Feedback on Workers Custom Domains

I saw the blog post about Custom Domains for Workers a few days ago and decided to give it a try as I have a number of workers operating as origins with dummy AAAA records.

Overall, it’s a great improvement as both the dummy DNS records and wildcard routes are no longer needed.

There are three pieces of feedback I’d like to raise:

  • I noticed that when a custom domain is added to a worker, a new “Advanced” TLS certificate is issued to the zone, covering the entered custom hostname and also the zone base domain, even though the default “Universal” certificate already covers the custom hostname with its wildcard entry.

    Whilst this obviously doesn’t break anything, for larger-scale use cases, it could create quite a bit of unnecessary clutter in the dashboard.

    For me personally, it’s also annoying as I audit all certificates issued for my domains via certificate transparency logs. Issuing additional certificates where a usable wildcard cert already exists just creates more work here. There could also be a (albeit very minor) concern here around hostnames leaking via CT logs.

    Also, given that additional certificates are something Cloudflare would normally charge for, I imagine that providing them for free in this way may not be ideal from a business and efficiency perspective, especially in larger-scale use cases.

  • In the DNS tab, the entries for workers custom hostnames that are shown in a section above standard DNS records are not filtered by the DNS record search function.

  • It could be nice to have the facility on a zone’s Workers tab to add a worker custom hostname. This would mirror the functionality of routes, which can be added from both the Worker and Zone sides.

Thanks for all the progress on products and features! I can’t wait to see what’s next 🙂
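
Added example (not part of the original post, and not Cloudflare code): one way to triage certificates seen in certificate transparency logs against a wildcard certificate that already exists, flagging those that add no coverage and listing the hostnames they spell out that the wildcard only implied. The function names, `example.com` hostnames and SAN lists are constructed for illustration.

```python
# Triage of CT log entries against an already-issued wildcard certificate.
# All hostnames and SAN lists here are constructed sample data.

def norm(name: str) -> str:
    """Normalise a DNS name for comparison (case, trailing dot)."""
    return name.lower().rstrip(".")

def covers(pattern: str, hostname: str) -> bool:
    """True if a certificate SAN (exact or left-most wildcard) matches hostname."""
    pattern, hostname = norm(pattern), norm(hostname)
    if not pattern.startswith("*."):
        return pattern == hostname
    # A wildcard matches exactly one left-most label: *.example.com covers
    # api.example.com, but neither example.com nor a.b.example.com.
    head, _, tail = hostname.partition(".")
    return bool(head) and tail == pattern[2:]

def triage(baseline_sans, new_cert_sans):
    """Compare a newly logged certificate with the SANs of the existing one."""
    explicit = {norm(p) for p in baseline_sans}
    covered = [n for n in new_cert_sans
               if any(covers(p, n) for p in baseline_sans)]
    uncovered = [n for n in new_cert_sans if n not in covered]
    # Hostnames now visible in CT that the baseline only implied via wildcard.
    disclosed = [n for n in covered if norm(n) not in explicit]
    return {
        "redundant": not uncovered,    # adds no coverage beyond the baseline
        "uncovered": uncovered,        # genuinely new coverage, review these
        "newly_disclosed": disclosed,  # names newly spelled out in the logs
    }

# Constructed baseline: a certificate covering the zone apex and one wildcard.
BASELINE = ["example.com", "*.example.com"]

# Constructed CT entries: (label, SAN list).
SAMPLE_ENTRIES = [
    ("hostname-plus-apex", ["api.example.com", "example.com"]),
    ("nested-subdomain", ["a.b.example.com"]),
]

if __name__ == "__main__":
    for label, sans in SAMPLE_ENTRIES:
        print(label, triage(BASELINE, sans))
```
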