fix: allow CNAME + other records when Cloudflare proxy is enabled #4189
Open
raman1236 wants to merge 1 commit into StackExchange:main
When a CNAME record has cloudflare_proxy set to 'on' or 'full', Cloudflare flattens the CNAME internally and returns A/AAAA records to resolvers. The CNAME is never actually served, so the RFC 1034 §3.6.2 restriction (CNAME must be the only record at a name) does not apply.

The checkCNAMEs validation now skips the CNAME conflict error for proxied Cloudflare CNAMEs, similar to the existing AKAMAICDN exception.

Fixes StackExchange#4181
Description

Fixes the CNAME + other record type validation to allow coexistence when the CNAME is proxied through Cloudflare (CF_PROXY_ON or CF_PROXY_FULL).

Problem

When using the Cloudflare provider with CF_PROXY_ON, dnscontrol rejects configurations that have a CNAME and another record type (e.g., MX) on the same name:

However, when a CNAME is proxied, Cloudflare flattens it internally and returns A/AAAA records to resolvers. The CNAME is never served to the public, so the RFC 1034 §3.6.2 restriction does not apply. Cloudflare itself allows this configuration and it works correctly.

Root Cause

The checkCNAMEs function in pkg/normalize/validate.go unconditionally rejects any record type (except AKAMAICDN) that shares a label with a CNAME, without checking whether the CNAME uses Cloudflare proxy flattening.

Fix

When building the CNAME label map, also track which CNAMEs have cloudflare_proxy metadata set to "on" or "full". Skip the conflict error for those labels, following the same pattern as the existing AKAMAICDN exception.

Tests

Added TestCNAMECloudflareProxied that verifies:

Fixes #4181
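The rule described in the PR description above, as an added sketch that is not dnscontrol's code and not taken from this PR. The Record type and the proxied and cnameConflicts functions are hypothetical stand-ins, and the sample zone is constructed; it shows that a label whose CNAME has the proxy off is still rejected, and that record order does not matter.

```go
package main

import "fmt"

// Record is a simplified stand-in for a DNS record (hypothetical type, not dnscontrol's).
type Record struct {
	Label, Type string
	Metadata    map[string]string
}

// proxied reports whether cloudflare_proxy metadata is "on" or "full".
func proxied(r Record) bool {
	v := r.Metadata["cloudflare_proxy"]
	return v == "on" || v == "full"
}

// cnameConflicts returns one message per record that shares a label with a
// CNAME, unless that CNAME is proxied or the other record is AKAMAICDN.
func cnameConflicts(recs []Record) []string {
	// Pass 1: map each CNAME label to whether that CNAME is proxied.
	cnames := map[string]bool{}
	for _, r := range recs {
		if r.Type == "CNAME" {
			cnames[r.Label] = proxied(r)
		}
	}
	// Pass 2: flag other record types at a label held by an unproxied CNAME.
	var errs []string
	for _, r := range recs {
		isProxied, hasCNAME := cnames[r.Label]
		if r.Type == "CNAME" || r.Type == "AKAMAICDN" || !hasCNAME || isProxied {
			continue
		}
		errs = append(errs, fmt.Sprintf("cannot have CNAME and %s at %q", r.Type, r.Label))
	}
	return errs
}

func main() {
	// Constructed sample zone: "mail" has a proxied CNAME, "www" does not.
	zone := []Record{
		{Label: "mail", Type: "MX"},
		{Label: "mail", Type: "CNAME", Metadata: map[string]string{"cloudflare_proxy": "on"}},
		{Label: "www", Type: "CNAME", Metadata: map[string]string{"cloudflare_proxy": "off"}},
		{Label: "www", Type: "TXT"},
	}
	for _, e := range cnameConflicts(zone) {
		fmt.Println(e)
	}
}
```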