DNS & SSL quirks - bad Cloudflare behaviors

I have a few issues that are driving me batty:

(I am editing host names here, adding spaces, since Cloudflare refuses to allow me to reference more than 4 in a post)

First issue: The first NS listed for my domain placed on Cloudflare (days ago, not just now), ainsley . ns . cloudflare . com, claims it doesn’t know anything about my domain using nslookup. This is likely causing propagation delays. The second NS, sonny . ns . cloudflare . com, responds fine & authoritatively. I don’t understand why one of the 2 name servers Cloudflare itself told me to use is not recognizing the domain.

Error:
*** ainsley . ns . cloudflare . com can’t find datasculpting . com: No response from server

Second issue:
My mail is hosted on Google Workspace. I generated a DKIM record, put the TXT record into my DNS records on Cloudflare. It’s been an hour and the record isn’t being detected by anything from the outside. This is likely related to the first issue somehow. Massive delays in any kind of visibility or propagation.

Third issue: Using nslookup, I try to change the server to the second NS host Cloudflare told me to put in, sonny . ns . cloudflare . com, but nslookup spits back this error:
*** Can’t find address for server sonny . ns . cloudflare . com: No response from server
OK, so I determine the IP of the server (172.64.35.66) and set that as the server in nslookup. That works. Kind of bizarre. Once I do that, the records I am looking to check ARE in there, I can ask it for the TXT record for google . _domainkey . datasculpting . com and it works. Why would this NOT work on ainsley . ns . cloudflare . com? Why have me put in an NS that literally is not holding my records at all?

Fourth issue: On my other domain, datasculpting . ai, I had a “Let’s Encrypt” SSL set up via AutoSSL initially. I initially set up a “Full” SSL encryption choice when having Cloudflare proxy for me, but then realized I’d probably have problems later with AutoSSL when that certificate expires since the lookup through DNS would not have a matching auto-created record that the AutoSSL service would be looking for. So I decided instead that I would use an Origin server from Cloudflare and do “Full (strict)” mode. However, because Cloudflare initially hit the site when it had the “Let’s Encrypt” certificate, even after I removed that (and it is 100% gone) and added the Origin cert from Cloudflare in its place (and I verified that is the certificate responding when I hit the site without Cloudflare’s proxy), when I turn proxying back up Cloudflare is responding with THAT certificate (as if it saved it into the proxy setup) instead of a Cloudflare-issued certificate. I tried turning off all SSL (SSL config & proxying) on Cloudflare for an hour just in case it was caching and needed some amount of time to flush that other certificate, turning everything back on STILL has it responding with that certificate instead of a Cloudflare one. This is insane. I have no mechanism through Cloudflare to revoke that certificate as it is being utilized by Cloudflare - I want Cloudflare to use its own certificate as if the “Let’s Encrypt” one never existed on the web server host, that I have since deleted from there, and now have an Origin certificate from Cloudflare being used by the web server. I checked the “Edge” settings (which technically shouldn’t matter as being specialized) and it’s indicating that the Cloudflare cert is a “backup” cert. How the heck do I revoke the “Let’s Encrypt” certificate it usurped into its system?

All these issues are insane to me. I’m no DNS expert, I don’t have a PhD in DNS, but I’ve been managing DNS records for 25+ years and these behaviors are simply configuration absurdities on Cloudflare’s part. I’m simply trying to get the benefit of Cloudflare, which is the reverse proxy & basic WAF protections, and their whole process of DNS record, NS, and SSL management are loopy and unclear. I’ve traced through all my steps and have done nothing wrong. All records as I have set in both the registrar and the Cloudflare side are correct and as-expected. I believe there are 2 issues - the primary NS host isn’t carrying my records and this is causing massive propagation delays and the inability to revoke certificates that get usurped by the service is bad practice. There should ALWAYS be a way to revoke a certificate and my only option now (it seems) is to wait for that certificate to expire.

A fair amount to work through…

This is working fine…
https://cf.sjr.org.uk/tools/check?fc28ab96d30d4e2ab33a88f7b0aedd44#dns

dig +short datasculpting.com @ainsley.ns.cloudflare.com
172.67.152.53
104.21.32.131

A Google DKIM record is resolving fine…
https://cf.sjr.org.uk/tools/check?fc28ab96d30d4e2ab33a88f7b0aedd44#dns-mail

Sounds like a problem with your local resolver.

dig +short sonny.ns.cloudflare.com
162.159.44.66
108.162.195.66
172.64.35.66

Cloudflare doesn’t issue its own certificates, it uses LetsEncrypt and Google Trust Services for edge certificates. Likely you have assumed the LetsEncrypt certificate you saw was your origin one when it was actually the Cloudflare edge certificate.

Currently your site is proxied and using a Cloudflare-generated LetsEncrypt certificate at the edge.
https://cf.sjr.org.uk/tools/check?dc79d876ac85432589992734de95e7b7#connection-server

In short, everything is working fine. Your DNS issues may be related to your local resolver.

1 Like

I just found a feature buried on the “Edge Certificates” section named “Disable Universal SSL” which sounds like it purges existing certificates and then creates new ones when Universal SSL is turned back on. I’ll try that by turning it off for a little while then turning back on. This is so bizarre - why not just have a “revoke” button to the right of all “Edge” certificates issued & in use, whether as active or backup?

The NS issue is still annoying and the extreme lack of propagation likely due to it is still a major problem.

OK, thanks for checking from the outside, though Google can’t see the DKIM record yet and it’s been almost 2 hours.

When using nslookup, once connected to a NS, queries to the NS should technically not be a resolver issue. I am talking directly to the NS host in those cases. I’m willing to accept it may still be a resolver issue, though, perhaps my firewall is doing something funky with UDP DNS packets. I’ll try using my wireless hotspot for the lookups.

I tried via mobile hotspot (no firewall) and still got bizarre “not found” responses from nslookup. But even when I use another external tool and look up for an authoritative response I get back no TXT records found:

You are looking up TXT records for datasculpting.com (the domain), but you haven’t set any.

For the DKIM record you need to look up the TXT record for google._domainkey.datasculpting.com explicitly.

1 Like

I also just checked dnschecker.org for propagation on the TXT record and it’s showing that it hasn’t propagated ANYWHERE:

google._domainkey.datasculpting.com has been a TXT record now for 2 hours, didn’t exist before (new record)

Again, you need to look up the subdomain explicitly. DNS can’t lookup subdomains just by specifying your apex domain.

1 Like

I understand, and I did, and nothing is coming back.

I just refreshed and it FINALLY showed up on that site. Still not visible to Google, though.

I understand the old days regarding things possibly taking up to 48 hours but for a new record and when querying authoritatively it should work instantly once loaded into the NS, and Google also I would presume would do an authoritative query not local resolver. Maybe I’m wrong and Google is stupid.

The problem with a huge delay is once a DKIM is established, any email provider then presumes that the emails will be delivered with this and while Google is waiting, the actual DKIM signing is non-existent, causing a buffer of time where emails might be rejected.

That’s something to take up with Google. Their own resolver has it…

dig +short google._domainkey.datasculpting.com txt @8.8.8.8
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnUrkcxb+zxgwRoKbK4UhA3Y7vXJFpnSZhGfhh8sVnvemXZzziMWNrMSFVTsk+0kVDeY+Z9J8TME0tkfmiCVuXPN8tI4xtpEDGg22VNP67mvoliZ2ZF9oVZsozb/wqjfTwP8+wNnBy1hO42p9GF8SIcNqJKXC/x/oLWVeXgZPSJ2DwD7iKawLXp4gVCO6r6sJe" "FqzT0jJx8Y1YGbC7rQnMp1G2YWExnIL3e+gZRl2iPRoyduwM0i7HB9MVrTd1/PNfqfhhVnK/dm+43v4lWpss7nbrLJDPbn1hpazXDotzfgAGfA7/AXRQy7jTvwZc9DDV9BON9/sAtnwnmzkish82QIDAQAB"

Make sure you have pasted it correctly and it’s the current key and hasn’t changed.

Your Cloudflare configuration is working fine.
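Checking a DKIM record the way the replies above describe, as an added example (not from the thread or from Cloudflare): it builds the `google._domainkey` name that has to be queried explicitly, concatenates the two quoted strings dig prints for one TXT record, and parses the `p=` value far enough to confirm it decoded to a complete 2048-bit RSA key, so a truncated paste is caught. The dig answer is the one quoted above; the truncated variant is constructed.

```python
import base64
import re

# Constructed input: the dig answer quoted above, as dig prints it (two strings of <=255 bytes).
DIG_ANSWER = (
    '"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnUrkcxb+zxgwRoKbK4UhA3Y7vXJFpnSZhGfhh8sVnvemXZzziMWNrMSFVTsk+0kVDeY+Z9J8TME0tkfmiCVuXPN8tI4xtpEDGg22VNP67mvoliZ2ZF9oVZsozb/wqjfTwP8+wNnBy1hO42p9GF8SIcNqJKXC/x/oLWVeXgZPSJ2DwD7iKawLXp4gVCO6r6sJe" '
    '"FqzT0jJx8Y1YGbC7rQnMp1G2YWExnIL3e+gZRl2iPRoyduwM0i7HB9MVrTd1/PNfqfhhVnK/dm+43v4lWpss7nbrLJDPbn1hpazXDotzfgAGfA7/AXRQy7jTvwZc9DDV9BON9/sAtnwnmzkish82QIDAQAB"'
)
TRUNCATED_ANSWER = DIG_ANSWER.split('" "')[0] + '"'  # made-up case: second string lost in a paste


def dkim_record_name(selector: str, domain: str) -> str:
    # DKIM keys live at <selector>._domainkey.<domain>; a TXT query on the apex will not see them.
    return f"{selector}._domainkey.{domain.rstrip('.')}"


def join_txt_strings(rdata: str) -> str:
    # Concatenate the quoted character-strings of one TXT record, as DKIM verifiers do.
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))


def _der_tlv(buf: bytes, pos: int):
    # (tag, value_start, value_end) of the DER element at pos; handles long-form lengths.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    # SubjectPublicKeyInfo -> skip AlgorithmIdentifier -> BIT STRING -> RSAPublicKey -> modulus.
    _, _, alg_end = _der_tlv(spki, _der_tlv(spki, 0)[1])
    tag, bs, be = _der_tlv(spki, alg_end)
    if tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    key = spki[bs + 1:be]                      # first BIT STRING byte is the unused-bit count
    _, seq, _ = _der_tlv(key, 0)
    _, ms, me = _der_tlv(key, seq)
    return int.from_bytes(key[ms:me], "big").bit_length()


def check_dkim_record(rdata: str) -> dict:
    # Parse tag=value pairs; folding whitespace inside values is allowed and must be dropped.
    pairs = (p.split("=", 1) for p in join_txt_strings(rdata).split(";") if "=" in p)
    tags = {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}
    bits, problems = 0, []
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        problems.append("only v=DKIM1 with k=rsa is handled here")
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags.get("p", ""), validate=True))
    except (ValueError, IndexError):
        problems.append("p= is not a complete base64 RSA public key (truncated paste?)")
    return {"tags": tags, "bits": bits, "problems": problems}
```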

Yeah I checked the data entry, it’s fine. I will have to wait a bit and see if Google’s own tools for checking are working or not.
