Apex proxying works for one host with .com tld but not .co.uk

We have a customer with identical .com and .co.uk domains - with NS elsewhere.
Both are identically configured with an ALIAS (i.e. ANAME) record set up at the apex, pointing to the Cloudflare record.

The .com works fine (Hostname Active)
.co.uk address gives this error:
“The hostname is using Cloudflare and cannot be activated with an TXT or HTTP validation token. To activate the custom hostname, the DNS target needs to point to the SaaS zone”

Both apex domains have identical A records pointing to Cloudflare.

Also, subdomains in the same domains all work fine with custom hostnames.

Why does the CNAME-flattened apex domain for .co.uk not work?

Would you be able to share the domains?

Do you know if the customer has tried creating a flattened CNAME record on example.co.uk pointing to your fallback origin instead? I don’t know whether Cloudflare supports ALIAS records - it is possible they’re interfering with the validation.

Have I understood this correctly?

  • example.com works
  • example.co.uk does not work
  • www.example.com works
  • www.example.com.uk works

Yes - that’s correct
(the last one is www.example.co.uk, not www.example.com.uk)

The customer DNS on Fasthosts does not have a flattened CNAME option. But it does have an ALIAS option, which creates an A record that it monitors (a so-called ANAME record).

I’ll try pointing directly at the fallback

Pointing to fallback instead of CNAME on Cloudflare makes no difference.
It’s still Pending (Error) for the hostname status.
Strange how it works fine for one domain (I mean, permitting apex A records) but not for another domain.

Do you know if the .co.uk domain was used with Cloudflare previously?

I believe both domains were purchased only a year or two back and this is the first time they’ve been really used (maybe a parking page on the registrar).

This is the second time I have tried to add the .co.uk domain at the root level. I notice I don’t get the _acme-challenge TXT record the second time I try to add.

This problem is resolved.

I tried various combinations of:

  • using the fallback cname directly
  • removing all configuration and certs using the API interface and adding again via API
  • removing all references from the delegated NS on Fasthosts
  • simply waiting for 24 hours for DNS entries TTLs to expire

None of those things worked and the 1001 error/Pending TXT verification remained.

What did eventually work was removing all config from Cloudflare and the delegated name servers and creating a new custom host on a different CF delegated domain completely. This validated virtually immediately with Cloudflare. (Although this was unusable, because our origin servers present certs for the original domain and I have SSL set to Strict, and I was reluctant to mess with that configuration for this issue.)
Once it validated on Cloudflare using the test domain, I removed all the configuration again and added the custom host on the original domain again, which worked fine.

There is quite a bit of flakiness with Cloudflare’s implementation here and no real way to reset the custom host configuration - I suspect that’s what moving the host to a different domain did.
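The checks the poster ran by hand over the course of this thread (hostname and SSL status, the verification error, whether the flattened apex really resolves to the fallback origin's addresses, and whether the _acme-challenge TXT record Cloudflare issued is actually published), collected into one script. This is an added example, not code from the thread or from Cloudflare. The custom hostname object follows the field names of Cloudflare's custom_hostnames API, but its id, token and addresses are constructed; the fallback origin name `fallback.saas-provider.example` is invented; and the resolver is an offline stand-in for `dig`/dnspython. Unlike the poster's case, where both apexes had identical A records, the constructed .co.uk data deliberately carries one stale address and no TXT record so the checks have something to flag. `reset_plan` is a dry run of the delete-and-recreate step mentioned above and sends nothing.

```python
"""Checks for a Cloudflare for SaaS custom hostname sitting at a zone apex.
Added example; sample API object, IPs, tokens and fallback origin are constructed."""
import json
from typing import Callable, Dict, List

Resolver = Callable[[str, str], List[str]]  # (name, rtype) -> rdata strings

# Constructed custom hostname object. Field names follow the public API
# (status, verification_errors, ssl.status, ssl.validation_records); values are made up.
SAMPLE_HOSTNAME_JSON = json.dumps({
    "id": "0d89c70d-ad9f-4843-b99f-6cc0252067e9",
    "hostname": "example.co.uk",
    "status": "pending",
    "verification_errors": [
        "The hostname is using Cloudflare and cannot be activated with an TXT "
        "or HTTP validation token. To activate the custom hostname, the DNS "
        "target needs to point to the SaaS zone"
    ],
    "ssl": {
        "status": "pending_validation",
        "method": "txt",
        "validation_records": [
            {"txt_name": "_acme-challenge.example.co.uk",
             "txt_value": "constructed-acme-token-co-uk"}
        ],
    },
})

# Constructed DNS answers standing in for a live resolver (dig or dnspython).
FAKE_DNS = {
    ("fallback.saas-provider.example", "A"): ["203.0.113.10", "203.0.113.11"],
    # .com apex: ANAME flattened to exactly the fallback origin's IPs, TXT published
    ("example.com", "A"): ["203.0.113.10", "203.0.113.11"],
    ("_acme-challenge.example.com", "TXT"): ["constructed-acme-token-com"],
    # .co.uk apex: one stale IP left over from an old flattening, TXT not published
    ("example.co.uk", "A"): ["203.0.113.10", "198.51.100.7"],
}


def fake_resolve(name: str, rtype: str) -> List[str]:
    """Offline resolver over FAKE_DNS; swap in a real lookup for production use."""
    return list(FAKE_DNS.get((name.rstrip(".").lower(), rtype.upper()), []))


def diagnose(hostname_json: str, fallback_origin: str, resolve: Resolver) -> Dict:
    """Summarise why a custom hostname may be stuck in Pending."""
    obj = json.loads(hostname_json)
    hostname = obj["hostname"]
    ssl = obj.get("ssl", {})
    fallback_ips = set(resolve(fallback_origin, "A"))
    apex_ips = set(resolve(hostname, "A"))
    # Every validation record Cloudflare issued must be visible in public DNS with
    # the exact value; an ANAME that only re-resolves the apex does not publish it.
    txt_checks = []
    for rec in ssl.get("validation_records", []):
        published = resolve(rec["txt_name"], "TXT")
        txt_checks.append({"name": rec["txt_name"],
                           "published": rec["txt_value"] in published})
    return {
        "hostname": hostname,
        "status": obj.get("status"),
        "ssl_status": ssl.get("status"),
        "verification_errors": obj.get("verification_errors", []),
        # A flattened apex should resolve to the fallback origin's addresses only.
        "apex_matches_fallback": bool(apex_ips) and apex_ips == fallback_ips,
        "unexpected_ips": sorted(apex_ips - fallback_ips),
        "missing_ips": sorted(fallback_ips - apex_ips),
        "issued_txt_record": bool(ssl.get("validation_records")),
        "txt_checks": txt_checks,
    }


def reset_plan(zone_id: str, hostname_json: str) -> List[Dict]:
    """Dry run of the delete-and-recreate done via the API: returns the requests
    to send, without sending them. Paths follow the public custom_hostnames API."""
    obj = json.loads(hostname_json)
    base = f"/client/v4/zones/{zone_id}/custom_hostnames"
    return [
        {"method": "DELETE", "path": f"{base}/{obj['id']}", "body": None},
        {"method": "POST", "path": base,
         "body": {"hostname": obj["hostname"], "ssl": {"method": "txt", "type": "dv"}}},
    ]


if __name__ == "__main__":
    report = diagnose(SAMPLE_HOSTNAME_JSON, "fallback.saas-provider.example", fake_resolve)
    print(json.dumps(report, indent=2))
    for step in reset_plan("zone-id-placeholder", SAMPLE_HOSTNAME_JSON):
        print(step["method"], step["path"])
```

Run it as-is to see the report for the constructed .co.uk case (apex mismatch, TXT issued but not published); to use it against a real zone, replace `fake_resolve` with a function that queries public DNS and feed it the JSON from a `GET .../custom_hostnames?hostname=...` call.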