ANAME, CNAME flattening recommendation

Hi,
I want to take advantage of the Autoscaler and I would need to point an ANAME (CNAME flattening) to a Nova destination.

Now I need to find a registrar or DNS provider that can handle that and DNSSEC.

What do you guys use/recommend for CNAME flattening (ANAME)?
I’m looking at Cloudflare; they offer CNAME flattening and DNSSEC, which I would also need.
I also found that name.com offers ANAME, which is the same, but they don’t have DNSSEC.

My domain name also has an email server, so that’s why I want DNSSEC.

I would like to find an option that is not too expensive, so name.com is very inexpensive. Cloudflare has a free option too.

What do you guys use?

1 Like

Hey @pat74!

While I can’t officially recommend any particular provider, personally I’ve been using Cloudflare for some years with good results.
For that matter, authoritative nameservers for snapt.net are at Cloudflare as we speak. :)

There are a few other options, however, including DNSimple and Namecheap - along with a free plan. Depending on your needs, especially around guaranteed uptime, a paid service may be preferred. That said, I’ve had no issues with DNSSEC on Cloudflare (and alias-type records) myself.

Hope this helps!

2 Likes

Do you need to install the certificate on Cloudflare as well when using their CNAME flattening?
I’m getting reports from users that the certificate is invalid. I had the same certificate installed on my DigitalOcean load balancer and it was working fine.
They are installed in my ADC as well.
Why do some get the invalid certificate?

This shouldn’t be necessary - Cloudflare does offer reverse proxying, which may be enabled by default, but for basic DNS you should still arrive at your Nova node as expected.

What this sounds like is an incomplete SSL certificate chain - you can test for this issue here. The expected format for a full chain file is available under Nova’s documentation - this is effectively ‘private key, certificate, optional intermediate certificate, optional root certificate’. The order does appear to be different to DigitalOcean’s requirements, as well as needing to be in a single file.

Alternatively, if you’re able to get any information about what exactly the certificate errors are that are being reported, I may be able to point you in the right direction.
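A quick local check of the single-file order described above, as an added example that is not part of the original post and is not Nova's own code. It parses the PEM blocks and compares issuer and subject names only; the function names and messages are assumptions made for this sketch.

```python
import base64
import re
import sys

PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = tlv(der, 0)    # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)  # tbsCertificate SEQUENCE
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:            # optional [0] version field
        pos = end
    fields = []
    for _ in range(5):         # serial, sigAlg, issuer, validity, subject
        _, _, end = tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_bundle(text):
    """List problems in a 'key, cert, intermediate, root' single-file bundle."""
    blocks = [(m.group(1), base64.b64decode(m.group(2))) for m in PEM.finditer(text)]
    problems = []
    if not blocks or not blocks[0][0].endswith("PRIVATE KEY"):
        problems.append("private key is not the first block")
    names = [issuer_subject(der) for label, der in blocks if label == "CERTIFICATE"]
    if not names:
        return problems + ["no certificate in the bundle"]
    # Name chaining only: each certificate's issuer must equal the next subject.
    # Signatures and validity dates are not checked here.
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    if len(names) == 1 and names[0][0] != names[0][1]:
        problems.append("only the leaf is present; its issuer is not in the bundle")
    return problems

if __name__ == "__main__":
    with open(sys.argv[1]) as fh:  # path to the bundle file to check
        print("\n".join(check_bundle(fh.read())) or "bundle order looks consistent")
```

A leaf-only bundle is flagged because clients that do not already hold the issuing certificate cannot build the chain, which matches the "invalid for some users" symptom.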

Not sure exactly what happened. After I posted here, my node’s server went down and then back up, and the next day everything was working normally.
So what I’m thinking is that maybe the certificate didn’t install properly on one of the nodes and after rebooting them they got deployed properly.

This all happened automatically so that’s good, I guess, but it may have been a manual intervention also.