Does Cloudflare’s CNAME flattening work with DNSSEC?

What is the name of the domain?

NA

What is the issue you’re encountering?

Does Cloudflare’s CNAME flattening work with DNSSEC?

What feature, service or problem is this related to?

DNSSEC

What are the steps to reproduce the issue?

I know that what others call ANAME or ALIAS records is equivalent to CNAME flattening in Cloudflare, and it’s used automatically when needed for a domain (Create zone apex record · Cloudflare DNS docs). Other providers say that their ALIAS records do not work with DNSSEC (e.g. DNS records overview | Google Cloud & What Are ALIAS Records? | Domain Names - FAQ | Gandi Documentation — Gandi Documentation documentation), and from my little knowledge generally it wouldn’t work because of how the DNSSEC signing is done, yet it does work for some providers. My question is, does Cloudflare’s CNAME flattening work with DNSSEC? It does not say anywhere in the docs that using CNAME flattening clashes with DNSSEC.

Hi!

With the exception of pre-signed DNSSEC which might (rarely) be configured as part of a Secondary zone setup, it’ll work fine. That’s because we sign records live & in real time, at the edge, at the time they’re served.

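A structural check a zone operator could run on a flattened apex answer, added here as an example and not part of the original thread or Cloudflare's own code: it parses `dig +dnssec` answer text and confirms the apex returns address records, no CNAME, and an RRSIG covering them that names the zone as signer. The function names and the sample answers (example.com, 192.0.2.x addresses, key tag, signature) are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: answer section as printed by
#   dig +dnssec +noall +answer example.com A
# Names, addresses, key tag and signature are made up for illustration.
SAMPLE_SIGNED = """\
example.com. 300 IN A 192.0.2.10
example.com. 300 IN A 192.0.2.11
example.com. 300 IN RRSIG A 13 2 300 20240615120000 20240613100000 34505 example.com. c2lnLXBsYWNlaG9sZGVy
"""
SAMPLE_UNSIGNED = "example.com. 300 IN A 192.0.2.10\n"
SAMPLE_CNAME = "example.com. 300 IN CNAME target.example.net.\n"

def parse_answer(text):
    """Return (owner, type, rdata_fields) for each record line of dig output."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and not parts[0].startswith(";"):
            records.append((parts[0].lower(), parts[3].upper(), parts[4:]))
    return records

def _ts(field):
    # dig prints RRSIG expiration/inception as YYYYMMDDHHMMSS in UTC
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_flattened_apex(text, zone, rtype="A", now=None):
    """List structural problems in an apex answer; an empty list means none found."""
    now = now or datetime.now(timezone.utc)
    apex = zone.lower().rstrip(".") + "."
    recs = [r for r in parse_answer(text) if r[0] == apex]
    problems = []
    if any(t == "CNAME" for _, t, _ in recs):
        problems.append("CNAME returned at apex (not flattened)")
    if not any(t == rtype for _, t, _ in recs):
        problems.append(f"no {rtype} record at apex")
    # RRSIG rdata: covered alg labels ttl expiration inception keytag signer sig
    sigs = [f for _, t, f in recs
            if t == "RRSIG" and len(f) >= 9 and f[0].upper() == rtype]
    if not sigs:
        problems.append(f"no RRSIG covering {rtype}")
    for f in sigs:
        if f[7].lower() != apex:
            problems.append(f"RRSIG signer {f[7]} is not the zone")
        if not _ts(f[5]) <= now <= _ts(f[4]):
            problems.append("RRSIG outside its validity window")
    return problems

if __name__ == "__main__":
    fixed_now = datetime(2024, 6, 14, tzinfo=timezone.utc)  # inside the sample window
    print(check_flattened_apex(SAMPLE_SIGNED, "example.com", now=fixed_now))
```

This inspects only the shape of the answer; verifying the signature itself is the job of a validating resolver.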

Great to hear this, thank you!

