From 5e4d68b41cdf749ce7807ecf5c4d4c8b4e1dcf94 Mon Sep 17 00:00:00 2001 From: Tom Limoncelli Date: Mon, 12 May 2025 17:14:32 -0400 Subject: [PATCH] CLOUDFLAREAPI: Enable inserting DS records at the domain apex (even if they may be rejected) (#3571) --- documentation/provider/cloudflareapi.md | 6 +++++- documentation/provider/index.md | 2 +- integrationTest/integration_test.go | 1 + providers/cloudflare/cloudflareProvider.go | 1 + 4 files changed, 8 insertions(+), 2 deletions(-) diff --git a/documentation/provider/cloudflareapi.md b/documentation/provider/cloudflareapi.md index e33657dd8..58fa43236 100644 --- a/documentation/provider/cloudflareapi.md +++ b/documentation/provider/cloudflareapi.md @@ -385,6 +385,11 @@ Please notice that if _any_ `CF_WORKER_ROUTE` function is used then `dnscontrol` Worker Routes for the domain. To be clear: this means it will delete existing routes that were created outside of DNSControl. +## DS records + +Cloudflare has restrictions that may result in DNSControl's attempt to insert +DS records to fail. + ## Integration testing The integration tests assume that Cloudflare Workers are enabled and the credentials used @@ -399,7 +404,6 @@ go test -v -verbose -profile CLOUDFLAREAPI -cfworkers=false When `-cfworkers=false` is set, tests related to Workers are skipped. The Account ID is not required. - ## Cloudflare special TTLs Cloudflare plays tricks with TTLs. Cloudflare uses "1" to mean "auto-ttl"; diff --git a/documentation/provider/index.md b/documentation/provider/index.md index 663695af5..332a8af34 100644 --- a/documentation/provider/index.md +++ b/documentation/provider/index.md 
@@ -21,7 +21,7 @@ If a feature is definitively not supported for whatever reason, we would also li | [`AZURE_PRIVATE_DNS`](azure_private_dns.md) | ✅ | ✅ | ❌ | ❔ | ❌ | ❌ | ❔ | ❔ | ❌ | ❌ | ✅ | ❔ | ✅ | ❌ | ❔ | ❌ | ❔ | ❔ | ❔ | ❔ | ✅ | ✅ | ✅ | | [`BIND`](bind.md) | ✅ | ✅ | ❌ | ✅ | ❔ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | [`BUNNY_DNS`](bunny_dns.md) | ❌ | ✅ | ❌ | ❔ | ✅ | ✅ | ✅ | ❔ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | ❔ | ❌ | ❌ | ❌ | ❔ | ❔ | ❌ | ✅ | ✅ | -| [`CLOUDFLAREAPI`](cloudflareapi.md) | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ❔ | ✅ | ❌ | ✅ | ✅ | ❔ | ✅ | ✅ | ✅ | ✅ | ❔ | ❔ | ❔ | ❌ | ❌ | ✅ | ✅ | +| [`CLOUDFLAREAPI`](cloudflareapi.md) | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ❔ | ✅ | ❌ | ✅ | ✅ | ❔ | ✅ | ✅ | ✅ | ✅ | ✅ | ❔ | ❔ | ❌ | ❌ | ✅ | ✅ | | [`CLOUDNS`](cloudns.md) | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ❔ | ✅ | ❔ | ✅ | ❔ | ✅ | ✅ | ❔ | ✅ | ❔ | ❔ | ✅ | ❔ | ❔ | ✅ | ✅ | | [`CNR`](cnr.md) | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ❔ | ❌ | ❌ | ✅ | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | ❔ | ❌ | ❌ | ❔ | ✅ | ✅ | ✅ | | [`CSCGLOBAL`](cscglobal.md) | ✅ | ✅ | ✅ | ✅ | ❔ | ✅ | ❔ | ❔ | ❔ | ❔ | ❔ | ❔ | ✅ | ❔ | ❔ | ❔ | ❔ | ❔ | ❔ | ❔ | ❔ | ❌ | ✅ | diff --git a/integrationTest/integration_test.go b/integrationTest/integration_test.go index 34c4a947e..98401972b 100644 --- a/integrationTest/integration_test.go +++ b/integrationTest/integration_test.go @@ -795,6 +795,7 @@ func makeTests() []*TestGroup { testgroup("DS", requires(providers.CanUseDS), + not("CLOUDFLAREAPI"), // Use a valid digest value here. Some providers verify that a valid digest is in use. See RFC 4034 and // https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml // https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml diff --git a/providers/cloudflare/cloudflareProvider.go b/providers/cloudflare/cloudflareProvider.go index dac334cfb..b2b557a64 100644 --- a/providers/cloudflare/cloudflareProvider.go +++ b/providers/cloudflare/cloudflareProvider.go 
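Review bot: The `not("CLOUDFLAREAPI"),` exclusion added to the DS test group in integrationTest/integration_test.go has no comment saying why the provider is skipped. It lands in the same commit that turns on `providers.CanUseDS` for Cloudflare, so the newly enabled DS path appears to get no integration coverage from this group. DS records are part of the DNSSEC chain of trust, so a later reader should be able to see that the skip is deliberate and that DS behaviour on Cloudflare is unverified here. A trailing comment would do, e.g. `not("CLOUDFLAREAPI"), // Cloudflare may reject DS inserts; see documentation/provider/cloudflareapi.md`. The `testgroup("DS", ...)` call continues past the end of the hunk.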
@@ -50,6 +50,7 @@ var features = providers.DocumentationNotes{
 providers.CanUseAlias: providers.Can("CF automatically flattens CNAME records into A records dynamically"),
 providers.CanUseCAA: providers.Can(),
 providers.CanUseDNSKEY: providers.Cannot(),
+ providers.CanUseDS: providers.Can(),
 providers.CanUseDSForChildren: providers.Can(),
 providers.CanUseHTTPS: providers.Can(),
 providers.CanUseLOC: providers.Cannot(),
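Review bot: `providers.CanUseDS: providers.Can()` declares DS support with no qualifying note, although the commit subject and the new "DS records" section in cloudflareapi.md both say Cloudflare may reject these records. `providers.Can` already takes an explanatory string in this map (the `CanUseAlias` entry), so the caveat could be carried the same way: `providers.CanUseDS: providers.Can("Cloudflare may reject DS records; see provider documentation"),`. Because DS records are part of the DNSSEC chain of trust, it is also worth confirming, in code outside this hunk, that a rejected DS insert is reported as an error rather than silently skipped. The `features` map begins and ends outside the hunk.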