Dnssec & cname

Do we really need to remove our DS record if we want to create a CNAME record for zendesk ?

We asked support and they advised that in order to point our subdomain to XXXXX.zendesk.com while using our own domain we would need to disable DNSSEC.

I have no doubt that Cloudflare Partner Support would have advised if there was another solution however more heads may offer another view.
I am not too comfortable removing the DS record however I am wondering if others have a solution. At the moment because of the DS record the CNAME record is not working.

You should be able to just point your subdomain to Zendesk’s. Right now, my blog have DNSSEC on and is pointing to my hosting provider CNAME and I have no problem whatsoever.

But, since the zendesk.com domain is not protected by DNSSEC, your subdomain that points to Zendesk will not be fully protected with DNSSEC if Zendesk DNS got compromised.

As more evidence that you do not need to deactivate DNSSEC, support.cloudflare.com is powered by Zendesk and DNSSEC is on. :slightly_smiling_face:

Simply add the CNAME and Cloudflare will automatically signed your record on-the-fly.


Yes you are quite right. I have emailed support so hopefully someone else answers and not the original support.
I have had the record in place for weeks now support.onehostcloud.hosting which I have a CNAME pointing to onehostcloud.zendesk.com and no record has been propagated.

I have no idea how Cloudflare themselves have managed to use the zendesk domain for their support subdomain.

From Cloudflare Support

Thank you for contacting Cloudflare Support. Looks like you have a DS record in place:

900 IN RRSIG DS 5 2 900 20170801014726 20170702014726 19540 hosting. GpPq2qdKjfPG6DvNgNQkFSLrroYCmzZq2/08oOxWEts/klilG1iU7Nwj sRLvf//LgJtS6RtG1RQhiWJR0R3eRzMVTikc0xnPsfM0neluV0WMMSUJ FTm18f2VoqGVDUNB9rGJPGY+RH1XrzZypMuJyTkMKehyhdLm0PyRhOZg kWCWXCGeOsVqGPOMg4jmDET9BgaRK8uhN7+p/10pMcgzc28NL4r8COKq +JodFKEDiPgMWeFEvOLvLdohQZdO4gCl+EkST2BMxjtjlx5pkec3bE22 BJzIFytt2QmyjNiwguGODDVBWvhxEpm/rJ/aauXW8I8x9Q21V0dgMsd1 yq/ApA==
;; Received 451 bytes from in 5 ms

I’m not able to resolve the support record: DNS Propagation Checker - Global DNS Testing Tool Remove the DS record and things should work as expected. Let me know if you have any questions.


I worked it out.

I turned CNAME flattening off and now everything works fine