Wildcard HTTPS record

I’m trying to setup HTTPS records for my domain as described in https://blog.cloudflare.com/speeding-up-https-and-http-3-negotiation-with-dns/

My problem is that i can’t find any useful information how to deal with a wildcard CNAME. I’ve successfully setup a HTTPS record for the root domain.

A brief overview of my DNS configuration so far:

example.com.      3600      IN  A          XXX.XXX.XXX.XXX
example.com.      3600      IN  AAAA       XXX:XXX:XXX:XXX
*.example.com.   86400      IN  CNAME      example.com.
example.com.     86400      IN  HTTPS      1 . alpn="h3,h2"
*.example.com.   86400      IN  HTTPS      1 . alpn="h3,h2"

While this works for the root domain, it doesn’t work if i query something like subdomain.example.com via https://dns.google

Apex * ?

You can add wildcard record, but it may not work as proxied :orange:, rather only as unproxied :grey: (DNS-only).

I am afraid wildcard (apex *) would work for CNAME as proxied :orange: only at Enterprise plan.

See the answer at the link below:

If you have sub-domains, you can always add the A/CNAME type specific records for them.

May I ask from where is this configured?
At the DNS tab of Cloudflare dashboard for your domain name?

I configured all entries as DNS-only so those restrictions shouldn’t apply.

Correct. Here is my current config(domain changed to example.com and IPs redacted):

My configuration:

nxdomain.info.      600          IN  A          XXX.XXX.XXX.XXX
nxdomain.info.      600          IN  AAAA       XXX:XXX:XXX:XXX
*.nxdomain.info.   600          IN  CNAME      nxdomain.info.
nxdomain.info.      86400     IN  HTTPS      1 . alpn="h3,h2"

Querying the HTTPS RR via apex works:

https://dns.google/query?name=nxdomain.info&rr_type=HTTPS

I can also successfully query the A/AAAA records of any subdomain via CNAME:

https://dns.google/query?name=something.nxdomain.info&rr_type=A

https://dns.google/query?name=something.nxdomain.info&rr_type=AAAA

The HTTPS record can’t be queried via subdomain though:

https://dns.google/query?name=something.nxdomain.info&rr_type=HTTPS

@MoreHelp also posted on Serverfault. This looks like a nameserver bug:

I think this is a legitimate bug in Cloudflares nameserver which can be reproduced.

Hm, from all that, may I ask, is the origin host/server supporting and working over HTTP/2 and also configured to work with HTTP/3?, as far as the requests are going straight to it due to the CNAME’s :grey: (DNS-only) or rather HTTPS record?

Nevertheless, despite of the apex * use, have you tried it using a DNS record for specific sub-domain (without apex)?
Even you say as far as I see from above screenshot, your naked-domain you’ve added, is working, but not sub-domain(s).

The server is running caddy with HTTP/2 and HTTP/3 enabled.

root:

subdomain:

The HTTPS record should be resolved against nxdomain.info with the wildcard CNAME in place. I have a similar setup with a different provider/nameserver which works as expected:

https://dns.google/query?name=status.proliantnas.dedyn.io&rr_type=HTTPS

CNAME → HTTPS

But i get no CNAME output with Cloudflares nameserver:

https://dns.google/query?name=status.nxdomain.info&rr_type=HTTPS

This IMHO violates rfc1034:

If the data at the node is a CNAME, and QTYPE doesn’t match CNAME, copy the CNAME RR into the answer section of the response, change QNAME to the canonical name in the CNAME RR, and go back to step 1.

@fritex can this issue be raised to the Cloudflare devs? This might affect other customers as well.

Sure. Thank you for notice!

Kindly, post back here with your ticket number so I could escalate it.

In the meantime, I will try to replicate this soon on my domain too.

I mistakenly created the ticket for the registrar category: #2340837

I can’t open one for DNS as those tickets seem to be for Pro+ only, unfortunately.

1 Like

Went the extra mile and asked on the repository for the ietf draft of the dns-alt-svc standard:

1 Like

I see that ticket number in the escalation queue now.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.