DNS record not being updated

Hi all,

My DNS records have always been managed by cert-manager and work fine with Cloudflare. I recently rebuilt my cluster, and hence cert-manager has to re-validate my domain using the DNS01 challenge. I would expect my TXT record to be updated within 10m based on the TTL setting I see in dig. My record has NOT been updated after 24 hrs in any DNS record, but Cloudflare’s DNS dashboard looks fine to me.

Here is my DNS record:

;;
;; Domain:     fung.house.
;; Exported:   2023-09-19 07:16:28
;;
;; This file is intended for use for informational and archival
;; purposes ONLY and MUST be edited before use on a production
;; DNS server.  In particular, you must:
;;   -- update the SOA record with the correct authoritative name server
;;   -- update the SOA record with the contact e-mail address information
;;   -- update the NS record(s) with the authoritative name servers for this domain.
;;
;; For further information, please consult the BIND documentation
;; located on the following website:
;;
;; http://www.isc.org/
;;
;; And RFC 1035:
;;
;; http://www.ietf.org/rfc/rfc1035.txt
;;
;; Please note that we do NOT offer technical support for any use
;; of this zone data, the BIND name server, or any other third-party
;; DNS software.
;;
;; Use at your own risk.
;; SOA Record
fung.house	3600	IN	SOA	karsyn.ns.cloudflare.com dns.cloudflare.com 2044677438 10000 2400 604800 3600

;; NS Records
fung.house.	86400	IN	NS	karsyn.ns.cloudflare.com.
fung.house.	86400	IN	NS	noel.ns.cloudflare.com.

;; A Records
fung.house.	1	IN	A	1.2.3.4
vpn.fung.house.	1	IN	A	1.2.3.4
www.fung.house.	1	IN	A	1.2.3.4

;; CNAME Records
echo2.fung.house.	1	IN	CNAME	external.fung.house.
echo-server.fung.house.	1	IN	CNAME	external.fung.house.
external.fung.house.	1	IN	CNAME	something.com.
flux-webhook.fung.house.	1	IN	CNAME	external.fung.house.

;; TXT Records
_acme-challenge.fung.house.	120	IN	TXT	"aNxJpQlDE16_ik1h5dKAqTmLGimF3LrrtEwp4QIjjbU"
k8s.cname-echo2.fung.house.	1	IN	TXT	"\"heritage=external-dns,external-dns/owner=default,external-dns/resource=ingress/home/echo-server2\""
k8s.cname-echo-server.fung.house.	1	IN	TXT	"\"heritage=external-dns,external-dns/owner=default,external-dns/resource=ingress/networking/echo-server\""
k8s.cname-external.fung.house.	1	IN	TXT	"\"heritage=external-dns,external-dns/owner=default,external-dns/resource=crd/networking/cloudflared\""

I have verified with multiple methods: nslookup, host, dig, dnschecker.org… Here is one of the commands I ran:

dig TXT _acme-challenge.fung.house. @karsyn.ns.cloudflare.com

I also tried enabling developer mode and disabling Universal SSL as a desperate try. Does anyone have any idea? Thanks all for your time.

PS: Besides the TXT record, the other A and CNAME records are also off. My domain was managed by namesilo, but the transfer process has been completed and I have verified my domain using the DNS01 challenge with Cloudflare for this domain before.

dig _acme-challenge.fung.house TXT +short
"aNxJpQlDE16_ik1h5dKAqTmLGimF3LrrtEwp4QIjjbU"
dig echo2.fung.house +short
104.21.37.68
172.67.205.17

All appear to resolve just fine. The discrepancy between the CNAME record in the BIND file export and prod is because the record is proxied. As a result the true origin would not be returned, as you have explicitly configured Cloudflare to behave.

I saw my A and CNAME records are proxied, so a certain degree of inconsistency is expected, but TXT records are not proxied. I would expect the TXT record to be updated in no longer than the TTL (2 min in my case).

I tried to copy your command to verify the result, but your command returns empty. I also tried the following commands:

dig _acme-challenge.fung.house TXT +short @8.8.8.8
dig _acme-challenge.fung.house TXT +short @1.1.1.1
dig _acme-challenge.fung.house TXT +short @karsyn.ns.cloudflare.com

But they all return empty stdout. Just in case my computer or my network has a problem, I also used this link to double check:

https://dnschecker.org/all-dns-records-of-domain.php?query=fung.house&rtype=TXT&dns=cloudflare

And the link shows no record in TXT.

It seems my domain’s TXT records are still NOT being updated.
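The check the poster is doing by hand above (asking the authoritative name server directly for the `_acme-challenge` TXT record, which is also what cert-manager does before it asks the CA to validate) can be reproduced with a few dozen lines of stdlib Python. The following is an added example, not code from the thread or from cert-manager: it builds a TXT query the way `dig TXT name @server` does, sends it over UDP, and parses the answer section, reporting the RCODE and the TTL of each record so that an empty NOERROR answer (no record at that server yet) can be told apart from NXDOMAIN. The name and TXT value are the ones posted in the thread; `SAMPLE_RESPONSE` and `SAMPLE_EMPTY` are constructed reply packets (TTL 120 taken from the zone export) so the parser can be exercised offline.

```python
"""Minimal stdlib-only DNS TXT lookup against a chosen server (added example)."""
import socket
import struct

TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'a.b.c.' as DNS wire-format labels (<len><label>...<0>)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Header: id, flags=0x0100 (RD set), QDCOUNT=1; then one TXT/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Decode a possibly-compressed name; return (name, offset_after_name)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # RFC 1035 compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_txt_response(msg: bytes):
    """Return (rcode, [(ttl, txt_string), ...]) for the TXT answers in msg.

    rcode 0 with an empty list is the 'empty stdout' case from dig +short:
    the server answered NOERROR but holds no TXT record for the name.
    rcode 3 is NXDOMAIN: the name itself does not exist at that server.
    """
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):  # skip the question section
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_TXT:
            # TXT RDATA is one or more <len><chars> strings; concatenate them.
            pos, parts = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
            answers.append((ttl, "".join(parts)))
    return rcode, answers


def query_txt(name: str, server: str, timeout: float = 3.0):
    """Live lookup, e.g. query_txt("_acme-challenge.fung.house.", "karsyn.ns.cloudflare.com")."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_response(data)


# Constructed replies for offline testing (not captured traffic).
_NAME = "_acme-challenge.fung.house."
_TXT = b"aNxJpQlDE16_ik1h5dKAqTmLGimF3LrrtEwp4QIjjbU"
_QUESTION = encode_name(_NAME) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
# QR+AA, NOERROR, one TXT answer with TTL 120; answer name is a pointer to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + _QUESTION
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 120, len(_TXT) + 1)
    + bytes([len(_TXT)]) + _TXT
)
# QR+AA, NOERROR, zero answers: what an authoritative server returns before the record lands.
SAMPLE_EMPTY = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print(parse_txt_response(SAMPLE_RESPONSE))
    print(parse_txt_response(SAMPLE_EMPTY))
```

Running `query_txt` against each listed NS record (here `karsyn.ns.cloudflare.com` and `noel.ns.cloudflare.com`) and comparing the results is the quickest way to separate "the authoritative servers do not serve the record" from "a recursive resolver is still caching an old answer": a stale cache clears within the TTL, whereas an empty NOERROR answer from the authoritative servers themselves means the record has not been published, and no amount of waiting on the TTL will change that.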

So after lots of different trials and cleaning up all DNS records, my DNS records could finally be updated. Unfortunately the root cause could not be found.