# How to troubleshoot the TXT record

This guide explains how to check if the expected TXT record is present in a tenant's DNS configuration.

From anywhere in the console, use the dig command:

  • with the -t TXT option, to filter for TXT records only
  • with the tenant domain, without www.

```
$ dig -t TXT example.com
; <<>> DiG 9.10.6 <<>> -t TXT example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41385
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com.			IN	TXT

;; ANSWER SECTION:
example.com.		300	IN	TXT	"_globalsign-domain-verification=aaaa123456789bbbb"

;; Query time: 28 msec
;; SERVER: 212.231.6.7#53(212.231.6.7)
;; WHEN: Mon May 04 16:12:42 CEST 2020
;; MSG SIZE  rcvd: 207
```

The ANSWER section must contain at least one line, with a value starting with _globalsign-domain-verification=.

If it is not present, the tenant must place it themselves: Marfeel cannot do it on their behalf.

Beware of typos

If there's a typo on this line (e.g. the first _ is missing), MarfeelCDN can't be activated.

MarfeelCDN activation cannot proceed while the tenant hasn't added this record to their DNS.

# Handle CAA blocking

This error happens if:

  • The tenant has some CAA records on its DNS
  • Those records don't include globalsign.com.

From anywhere in your console, validate the CAA records with dig -t CAA, using the tenant domain without www.:

```
$ dig -t CAA example.com
; <<>> DiG 9.10.6 <<>> CAA example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25101
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com.			IN	CAA

;; ANSWER SECTION:
example.com.		300	IN	CAA	0 issue "digicert.com"
example.com.		300	IN	CAA	0 issue "letsencrypt.org"
example.com.		300	IN	CAA	0 issuewild "comodoca.com"
example.com.		300	IN	CAA	0 issuewild "digicert.com"
example.com.		300	IN	CAA	0 issuewild "letsencrypt.org"
example.com.		300	IN	CAA	0 issuewild "globalsign.com"
example.com.		300	IN	CAA	0 issue "globalsign.com"
example.com.		300	IN	CAA	0 issue "comodoca.com"

;; Query time: 154 msec
;; SERVER: 46.6.113.34#53(46.6.113.34)
;; WHEN: Mon May 04 16:31:33 CEST 2020
;; MSG SIZE  rcvd: 313
```

If the ANSWER section contains any CAA record, it must also include both CAA records for globalsign.com:

```
example.com.		300	IN	CAA	0 issuewild "globalsign.com"
example.com.		300	IN	CAA	0 issue "globalsign.com"
```

If they are not present, the tenant should add them.
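
Both checks in this guide (the TXT verification record and the CAA rule) can be scripted. The following is an added example, not part of the original guide or of Marfeel's tooling: the function names `check_txt` and `check_caa` are hypothetical, and it assumes input in the form printed by dig's `+short` option (record data only, one record per line).

```shell
#!/bin/sh
# Added example (not Marfeel tooling). Both functions read `dig +short` output on stdin.

# check_txt: 0 = verification record present, 1 = absent,
#            2 = a mistyped variant is present (e.g. leading "_" missing)
check_txt() {
    local line value result=1
    while IFS= read -r line; do
        value=${line#\"}; value=${value%\"}        # drop the surrounding quotes
        case "$value" in
            _globalsign-domain-verification=?*) return 0 ;;
            *globalsign-domain-verification*)   result=2 ;;
        esac
    done
    return "$result"
}

# check_caa: 0 = no CAA records at all, or both globalsign.com records present;
#            1 = CAA records exist but issue and/or issuewild for globalsign.com is missing
check_caa() {
    local flags tag value total=0 issue=0 issuewild=0
    while read -r flags tag value; do
        [ -n "$tag" ] || continue                  # skip blank lines
        total=$((total + 1))
        value=${value#\"}; value=${value%\"}
        [ "$value" = "globalsign.com" ] || continue
        case "$tag" in
            issue)     issue=1 ;;
            issuewild) issuewild=1 ;;
        esac
    done
    [ "$total" -eq 0 ] && return 0
    [ "$issue" -eq 1 ] && [ "$issuewild" -eq 1 ]
}

# Constructed sample: CAA answers that authorise other CAs only.
sample_blocked='0 issue "digicert.com"
0 issuewild "letsencrypt.org"'

if printf '%s\n' "$sample_blocked" | check_caa; then
    echo "CAA: globalsign.com allowed"
else
    echo "CAA: records exist without globalsign.com; tenant must add issue and issuewild"
fi
```

Against a live zone, pipe the real answers in, for example `dig +short -t TXT example.com | check_txt` and `dig +short -t CAA example.com | check_caa`.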

Updating CAA records on Cloudflare

Cloudflare CDN users can follow the CAA configuration guide to add both records.