# How to troubleshoot TXT record
This guide explains how to check if the expected TXT record is present in a tenant's DNS configuration.
From anywhere in the console, use the `dig` command:
- with the `-t TXT` option, to filter for TXT records only
- with the tenant domain without `www.`

```
$ dig -t TXT example.com
; <<>> DiG 9.10.6 <<>> -t TXT example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41385
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com. IN TXT
;; ANSWER SECTION:
example.com. 300 IN TXT "_globalsign-domain-verification=aaaa123456789bbbb"
;; Query time: 28 msec
;; SERVER: 212.231.6.7#53(212.231.6.7)
;; WHEN: Mon May 04 16:12:42 CEST 2020
;; MSG SIZE rcvd: 207
```

The `ANSWER` section must contain at least one line, with a value starting with `_globalsign-domain-verification=`.
If it is not present, the tenant must place it themselves: Marfeel cannot do it on their behalf.
Beware of typos
If there's a typo on this line (e.g. the first `_` is missing), MarfeelCDN can't be activated.
MarfeelCDN activation cannot proceed while the tenant hasn't added this record to their DNS.
# Handle CAA blocking
This error happens if:
- The tenant has CAA records in its DNS for the tenant domain without `www.`
- Those records don't include `globalsign.com`.
From anywhere in your console, validate the CAA records with `dig -t CAA`:

```
$ dig -t CAA example.com
; <<>> DiG 9.10.6 <<>> CAA example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25101
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com. IN CAA
;; ANSWER SECTION:
example.com. 300 IN CAA 0 issue "digicert.com"
example.com. 300 IN CAA 0 issue "letsencrypt.org"
example.com. 300 IN CAA 0 issuewild "comodoca.com"
example.com. 300 IN CAA 0 issuewild "digicert.com"
example.com. 300 IN CAA 0 issuewild "letsencrypt.org"
example.com. 300 IN CAA 0 issuewild "globalsign.com"
example.com. 300 IN CAA 0 issue "globalsign.com"
example.com. 300 IN CAA 0 issue "comodoca.com"
;; Query time: 154 msec
;; SERVER: 46.6.113.34#53(46.6.113.34)
;; WHEN: Mon May 04 16:31:33 CEST 2020
;; MSG SIZE rcvd: 313
```

If there are any CAA records in the `ANSWER` section, they must include CAA records for `globalsign.com`:

```
example.com. 300 IN CAA 0 issuewild "globalsign.com"
example.com. 300 IN CAA 0 issue "globalsign.com"
```

If they are not present, the tenant should add them.
Updating CAA records on Cloudflare
Cloudflare CDN users can follow the CAA configuration guide to add both records.
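
The TXT and CAA checks described on this page can be scripted so that a missing underscore or a missing `issuewild` record is caught mechanically. This is an added example, not Marfeel's own tooling: the function names `check_txt` and `check_caa` and the sample records are constructed for illustration, and the CAA check applies this page's rule that both `issue` and `issuewild` records for `globalsign.com` must exist once CAA records are present.

```shell
#!/bin/sh
# Added example, not Marfeel tooling. check_txt/check_caa are hypothetical names.
# Both read dig answer lines on stdin (full output or +short), e.g.:
#   dig +short -t TXT example.com | check_txt
#   dig +short -t CAA example.com | check_caa

# Exit 0 only if a TXT string starts with the exact prefix, leading "_" included.
# dig prints TXT strings in double quotes, so the match anchors on the opening quote.
check_txt() {
  grep -Eq '"_globalsign-domain-verification=[^"]+"'
}

# Prints no-caa, ok, or "missing <tags>"; exit 1 when a required record is absent.
# Page rule: once issue/issuewild records exist, both must name globalsign.com.
check_caa() {
  awk '
    /^;/ { next }                      # skip dig comment lines
    {
      for (i = 1; i < NF; i++) {
        tag = tolower($i)
        if (tag != "issue" && tag != "issuewild") continue
        seen = 1
        val = tolower($(i + 1))
        gsub(/"/, "", val); sub(/;.*/, "", val)   # drop quotes and parameters
        if (val == "globalsign.com") ok[tag] = 1
      }
    }
    END {
      if (!seen) { print "no-caa"; exit 0 }
      miss = ""
      if (!ok["issue"]) miss = miss " issue"
      if (!ok["issuewild"]) miss = miss " issuewild"
      if (miss == "") { print "ok"; exit 0 }
      print "missing" miss; exit 1
    }'
}

# Constructed sample answers (not real tenant data).
TXT_TYPO='example.com. 300 IN TXT "globalsign-domain-verification=aaaa123456789bbbb"'
CAA_PARTIAL='0 issue "letsencrypt.org"
0 issue "globalsign.com"'

printf '%s\n' "$TXT_TYPO" | check_txt || echo "TXT: verification record not found"
printf '%s\n' "$CAA_PARTIAL" | check_caa || echo "CAA: tenant must add the records above"
```

A `no-caa` result means no `issue` or `issuewild` records were returned, so there is nothing for the tenant to add.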