[Closed] Using *.dedyn.io for tunneling in cloudflare (DNSSEC problem?)

Hi everyone,

I am trying to get a subdomain of deSEC working with cloudflare.
I am talking about this one: desecforumquestioncloudflare.dedyn.io

  1. I added the domain as a new site to cloudflare and changed the nameserver configuration (on desec website) as cloudflare asks me to do.
    This worked and cloudflare seems to be happy.

    Cloudflare Domain Configuration - Screenshot

  2. Checking this site for the nameserver configuration confirms this:
    DNS Propagation Checker - Global DNS Testing Tool

  3. Configure Cloudflare tunnel using the domain “desecforumquestioncloudflare.dedyn.io

  4. somehow this does not work. For unknown reasons I get no ip address as a result requesting this:

dig AAAA desecforumquestioncloudflare.dedyn.io @


dig AAAA desecforumquestioncloudflare.dedyn.io @

but asking the cloudflare nameservers we get a ip address which you can successfully use if you change your host-file configuration to resolve “desecforumquestioncloudflare.dedyn.io” without asking your usual dns-server.

dig AAAA desecforumquestioncloudflare.dedyn.io @eve.ns.cloudflare.com
; <<>> DiG 9.10.6 <<>> AAAA desecforumquestioncloudflare.dedyn.io @eve.ns.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5747
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags:; udp: 1232
;desecforumquestioncloudflare.dedyn.io. IN AAAA

desecforumquestioncloudflare.dedyn.io. 300 IN AAAA 2a06:98c1:3121::3
desecforumquestioncloudflare.dedyn.io. 300 IN AAAA 2a06:98c1:3120::3

;; Query time: 21 msec
;; SERVER: 2606:4700:50::a29f:26cc#53(2606:4700:50::a29f:26cc)
;; WHEN: Thu Nov 10 13:05:06 CET 2022
;; MSG SIZE  rcvd: 122

Watching the AAA results for the domain you can see another strange thing (Time of writing it looks like this AAAA addresses - Screenshot):

In my previous experiments with this configuration I was able to see how this list was filling up slowly with ipv6 addresses until it starts draining again ending with an empty list.

I have the suspicion there is a problem with dnssec resulting in the behavior that DNS servers add the ip address and then detecting the entries could not be verified by DNSSEC deciding to remove the entry again.
You can see it here:

Screenshot for reference:
DNSSEC Analyzer Result - Screenshot

Any ideas what I am doing wrong?
Is it possible to do the configuration like this as all?

Thank you for your help :slight_smile:

In my understanding (not sure): To make this possible, you would not have to edit the ns record in the dns zone desecforumquestioncloudflare.dedyn.io, but the ns record for the subdomain desecforumquestioncloudflare in the dns zone dedyn.io.

I don’t think deSEC allows that (that would also be against the idea of what dynDNS is supposed to be, so you wouldn’t be doing dynDNS anymore). Presumably it makes sense to buy a real domain for this?

@markus Thanks for you response :slight_smile:

Why do you think the configuration of the nameserver on the desec site is not sufficient?
Reading the results of the dnssec analyzer DNSSEC Analyzer - desecforumquestioncloudflare.dedyn.io
I think the ip addresses listed there are good:

You can configure your /etc/hosts file to resolve the domain like this: desecforumquestioncloudflare.dedyn.io

running a curl on “desecforumquestioncloudflare.dedyn.io” results in this:

➜  ~ curl desecforumquestioncloudflare.dedyn.io                              
502 Bad Gateway
Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared

In my understanding this means:

  • cloudflare is taking care of the domain and publishes a ip address which points to the right tunnel
  • missing proper DNSSEC configuration stops the DNS-servers to validate and therefore stops them from accepting the configured ip address

You’re right :slight_smile:

$ dig +short @ns1.desec.io desecforumquestioncloudflare.dedyn.io ns

(DNSViz also says that it is a DNSSEC problem.)

In my understanding:

Either one would have to set up DNSSEC completely/correctly:

For that you would have to:

  1. Enable DNSSEC for dns zone desecforumquestioncloudflare.dedyn.io at cloudflare. According to dig this is not the case at the moment.
$ dig +short @eve.ns.cloudflare.com desecforumquestioncloudflare.dedyn.io dnskey
# no data is returned
  1. The DNSSEC signature would then have to be deposited in the parent(!) zone. There is currently a ds record stored that probably not fits for Cloudflare (to query the parent zone, you need to use the ns of the parent, in this case: @ns1.desec.io).
$ dig +short @ns1.desec.io desecforumquestioncloudflare.dedyn.io ds
40674 13 4 8F77AE40279BE230F149934991CA3E63C2EBBFB7D6CE21F2BD1CE7FA 3D410B048E0F90F361FE047707BCD41F9E7958A4
40674 13 2 BF82CB351800FAA68EC10DEB19F9DF9BA77EBD06F413A47CEF7AAFAA DDC82C74

I suspect this will not be possible for the following reasons:

  • To do this, you would have to edit the ds record in the parence zone, you do not have access to it
  • I don’t think dedyn supports this (out of scope, but i’m not sure)

Or alternatively disable DNSSEC:

I suspect this will not be possible for the following reasons:

  • To do this, you would have to remove the ds in the parence zone, you do not have access to it
  • Disabling DNSSEC is against the guidelines of deSEC

Turns out there is a nice cloudflare button to enable DNSSEC.

I took the values Cloudflare provides to me and just added them to the desec configuration.

Checking out desecforumquestioncloudflare.dedyn.io | DNSViz and DNSSEC Analyzer - desecforumquestioncloudflare.dedyn.io it looks like it changed something.
Now I have more green :slight_smile:

Just thinking out loud:

  • Maybe I should take the desec DS configuration proposal to the cloudflare configuration page. :thinking:
  • I guess I cannot disable dnssec for desecforumquestioncloudflare.dedyn.io because this would disable dnssec for all the other subdomains?

That is correct.

The current configuration is that DNS for domains under dedyn.io is managed by deSEC only. You cannot move DNS service to Cloudflare.

If you would like to use Cloudflare, you’ll have to bring a different domain.

It’s not possible to mix DNSSEC aspects of deSEC and Cloudflare in this way.

Stay secure,

This is unfortunate.

Thanks for clarifying this. Then I can stop trying to get this working :smiley: