Cloudflare change in v4.15.4


Tom Limoncelli

Jan 21, 2025, 3:56:39 PM
to DNSControl-discuss
Short version:
Cloudflare users will see many MODIFY-TTL changes when they upgrade to v4.15.4.  It will be a one-time change.  It is expected.

Longer version:

Since 2019-06-27 the CLOUDFLAREAPI provider has changed TTLs from 300 to 1.  This was done to reflect the special treatment that Cloudflare gives certain TTLs.

This 300 -> 1 change should have been done ONLY for A/AAAA/CNAME records with Cloudflare proxy enabled; no other records.  However we've been doing it for all records.  That is a bug.

This bug was fixed in v4.15.4.  Therefore, when you upgrade to v4.15.4 or later, your next "push" will see many, many, many records changing their TTL to 300. For example, here are just the first 26 such corrections at my site:

******************** Domain: stackoverflow.com 108 corrections (cloudflare_main)
#1: ± MODIFY-TTL stackoverflow.com MX 1 aspmx.l.google.com. ttl=(1->300) id=aab5612c342fad59cac07135b23d84a0
#2: ± MODIFY-TTL stackoverflow.com MX 10 alt3.aspmx.l.google.com. ttl=(1->300) id=6bc248ab58629572f62c8f22ea817ff1
#3: ± MODIFY-TTL stackoverflow.com MX 10 alt4.aspmx.l.google.com. ttl=(1->300) id=6827992ff7bd0a4bd6bd48eaf2a020bb
#4: ± MODIFY-TTL stackoverflow.com MX 5 alt1.aspmx.l.google.com. ttl=(1->300) id=a2833ddd6bea77297a08f96247d05959
#5: ± MODIFY-TTL stackoverflow.com MX 5 alt2.aspmx.l.google.com. ttl=(1->300) id=c8fe2997cdb5010f4bdadfb87b229124
#6: ± MODIFY-TTL stackoverflow.com TXT "MS=ms52592611" ttl=(1->300) id=da7a1e0f5b722cc48db8f041c73fc47f
#7: ± MODIFY-TTL stackoverflow.com TXT "ZOOM_verify_AbkNwz5bBl0eurcDKyhhuk" ttl=(1->300) id=abecd28a6eed0d9c84046e4daf71e296
#8: ± MODIFY-TTL stackoverflow.com TXT "apple-domain-verification=O9jlnJXAQ7sNSZqC" ttl=(1->300) id=c0e4ea611804bca0420a8b31ef393e55
#9: ± MODIFY-TTL stackoverflow.com TXT "atlassian-domain-verification=byLeZgl3MIcfOqwWuMhq8Fhr/1zem/jIaouJegvDZbBKUU5OqhwDjdpkyYg5CTzm" ttl=(1->300) id=90c88ba2362d0f0db9e8e33fb5e497de
#10: ± MODIFY-TTL stackoverflow.com TXT "docker-verification=d65aee54-9091-4ceb-b792-61f5d5804050" ttl=(1->300) id=735b8415c0bc7181b1d52d8330934125
#11: ± MODIFY-TTL stackoverflow.com TXT "docusign=4262531d-29f4-4a62-9f33-ae9f66f5247b" ttl=(1->300) id=f8694e9d538a06b3c3e40616533bfe38
#12: ± MODIFY-TTL stackoverflow.com TXT "google-site-verification=2Bi6SYw5skkRexdtdLPL2gpxeIhLxnYVqITVP9Htl3w" ttl=(1->300) id=5997142f6d20a214ee09d294068fb5e6
#13: ± MODIFY-TTL stackoverflow.com TXT "google-site-verification=ctogLnZNAdc_CXq8yOhODMLpmugGynjxKecKHDz4oL8" ttl=(1->300) id=65b7c4bc52b4a2f9dd297f11afed7aaa
#14: ± MODIFY-TTL stackoverflow.com TXT "google-site-verification=o3EMam8yBGo1yEjyybIiZcOunGHOQKpo8JmOtp9n1BU" ttl=(1->300) id=a1a88583fd8684c8800805a1483bf33e
#15: ± MODIFY-TTL stackoverflow.com TXT "google-site-verification=rdWtMbplKjbRHGr2dNONfwkqithlUvjr3u6i8QEz_mo" ttl=(1->300) id=074ed2039968c59a915b7f39a286b082
#16: ± MODIFY-TTL stackoverflow.com TXT "onetrust-domain-verification=0d9d67f856334905a54256085a5768b3" ttl=(1->300) id=e1f065a4d27bf1493314fee1a7d79e54
#17: ± MODIFY-TTL stackoverflow.com TXT "onetrust-domain-verification=e445562296a64c649ae3d520230b8c4c" ttl=(1->300) id=2ba90181a6c602e9f50c84adf1f97bc0
#18: ± MODIFY-TTL stackoverflow.com TXT "v=spf1 ip4:198.252.206.71 include:_spf1.stackoverflow.com ~all" ttl=(1->300) id=0c772a809bcd79e0afb09d43346bf085
#19: ± MODIFY-TTL stackoverflow.com CAA 0 issue "digicert.com" ttl=(1->300) id=eedc0e4324594862e6cc240b3a2d7615
#20: ± MODIFY-TTL stackoverflow.com CAA 0 issue "digicert.com; cansignhttpexchanges=yes" ttl=(1->300) id=89f84774a3f07af4aa2295653e44b07b
#21: ± MODIFY-TTL stackoverflow.com CAA 0 issue "letsencrypt.org" ttl=(1->300) id=9f66552e8a727929f1fa2e3c739c943b
#22: ± MODIFY-TTL stackoverflow.com CAA 0 issue "pki.goog; cansignhttpexchanges=yes" ttl=(1->300) id=10e2fe16d68347c9fa270b7648eb499c
#23: ± MODIFY-TTL stackoverflow.com CAA 0 issue "sectigo.com" ttl=(1->300) id=796346a05ebe0001883485f7088cc610
#24: ± MODIFY-TTL stackoverflow.com CAA 0 issuewild "digicert.com" ttl=(1->300) id=75c1850f44128ecc19659b260ce29256
#25: ± MODIFY-TTL stackoverflow.com CAA 0 issuewild "digicert.com; cansignhttpexchanges=yes" ttl=(1->300) id=60715cfe9fac82bbd65893e6b1391226
#26: ± MODIFY-TTL stackoverflow.com CAA 0 issuewild "letsencrypt.org" ttl=(1->300) id=f42f4ab4a6a02d4a8ebaac21e70e611d
...

This means that since 2019, the TTL on your MX, TXT, CAA, and other records was lower than you thought (1 second, when you thought it was 5 minutes). Now they will be cached properly.

I'd like to apologize to @patschi who tried to show us the error in our ways in https://github.com/StackExchange/dnscontrol/issues/490 but in our hubris or rush we kept the change. We'll do better in the future!

Best,
Tom

--
Tom Limoncelli (he/him)
SRE TPM, Stack Overflow, Inc.
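The rule change described in the post, worked through as an added example (written for this page; it is not DNSControl's own CLOUDFLAREAPI provider code). The `Record` type, the `buggyTTL`/`fixedTTL` functions and the `example.com` zone are all constructed here to model the post's description: before v4.15.4 every record with TTL 300 was stored at Cloudflare with TTL 1, whereas the intended rule only applies the automatic TTL to proxied A/AAAA/CNAME records. Diffing the two rules over a zone predicts exactly which MODIFY-TTL lines a user will see on the first push after upgrading, which is a useful pre-upgrade check before running `push` against production.

```go
package main

import "fmt"

// Record is a minimal stand-in for a DNS record as a provider sees it.
// Hypothetical type for this example; not DNSControl's RecordConfig.
type Record struct {
	Name    string
	Type    string
	Target  string
	TTL     uint32
	Proxied bool // Cloudflare proxy ("orange cloud") enabled
}

// cloudflareAutoTTL is the TTL Cloudflare reports for proxied records.
// The value 1 is taken from the post's description of the 300 -> 1 rewrite.
const cloudflareAutoTTL uint32 = 1

// isProxiable reports whether a record type can sit behind the Cloudflare proxy.
func isProxiable(rtype string) bool {
	switch rtype {
	case "A", "AAAA", "CNAME":
		return true
	}
	return false
}

// buggyTTL models the behaviour the post describes for releases before v4.15.4:
// proxied records get the automatic TTL, but every other record with TTL 300
// was also rewritten to 1, regardless of its type. (Assumed model, not the
// original code.)
func buggyTTL(r Record) uint32 {
	if isProxiable(r.Type) && r.Proxied {
		return cloudflareAutoTTL
	}
	if r.TTL == 300 {
		return cloudflareAutoTTL
	}
	return r.TTL
}

// fixedTTL applies the intended rule: only proxied A/AAAA/CNAME records get
// the automatic TTL; every other record keeps the TTL the user wrote.
func fixedTTL(r Record) uint32 {
	if isProxiable(r.Type) && r.Proxied {
		return cloudflareAutoTTL
	}
	return r.TTL
}

// Correction is one MODIFY-TTL line the user would see on the first push
// after upgrading: the TTL currently stored (old rule) vs. the desired one.
type Correction struct {
	Record Record
	OldTTL uint32
	NewTTL uint32
}

func (c Correction) String() string {
	return fmt.Sprintf("± MODIFY-TTL %s %s %s ttl=(%d->%d)",
		c.Record.Name, c.Record.Type, c.Record.Target, c.OldTTL, c.NewTTL)
}

// PredictCorrections diffs the two rules over a zone and returns the records
// whose stored TTL differs from what the fixed provider will now want.
func PredictCorrections(zone []Record) []Correction {
	var out []Correction
	for _, r := range zone {
		stored, wanted := buggyTTL(r), fixedTTL(r)
		if stored != wanted {
			out = append(out, Correction{Record: r, OldTTL: stored, NewTTL: wanted})
		}
	}
	return out
}

// SampleZone is a constructed example.com zone used to exercise the rules.
var SampleZone = []Record{
	{"example.com", "A", "192.0.2.10", 300, true},          // proxied: auto TTL under both rules
	{"www.example.com", "CNAME", "example.com.", 300, true}, // proxied: auto TTL under both rules
	{"origin.example.com", "A", "192.0.2.20", 300, false},  // unproxied A: wrongly set to 1 before
	{"example.com", "MX", "10 mail.example.com.", 300, false},
	{"example.com", "TXT", "\"v=spf1 -all\"", 300, false},
	{"example.com", "CAA", "0 issue \"letsencrypt.org\"", 300, false},
	{"example.com", "TXT", "\"long-lived\"", 3600, false}, // TTL was never 300, so untouched
}

func main() {
	cs := PredictCorrections(SampleZone)
	fmt.Printf("%d corrections expected on first push after upgrade\n", len(cs))
	for i, c := range cs {
		fmt.Printf("#%d: %s\n", i+1, c)
	}
}
```

Running it lists four corrections (the unproxied A, the MX, the SPF TXT and the CAA record), all `ttl=(1->300)`, and none for the proxied records or the 3600-second TXT, which matches the shape of the output in the post: only non-proxied records whose configured TTL was 300 change.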