juanferreras
Cloudflare Developers
Created by juanferreras on 9/3/2024 in #general-help
Intermittent slowness on one specific ISP using Worker as Origin (proxy) / maybe all Cloudflare
always colo=EZE
good context on it not being security (TBH this was my major concern in terms of something that could potentially affect more users – I don't really mind if it turns out that this specific ISP has issues). It's interesting that the other person who can replicate it, with the same ISP, is not geographically close to me (although we'd both get routed to EZE too). Still sounds like an issue that will be personally insightful to troubleshoot/understand more
noted! absolutely, cheers for sending that – will take a deep look
9 replies
Cloudflare Developers
Created by juanferreras on 6/6/2024 in #general-help
Custom Hostname DCV Delegation does not work (Pending Validation TXT) for domain with DNSSEC
Hi! We ended up validating using HTTP validation instead to work around, but pairdomains/pairnic support was excellent and found out the issue was something unique to their DNS system implementation. Thank you, Chaika, for your time and support! We've definitely learned a few things throughout this one. The root cause of the issue (I've edited my messages to exampledomain.us now):
When our custom DNS system was created, the name servers were set to give a default answer to any A record query where we don't have a specific zone file for the domain. So if a domain has DNS set up, we give the normal answer for it. If the domain doesn't have DNS set up, we answer with the IP address of a placeholder server (216.92.3.120). [...]
What happens is the query to _acme-challenge.preview.exampledomain.us reaches us and we respond with an answer that it is a CNAME to preview.exampledomain.us.6f0d68e920b655b1.dcv.cloudflare.com.
If the query doesn't use DNSSEC, the CNAME is followed and the query is successful.
If the query uses DNSSEC and it checks for an A record, the CNAME is followed and the A record (or lack of record) is given and the query is successful.
If the query uses DNSSEC and it checks for any other record type, the querying server can make a followup query asking for the A record of the target. If there is an A record for the target, the A record is given and the query is successful.
This problem happens because the querying server can't find an A record for preview.exampledomain.us.6f0d68e920b655b1.dcv.cloudflare.com, so they query us and ask for the IP address. We respond with 216.92.3.120. We give an IP but Cloudflare correctly says there is no A record. The disagreement causes the querying server to respond that the DNSSEC check failed.
that makes sense, I was seeing and in general it seems that a CNAME takes over the SOA for that hostname - but you're right that the extended DNS error code hints at there being a problem there
yeah exactly - also not sure but it's something worth playing with. Thanks for helping debug this Chaika! I'll make sure to post here whenever we get to the bottom of it
but isn't that the reason why CNAMEs don't exist at @ in the spec? I'll try a few examples, it's a good shout
Ah that makes sense! I'll start playing with HTTP validation as a plan B too, but it's the kind of thing that you don't want to run into a blocking issue whilst the service is down
Another interesting bit: all our hostnames picked GTS (~80 created in the last 3 weeks), I thought it was a more uniform split
I'm right there with you! Always kind of avoided DNSSEC from the war stories – so far the registrar is being really responsive and helpful. I'll see if the Cloudflare Support ticket gets assigned to someone that has any further things worth trying
not an enterprise zone sadly! it did cross my mind to re-add them and see if I got letsencrypt assigned 😂
none - but this is the first one that uses DNSSEC outside of Cloudflare unfortunately
It's also quite interesting to me that both hierarchies (_acme-challenge.preview.exampledomain.us CNAME as well as preview.exampledomain.us.6f0d68e920b655b1.dcv.cloudflare.com TXT) seem to individually have no DNSSEC issues for Google - but the full chain does intermittently
The DS record for SHA-1 has been removed a few hours ago and seems to be correctly updated everywhere. Sadly I can still replicate the issue where Google DNS fails sometimes for dig _acme-challenge.preview.exampledomain.us TXT +dnssec @8.8.8.8 (already flushed the cache for Google DNS in https://developers.google.com/speed/public-dns/cache and can also be seen using dns.google)
https://dns.google/resolve?name=_acme-challenge.preview.exampledomain.us&type=TXT&do=true
DNSviz initially seems to say everything's OK. Although we've run it with Advanced Options: Extra Types TXT and:
_acme-challenge.preview.exampledomain.us/A has errors; select the "Denial of existence" DNSSEC option to see them.
appears as an error (nothing really appears in the graph)
https://dnsviz.net/d/_acme-challenge.preview.exampledomain.us/ZmMsrA/dnssec/?rr=all&a=all&ds=all&ta=.&tk= (EDIT: original domain was replaced)
Sadly, when enabling that option the error disappears instead of showing more information 🤔 - still not sure I understand why this appears when adding extra types TXT, as CF doesn't serve any A record there through the CNAME
haha sorry yeah I re-read my message whilst you were typing and realized that literally that option would be the absolute worst possible thing to do 😂. Cheers for mentioning it, hope I didn't freak you out there
noted on the renewal - so we'll have to figure this one out, but I guess we'll all learn something out of it!
yeah - let's see if their registrar support is helpful / customer's willing to temporarily disable DNSSEC* (as I understand renewal happens via HTTP DCV anyways, I'm just wanting to avoid any downtime on the switch over). Just when you think you're comfortable with DNS, a rogue DNSSEC indeterministic issue pops up 😂
many, many thanks Chaika! really appreciate your time and support here!
excellent - that makes a lot of sense now, thank you for confirming it! I'm still somewhat confused as to why Google DNS would pick the SHA-1 if in theory the error message says everyone would just ignore it. But I'll see if the registrar can fix their DS records or alternatively temporarily disable DNSSEC
47 replies