cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Frondoor Std/Premium TXT Domain validation lookup via CNAME

matzter
New Contributor

‎Jan 12 2023 08:35 AM

‎Jan 12 2023 08:35 AM

Frondoor Std/Premium TXT Domain validation lookup via CNAME

Hi, I'm not sure if there is a better place to ask my question as there is no frontdoor board in the techcommunity. 
Anyway, my question is about the TXT Domain validation process of frontdoor standard/premium.
I didn't find any hint about the concept of using CNAME records to support the TXT lookup. Does anyone know if this is supported in Azure Frontdoor?

Example:
Frontdoor is looking up the TXT entry "xyz123" on _dnsauth.www.test.com

I create a CNAME record _dnsauth.www.test.com pointing to _dnsauth.www.otherzone.com
I create a TXT record _dnsauth.www.otherzone.com with the content "xyz123".

Before you scream at me, please see https://letsencrypt.org/docs/challenge-types/ where this is supported.

Since Let’s Encrypt follows the DNS standards when looking up TXT records
for DNS-01 validation, you can use CNAME records or NS records to delegate
answering the challenge to other DNS zones.
This can be used to delegate the _acme-challenge subdomain to a validation-specific server or zone.
It can also be used if your DNS provider is slow to update, and you want to delegate to a quicker-updating server.

263 Views
0 Likes
1 Reply
Reply
1 Reply
best response confirmed by matzter (New Contributor)
matzter

‎Jan 12 2023 11:46 AM

‎Jan 12 2023 11:46 AM

Solution

Re: Frondoor Std/Premium TXT Domain validation lookup via CNAME

I can actually answer myself on this, it works indeed.
The way we use this might be interesting for some of you, as in fact it allows you to easily plan and execute a DNS change that is independent from the actual setup.

Example:
With my application that uses frontdoor I deploy a separat DNS zone which is independent of the actual customer DNS. Then I tell the customer to create two CNAME records www.xyz.com and _dnsauth.www.xyz.com which point to www.mydnsrecord.com and _dnsauth.www.mydnsrecord.com. the mydnsrecord.com is the DNS zone I deploy with frontdoor, and create the TXT record for the certificate validation and the CNAME entry for the CDN endpoint. Works fine.
0 Likes
Reply