100644
--- a/dns/rfc2136/pkg-descr
+++ b/dns/rfc2136/pkg-descr
@@ -3,6 +3,10 @@ Support for RFC-2136 based dynamic DNS updates using Bind
 Plugin Changelog
 ================
 
+1.10
+
+* Allow a leading "*." in the hostname to update a wildcard record
+
 1.9
 
 * Add support for interface map in newwanip event
diff --git a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
index 2f36beac2..9ef6f27a9 100644
--- a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
+++ b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
@@ -84,7 +84,10 @@ function rfc2136_cache_file($dnsupdate, $ipver = 4)
 {
     $ipver = $ipver == 6 ? '_v6' : '';
 
-    return "/var/cache/rfc2136_{$dnsupdate['interface']}_{$dnsupdate['host']}_{$dnsupdate['server']}{$ipver}.cache";
+    /* rawurlencode is identity on the LDH+underscore set is_domain() accepts; only "*." gets encoded */
+    $host = rawurlencode($dnsupdate['host']);
+
+    return "/var/cache/rfc2136_{$dnsupdate['interface']}_{$host}_{$dnsupdate['server']}{$ipver}.cache";
 }
 
 function rfc2136_configure_do($verbose = false, $int = null, $updatehost = '', $forced = false)
diff --git a/dns/rfc2136/src/www/services_rfc2136_edit.php b/dns/rfc2136/src/www/services_rfc2136_edit.php
index 5dd4614f7..4751c7d35 100644
--- a/dns/rfc2136/src/www/services_rfc2136_edit.php
+++ b/dns/rfc2136/src/www/services_rfc2136_edit.php
@@ -81,8 +81,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 
     do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);
 
-    if (!empty($pconfig['host']) && !is_domain($pconfig['host'])) {
-        $input_errors[] = gettext("The DNS update host name contains invalid characters.");
+    if (!empty($pconfig['host'])) {
+        /* allow a leading "*." to designate a wildcard record */
+        $host_to_check = str_starts_with($pconfig['host'], '*.') ? substr($pconfig['host'], 2) : $pconfig['host'];
+        if (!is_domain($host_to_check)) {
+            $input_errors[] = gettext("The DNS update host name contains invalid characters.");
+        }
     }
     if (!empty($pconfig['ttl']) && !is_numericint($pconfig['ttl'])) {
         $input_errors[] = gettext("The DNS update TTL must be an integer.");
@@ -176,7 +180,7 @@ include("head.inc");
                     <td>
                       <input name="host" type="text" id="host" value="<?=$pconfig['host'];?>" />
                       <div class="hidden" data-for="help_for_host">
-                        <?= gettext('Fully qualified hostname of the host to be updated.') ?>
+                        <?= gettext('Fully qualified hostname of the host to be updated. A leading "*." may be used to update a wildcard record (e.g. "*.example.org"); the DNS server must permit wildcard updates in its update policy.') ?>
                       </div>
                     </td>
                   </tr>