| 18 Oct 2025 |
hexa (signing key rotation when) | all alias records are servfail on some gandi pop reachable from Southern Europe and the Middle East and South America | 19:11:23 |
vcunat | Do we really need ALIAS records in there? | 19:13:58 |
vcunat | Surely there's a solution which works for static A+AAAA? | 19:14:17 |
vcunat | (even if perhaps the first redirect is slightly slower than with an ALIAS) | 19:14:37 |
hexa (signing key rotation when) | netlify does geodns, so the alias record was so that people would get a local pop | 19:16:46 |
hexa (signing key rotation when) | do we need it? no | 19:16:56 |
hexa (signing key rotation when) | is it better than not having it? yes | 19:17:06 |
vcunat | Aah, I thought the normal practice is that you get http-redirected to www. | 19:17:41 |
vcunat | (and there you can have CNAME) | 19:17:49 |
hexa (signing key rotation when) | yeah, ideally | 19:17:56 |
hexa (signing key rotation when) | but that is not the case on nixos.org | 19:18:00 |
vcunat | but I'm somewhat out of touch with the web world. | 19:18:04 |
hexa (signing key rotation when) | and I'm not keen on changing that, because it'll fck with search results, no? | 19:18:13 |
vcunat | I see now. But don't tell me that netlify is relying on ALIAS so heavily. | 19:18:22 |
vcunat | I mean, it's completely unstandardized. | 19:18:28 |
hexa (signing key rotation when) | they only give us a hostname | 19:18:37 |
hexa (signing key rotation when) | no stable IP addresses | 19:18:42 |
hexa (signing key rotation when) | we hosted DNS until earlier this year | 19:19:06 |
hexa (signing key rotation when) | which is how that ✨️ magic ✨️ just worked | 19:19:26 |
hexa (signing key rotation when) | but alas nixos-homepage was using that account with unscoped api tokens and pull_request_target and lol no | 19:20:19 |
vcunat | 🤔 I guess Netlify prefer that you have DNS with them as well. | 19:20:41 |
vcunat | They seem to offer a static IP, but given that we don't redirect...
https://docs.netlify.com/manage/domains/configure-domains/configure-external-dns/#configure-an-apex-domain | 19:20:55 |
vcunat | And I see no option for HTTPS records to salvage at least some clients. | 19:21:22 |
vcunat | Yeah, I don't know. Not great. | 19:21:42 |
hexa (signing key rotation when) | I did recreate the nixos.org origin record a while ago, but that didn't change anything | 19:25:08 |
vcunat | And a ticket at Gandi has been created, surely. | 19:26:32 |
vcunat | (I'm out of ideas for shorter-term mitigations. Static IP would surely make it slow for half of the world, unless we switch to www. redirects which would probably be a larger change.) | 19:31:05 |
vcunat | * (I'm out of ideas for shorter-term mitigations. Static IP would surely make it slow for half of the world, unless we switch to www. redirects which would perhaps be a larger change.) | 19:32:14 |
hexa (signing key rotation when) | 5h ago | 19:33:09 |