Custom Hostname DCV Delegation does not work (Pending Validation TXT) for domain with DNSSEC

Is CF for SaaS DCV delegation for Custom Hostnames not possible if the domain is not a zone in Cloudflare and has DNSSEC enabled (it doesn't seem to have any misconfiguration)?

  • TLD is .us.
  • DNSSEC is enabled, but no issues as far as I can tell that could cause anything to be unreachable.
  • Registrar is Pairnic.
  • CA that Cloudflare picked seems to be Google.
  • Hostname did pre-validate and is active, but Certificate is stuck in Pending Validation (TXT).
  • No CAAs in the domain/TLD.

It's odd as the _acme-challenge.preview.exampledomain.us CNAME resolves correctly, which means that _acme-challenge-preview.exampledomain.us is issuing the correct TXT that should activate it.

This happens for the 3 hostnames we're attempting to add (preview. which does not exist at the moment, www. which does point to their current/previous site, and root which also does and redirects to www.)

Already opened a support ticket (Ticket 3290689) but I'm a bit fearful that if we don't solve it soon we'll end up getting rate-limited / temporarily banned (?) by the CA soon 😬

The automatic notifications have been stuck in "DCV has failed" (which also tends to happen on successful validations, but then they work) - this time they've just been repeating that error for ~2 hours now instead of working after 2-3 minutes.

We've already activated tens of custom hostnames without any hiccups with this kind of setup (e.g. prevalidating both the cert with Delegated DCV and the hostname with the prevalidation TXT and only then moving the target CNAME)

Thank you!

EDIT: solved - pairdomains support was excellent and was able to discover something very specific to their DNS system which they've been able to diagnose.
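
One way to separate a DNSSEC validation failure from a broken DCV delegation is to walk the `_acme-challenge` CNAME chain twice, once as a validating resolver sees it and once with checking disabled, and compare the results. This is an added example, not part of the original post: the resolver answers are constructed, the DCV target is a placeholder, and `walk` and `diagnose` are hypothetical helper names.

```python
# Constructed resolver answers, keyed by (name, type) -> (rcode, rdata list).
# VALIDATING models a DNSSEC-validating resolver; CD models the same queries
# with checking disabled (what `dig +cd` returns). All names are placeholders.
HOST = "preview.exampledomain.us"
TARGET = "preview.exampledomain.us.PLACEHOLDER.dcv.cloudflare.com"

CD = {
    ("_acme-challenge." + HOST, "CNAME"): ("NOERROR", [TARGET]),
    (TARGET, "TXT"): ("NOERROR", ["constructed-token"]),
}
# Same data, but the validating resolver rejects the answer from the signed zone.
VALIDATING = dict(CD)
VALIDATING[("_acme-challenge." + HOST, "CNAME")] = ("SERVFAIL", [])


def walk(view, name, max_hops=8):
    """Follow CNAMEs from name to a TXT answer; return (status, last_name, txts)."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            return "LOOP", name, []
        seen.add(name)
        rcode, rdata = view.get((name, "CNAME"), ("NOERROR", []))
        if rcode != "NOERROR":
            return rcode, name, []
        if rdata:                      # delegation: continue at the CNAME target
            name = rdata[0].rstrip(".")
            continue
        rcode, txts = view.get((name, "TXT"), ("NXDOMAIN", []))
        if rcode != "NOERROR":
            return rcode, name, []
        return ("OK" if txts else "NODATA"), name, txts
    return "TOO_MANY_HOPS", name, []


def diagnose(validating, cd, host):
    """Classify why the DCV TXT is (un)reachable for host."""
    qname = "_acme-challenge." + host
    v_status, v_name, _ = walk(validating, qname)
    c_status, c_name, _ = walk(cd, qname)
    if v_status == "OK":
        return "TXT reachable via validating resolver"
    if v_status == "SERVFAIL" and c_status == "OK":
        return f"DNSSEC validation failure at {v_name}"
    return f"delegation broken at {c_name}: {c_status}"
```

A chain that resolves only with checking disabled looks healthy from a non-validating resolver, while a CA that validates DNSSEC never reaches the TXT record.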