API: create a TLSA record


#1

I’m trying to use the API to create a TLSA record as:

curl -X POST "https://api.cloudflare.com/client/v4/zones/.../dns_records" \
     -H "X-Auth-Email: ..." \
     -H "X-Auth-Key: ..." \
     -H "Content-Type: application/json" \
     -d '{"type":"TLSA","name":"_25._tcp.example.com","content":"3 1 1 <HASH>"}'

But I get the error:

{"success":false,"errors":[{"code":1004,"message":"DNS Validation Error","error_chain":[{"code":9100,"message":"data is a required field."}]}],"messages":[],"result":null}

I think this means that the data field is missing a property. I only guessed that the TLSA information was to be completely given in the “content” property name, so I suppose this is wrong. (Note that retrieving a TLSA record via the API works fine.)

What is the correct format for data that I need to create a TLSA record? I did not see it in the documentation.

Thanks.


#2

My usual suggestion for API troubleshooting is to do it manually from the Cloudflare dashboard.

Then go to your Dashboard home and check the Audit log for that event and look at the Metadata for the syntax.


#3

Thanks for the suggestion. Looking at the audit log, the only differences were the addition of a “zone name” and “zone id” property and the “content” property had a value: “3\t1\t1\t…” (whereas I had spaces instead of the escaped tabs).

So, I tried:

curl -X POST "https://api.cloudflare.com/client/v4/zones/.../dns_records" \
     -H "X-Auth-Email: ..." \
     -H "X-Auth-Key: ..." \
     -H "Content-Type: application/json" \
     -d '{"type":"TLSA","name":"_25._tcp.example.com","content":"3\t1\t1\t<HASH>","zone name":"example.com","zone id":"<id>"}'

But, I get the same error as before:

{"success":false,"errors":[{"code":1004,"message":"DNS Validation Error","error_chain":[{"code":9100,"message":"data is a required field."}]}],"messages":[],"result":null}

Maybe there is something I am missing? Also, what does “data is a required field” mean exactly?


#4

Has nobody used the API to publish a TLSA record?


#5

Now might be the time to open a support ticket: support AT cloudflare DOT com


#6

OK, thanks. I’ll report back if I get this working for the benefit of anyone else in this position.


#7

The correct way to create a (311) TLSA record is as follows:

curl -X POST "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dns_records" \
     -H "X-Auth-Email: <EMAIL>" \
     -H "X-Auth-Key: <API_KEY>" \
     -H "Content-Type: application/json" \
     -d '{"type":"TLSA","name":"_25._tcp.example.com","data":{"usage":3,"selector":1,"matching_type":1,"certificate":"<HASH>"}}'

Thank you to support for solving the problem.
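The same request built programmatically, as an added example that is not the poster's or Cloudflare's own code: it converts the zone-file form the first post tried ("3 1 1 <hex>", spaces or tabs) into the structured "data" object the API validates, applies the RFC 6698 range and digest-length checks before sending, and posts with the endpoint and headers quoted in this thread. The function names are mine; zone id, credentials and the digest are placeholders.

```python
"""Cloudflare TLSA record payload builder (added example, not the thread's or
Cloudflare's code). The API rejects a "content" string for TLSA; the four
fields must be sent as the structured "data" object built below."""
import hashlib
import json
import re
import urllib.request

API = "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records"
# Hex digest length per matching_type (RFC 6698): 0 = full data, 1 = SHA-256, 2 = SHA-512.
DIGEST_HEX_LEN = {0: None, 1: 64, 2: 128}

def tlsa_data(presentation: str) -> dict:
    """Turn "usage selector matching_type certdata" (spaces or tabs) into the API object."""
    parts = presentation.split()
    if len(parts) != 4:
        raise ValueError("a TLSA record has exactly four fields")
    usage, selector, mtype = (int(p) for p in parts[:3])
    cert = parts[3].lower()
    if usage not in range(4) or selector not in (0, 1) or mtype not in DIGEST_HEX_LEN:
        raise ValueError("usage/selector/matching_type outside the RFC 6698 ranges")
    if not re.fullmatch(r"[0-9a-f]+", cert):
        raise ValueError("certificate association data must be hex")
    want = DIGEST_HEX_LEN[mtype]
    if want is not None and len(cert) != want:
        raise ValueError(f"matching_type {mtype} needs {want} hex chars, got {len(cert)}")
    return {"usage": usage, "selector": selector, "matching_type": mtype, "certificate": cert}

def tlsa_body(name: str, presentation: str) -> dict:
    """Full request body: the record goes under "data"; there is no "content" key."""
    return {"type": "TLSA", "name": name, "data": tlsa_data(presentation)}

def spki_sha256_hex(spki_der: bytes) -> str:
    """Selector 1 / matching_type 1: SHA-256 over the DER SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_der).hexdigest()

def create_tlsa(zone_id: str, email: str, api_key: str, name: str, presentation: str) -> dict:
    """POST the record (needs network and real credentials; not exercised offline)."""
    req = urllib.request.Request(
        API.format(zone_id=zone_id), method="POST",
        data=json.dumps(tlsa_body(name, presentation)).encode(),
        headers={"X-Auth-Email": email, "X-Auth-Key": api_key,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Constructed stand-in for a DER SPKI; a real client extracts it from the new cert.
    digest = spki_sha256_hex(b"constructed SPKI bytes, not a real key")
    print(json.dumps(tlsa_body("_25._tcp.example.com", f"3 1 1 {digest}"), indent=2))
```

Running it prints the body with the "data" object from post #7; after a certificate renewal, recompute the digest from the new key's SPKI and send the updated body with a PUT to the existing record id instead.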


#8

I’m now updating TLSA RRs after letsencrypt renewal. Useful information, thanks!


#9

Hi. You’re welcome! Let’s Encrypt renewal was exactly the reason I was asking too.