DNSSEC incorrect name field used for signing

Cloudflare incorrectly signs DNSSEC. The signing name for my domain with non-ASCII characters should be the Punycode version of jääkaappi.fi which is jääkaappi.fi but Cloudflare for some reason uses j\195\164\195\164kaappi.fi This makes DNSSEC not work and the domain unreachable. All other Cloudflare services like DNS use the Punycode version correctly without issues.

screenshot

Edit: Punycode version is
image

Yeah, morehelp is inappropriate because DNSSEC signing issues can be solved by someone on community forums…

@user16311
Can you please share your ticket number again so that I can escalate it.

2338410 Thanks

Thank you
I have escalated your ticket.

1 Like

FYI to everyone else Cloudflare has confirmed its an issue with their system and has opened an internal ticket with their engineering team to fix it.

2 Likes

*** DNSSEC with IDNA domain
I test the creation of an emoji domain…
Punycode encoded as xn–d09h.parent_domain. but when I’ll try to enable DNSSEC Cloudflare uses the Unicode form \240\159\170\130.parent_domain.
Not sure it is IDNA2008 compliant… But sure at parent_domain it generates an error since I cannot create a record like:
\240\159\170\130.parent_domain. IN DS …
It requires something like xn–d09h.parent_domain. IN DS …

Received this from Cloudflare a few days ago:

We received an update from the engineering team that they have identified the issue, and have a fix waiting for engineering reviews and release. Do note that it might take a while for the fix to get deployed. Our current estimate is that we will have the fix released on Jan 4th, 2022.

2 Likes

Thanks for the info

Now (Jan 6th, 2022) it is corrected

1 Like

They deployed a fix on the 4th as promised and it fixed some of it but not all. For me, the records are still signed incorrectly and they have a new engineering ticket for figuring that out. So it has not been resolved completely.

A full fix has now been deployed by the engineering team. Anyone having this issue just has to cancel DNSSEC setup and then re-enable it and the records should be signed correctly.

1 Like