TLSA record in combination with NS cloudflare

Goodmorning Community,

I recently walked into a problem with the name servers of cloudflare when i want to setup my TSLA.

I protect my sites with the services of cloudflare, and as soon as I move them to CF i walk into the problem that the nameservers are generating some sort of record. This record is a subdomain of the domainname. For example:

when i do “dig MX” I receive: “10”.

I don’t know how to resolve this problem. As long as I don’t have a match with the right mx records, the outbound emails are blocked by DANE.

Is there someone who run into this problem as well and might have the solution?


I dont know what TSLA is supposed to be, however the dc record appears when you proxy a record that is typically required in an unproxied state.

MX records are a good example for that, as these are used for email and cannot be proxied through Cloudflare. In your case you will have set the DNS record, to which your MX record points to, set to :orange:.

Hi Sandro, thanks for your quick reply.

The TLSA record is used for TLSA records (Transport Layer Security Authentication) to match a public key of a certificate (X.509) to a domain where the TLSA record is provided. This makes it able to make an TLSA certificate association. It’s an extension of the DKIM en DMARC procedures.

When I understand your reply right, i have to make an MX record in my Cloudflare DNS, which will point to the DNS record of the domain. So that will be an CNAME record, wich points to because that should be the right address for the mail.

Thanks for the explanation regarding TLSA records. I wasnt aware of that record type yet, then the entire DKIM, DMARC, and DANE setup is still somewhat of a mystery to me :smile:

Anyhow, as far as MX records are concerned you’d set them up on Cloudflare just like at any other place. The only thing to keep in mind is not to proxy (:orange:) the A or CNAME record that you assigned to your MX record.

Hi Sandro,

That’s the whole issue i’m having here. The only proxy i’ve setup is the A and AAAA record. So no CNAME nor MX record are using Cloudflare. It seems that as soon as i add an website from my original hoster to CF, I directly got an added mailserver, who understandably does not see the TLSA record :frowning:

As long as the record specified for MX is not proxied you should not get an additional dc record.

Can you post the domain name?

Sandro, i think the DNS is changed in the way it should be, the changes took some time to be processed. When i check the DNS now, it’s right :slight_smile:

All right, I cant find a dc record however. Your MX record points straight to a mail host which in turn presumably points to your server. So I guess that should be fine, shouldnt it?

1 Like

Yes, i’ll try again! Thanx you so much! :+1:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.