Is there a way to use Cloudflare Pages with DNSSEC? (i.e. no CNAME or CNAME to DNSSEC-enabled domain)


I recently started using Cloudflare Pages for the first time. My goal is to ultimately use it to serve my domain’s MTA-STS txt file, and potentially other things if that goes well. (Yes, I am aware that DANE is better but currently MTA-STS is all I can do.)

I started testing it with a domain I keep at Cloudflare Registrar. I added a custom domain in the form of a subdomain. The CNAME record that Cloudflare automatically added was orange-clouded, which caused the custom domain verification to fail until I went in and manually grey-clouded it. That seems like a rather odd choice by Cloudflare, but at least it’s an easy fix.

Anyway, I would ideally like to serve my MTA-STS file from a domain with DNSSEC. My domain does have DNSSEC enabled, but since I have to create a non-proxied CNAME record to pages(.)dev – and pages(.)dev is not DNSSEC enabled – my MTA-STS file is technically not being served from a domain with DNSSEC. For example, when I run the ‘dig’ command for my Pages subdomain, the ‘ad’ flag is not present because pages(.)dev is unsigned.

Is there any way to use Cloudflare Pages without the non-proxied CNAME record to pages(.)dev, or perhaps an alternate Cloudflare Pages domain that is DNSSEC enabled? I am still very new to Pages and I suck at web development so… I may be missing something very obvious here.
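The 'ad' check described above, as an added example that is not part of the original post: a small POSIX shell function that reads dig output and reports whether the resolver authenticated the answer (the AD flag in the header). The two dig outputs embedded below are constructed, not captured; the hostnames and addresses in them are placeholders. The first shows what a CNAME into an unsigned zone looks like (no ad flag, exactly the symptom the question describes), the second a record answered directly from a signed zone.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a dig answer was
# DNSSEC-validated by looking for the "ad" flag in the header line.
# Sample dig output below is constructed, not captured from a real lookup.

# Print "validated" if the header carries the ad flag, else "not-validated".
dnssec_status() {
    # $1: full dig output text; the flags live on the ";; flags: ...;" line
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in
        *" ad "*) echo "validated" ;;
        *)        echo "not-validated" ;;
    esac
}

# Constructed: a subdomain whose CNAME target sits in an unsigned zone.
# The resolver can validate the CNAME itself, but the final A record comes
# from the unsigned target, so the whole answer is not authenticated.
UNSIGNED_CHAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
mta-sts.example.com.    300 IN CNAME example-site.pages.dev.
example-site.pages.dev. 300 IN A     192.0.2.10'

# Constructed: a record in a signed zone, answered by a validating resolver.
SIGNED_DIRECT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
mta-sts.example.com.    300 IN A     192.0.2.20'

# Live use would be: dnssec_status "$(dig +dnssec A mta-sts.example.com)"
echo "cname to unsigned zone: $(dnssec_status "$UNSIGNED_CHAIN")"
echo "signed direct record:   $(dnssec_status "$SIGNED_DIRECT")"
```

Two caveats when running this against real lookups: the ad flag is only ever set by a resolver that validates DNSSEC, so "not-validated" from a non-validating resolver says nothing about the zone; and once the record is proxied (orange-clouded), the answer is an A/AAAA record published in your own signed zone rather than a CNAME into pages(.)dev, which is why the reply below resolves the problem.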

If validation is failing with orange cloud it means we can’t validate.


curl -I https://<yourdomain>/.well-known/acme-challenge/randomstring

and see what it’s returning. I’m guessing you have something above causing a redirect or serving files that aren’t Pages (Page Rules, Transform Rules, Bulk Redirects, Workers, etc.)
If it went right through, the validation would be good.

If you try again I can see exactly why validation is failing.

I’d say to just orange cloud. I don’t think we’ll be enabling DNSSEC for * for at least a long while.

Ohhhhh. I didn’t realize that it’s okay to orange-cloud again after verification has passed. Thought it had to remain a non-proxied CNAME like with the new GitHub Pages. Issue solved. Thank you!

