I have a problem with my CNAME pointing to after enabling DNSSEC. I’m trying to access my subdomain, which is a CNAME pointing to that address (Google Suite custom URL), like will be redirected to Gmail login (GSuite).

Before I enabled DNSSEC, the CNAME worked, and I could access the subdomain pointing to that address…
but now it just always shows error 525.

Any ideas how to fix it?

It’s not an issue with DNSSEC, it’s an SSL handshake issue. The Google Domain doesn’t have a cert for your domain, nor one for itself usually.

Create a page rule for* setting SSL to Flexible (not recommended normally, but no alternative here).

I’d just set the record to :grey:

Agreed, but if the domain is HSTS preloaded it won’t work because that is HTTP only (Google should do better, but still…).

That won’t work, like what Matteo said, creating a new page rule and changing the SSL to be flexible for all subdomains that point to Google.

But I don’t know whether it will be a security problem or not, but there seems to be no alternative.

It works! Thank you.

I tend to write a custom redirect instead of using the GSuite ‘Custom URLs’ (which fail for HSTS domains, as you’ve discovered) or the Cloudflare Page Rules feature (these can quickly add up - there’s about 10 subdomains if you want to cover all the GSuite services).

As I host my main site on GCP I tend to do it on there but one could also just use a trivial Cloudflare Worker.
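
The custom redirect mentioned in the post above, sketched as a Cloudflare Worker (an added example, not the poster's code). It answers at Cloudflare's edge without contacting the Google origin, and it builds the `Location` header only from a fixed allowlist so nothing from the request reaches the redirect target. Assumptions: `example.com`, the four subdomain names, and the `/a/<domain>` form of the Google sign-in URL.

```javascript
// Added example. DOMAIN and the subdomain names are placeholders (assumptions).
const DOMAIN = "example.com";

// Fixed allowlist: hostname served by this Worker -> Google service host.
const SERVICES = new Map([
  [`mail.${DOMAIN}`, "mail.google.com"],
  [`calendar.${DOMAIN}`, "calendar.google.com"],
  [`drive.${DOMAIN}`, "drive.google.com"],
  [`docs.${DOMAIN}`, "docs.google.com"],
]);

// Returns the redirect URL for a request URL, or null if the host is not listed.
function redirectTarget(requestUrl) {
  let host;
  try {
    // URL parsing lowercases the hostname; strip a trailing root dot.
    host = new URL(requestUrl).hostname.replace(/\.$/, "");
  } catch {
    return null; // not a parseable absolute URL
  }
  const service = SERVICES.get(host);
  // Path and query of the incoming request are dropped on purpose, so no
  // caller-supplied value ends up in the Location header (no open redirect).
  return service ? `https://${service}/a/${DOMAIN}` : null;
}

function handleRequest(request) {
  const target = redirectTarget(request.url);
  if (target === null) {
    return new Response("Not found", { status: 404 });
  }
  return new Response(null, {
    status: 302,
    headers: { Location: target, "Cache-Control": "no-store" },
  });
}

// Service-worker style registration; the guard lets the file load outside
// the Workers runtime as well (for example when testing under Node).
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
}
```

The subdomain records have to stay proxied for the Worker route to receive the requests.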

