Hi Team, We are encountering an issue in our domain for creating a auto validating certificate. The main issue revolves around the auto-validation of certificates. Here’s a detailed overview of the problem: Current Setup: consider our domain, **xyz.com** , registered with GoDaddy. We have a frontend named **myfe.xyz.com** . A DNS Zone is created, and the NS record is updated in GoDaddy to route traffic from Azure to GoDaddy. Problem: We have NS records for our subdomain in both GoDaddy and Azure. Due to this setup, we can't create a CName record on both ends unless we map the CName to the Front Door endpoint. Without this CName mapping, the certificate does not auto-renew. Comparison with AWS: AWS provides an option to choose between auto-renewal and manual renewal while creating a certificate. However, this option seems to be missing in Azure, or I might be missing the correct steps to achieve this. Request for Assistance: Can anyone advise on how we can set up the auto-renewal of certificates in Azure given our current setup? Specifically, we need guidance on the correct process for creating and managing certificates with auto-renewal in Azure, considering the limitations we are facing with CName records and NS records.

Hello @Varun Deepak Jagadeesh (Nallas) , Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well. As per Azure Front Door document , Azure Front Door (Standard and Premium) managed certificates are automatically rotated if the domain CNAME record points directly to a Front Door endpoint or points indirectly to a Traffic Manager endpoint. Otherwise, you need to re-validate the domain ownership to rotate the certificates. Have you delegated your domain to Azure as mentioned in the below tutorials? Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-add-custom-domain#prerequisites https://learn.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns Could you also confirm if you are trying to create a CNAME for a subdomain or an apex/root domain? Apex domains are at the root of a DNS zone and don't contain subdomains. For example, contoso.com is an apex domain. Azure Front Door supports adding apex domains when you use Azure DNS. Refer: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-how-to-onboard-apex-domain?pivots=front-door-standard-premium Regards, Gita

How to add cname record into a subdomain at DNS zone in Azure

Varun Deepak Jagadeesh (Nallas) 0

Hi Team,

We are encountering an issue in our domain for creating a auto validating certificate. The main issue revolves around the auto-validation of certificates.

Here’s a detailed overview of the problem:

Current Setup:
- consider our domain, **xyz.com**, registered with GoDaddy.
- We have a frontend named **myfe.xyz.com**.
- A DNS Zone is created, and the NS record is updated in GoDaddy to route traffic from Azure to GoDaddy.
Problem:
- We have NS records for our subdomain in both GoDaddy and Azure.
- Due to this setup, we can't create a CName record on both ends unless we map the CName to the Front Door endpoint.
- Without this CName mapping, the certificate does not auto-renew.
Comparison with AWS:
- AWS provides an option to choose between auto-renewal and manual renewal while creating a certificate. However, this option seems to be missing in Azure, or I might be missing the correct steps to achieve this.

Request for Assistance:

Can anyone advise on how we can set up the auto-renewal of certificates in Azure given our current setup? Specifically, we need guidance on the correct process for creating and managing certificates with auto-renewal in Azure, considering the limitations we are facing with CName records and NS records.

GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee

2024-05-29T10:12:20.36+00:00

@Varun Deepak Jagadeesh (Nallas) , could you please provide an update on this post?
GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee

2024-05-30T12:47:42.5833333+00:00

@Varun Deepak Jagadeesh (Nallas) , could you please provide the above requested detail for further discussion on this issue?

1 answer

GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee

2024-05-27T09:29:21.41+00:00

Hello @Varun Deepak Jagadeesh (Nallas) ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

As per Azure Front Door document,

Azure Front Door (Standard and Premium) managed certificates are automatically rotated if the domain CNAME record points directly to a Front Door endpoint or points indirectly to a Traffic Manager endpoint. Otherwise, you need to re-validate the domain ownership to rotate the certificates.

Have you delegated your domain to Azure as mentioned in the below tutorials?

Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-add-custom-domain#prerequisites

https://learn.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns

Could you also confirm if you are trying to create a CNAME for a subdomain or an apex/root domain?

Apex domains are at the root of a DNS zone and don't contain subdomains. For example, contoso.com is an apex domain. Azure Front Door supports adding apex domains when you use Azure DNS.

Refer: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-how-to-onboard-apex-domain?pivots=front-door-standard-premium

Regards,

Gita
Please sign in to rate this answer.

1 person found this answer helpful.
Varun Deepak Jagadeesh (Nallas) 0 Reputation points

2024-05-29T10:51:25.19+00:00

Hi @GitaraniSharma-MSFT ,

Thank you for your assistance. However, the document you shared shows the same information: we need to have a CNAME pointing to the specific endpoint. We can do this if we don't have an NS record created for the domain.

Consider my parent zone as contoso.com and my custom domain as child.contoso.com. In this case, I can create a CNAME for child.contoso.com without creating a child zone.

Now, consider my parent zone as contoso.com, which I have with GoDaddy, and my child zone as child.contoso.com, which I need to create in Azure. When I create a DNS record in Azure, it will generate an NS record for my child domain (child.contoso.com). I also need to create a child record in GoDaddy with the NS record created in Azure to route the traffic.

In this case, If i try to create a certificate for my child zone. Due to the above-mentioned scenario, I can't create a CNAME in both GoDaddy and Azure because it will say record for the same name is already created. Therefore, we need to create an A record to validate the certificate, which will not help in auto-validation.

I think I have explained the scenario in brief. Let me know if you need more details to understand.

Thanks,
VarunDeepak J

GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee

2024-05-29T13:25:46.8133333+00:00

@Varun Deepak Jagadeesh (Nallas) , If you have a DNS zone "child.contoso.com" in Azure which is already delegated using the NS records, then you can directly manage the DNS records in Azure. You don't have to create CNAME record in GoDaddy anymore.

Once a domain is delegated to Azure, you only need to create records in Azure.

Refer: https://learn.microsoft.com/en-us/azure/dns/dns-domain-delegation

https://learn.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns

In the prerequisites section of "Configure a custom domain on Azure Front Door" document, you can find the below:

If you look at step 3 of "Associate the custom domain with your Azure Front Door endpoint", it says:

So, could you please clarify why you are stating that you need to create a CNAME in both GoDaddy and Azure?

Regards,

Gita

Varun Deepak Jagadeesh 0 Reputation points

2024-05-30T13:34:17.3333333+00:00

@GitaraniSharma-MSFT , as you mentioned above "If you have a DNS zone "child.contoso.com" in Azure which is already delegated using the NS records, then you can directly manage the DNS records in Azure. You don't have to create CNAME record in GoDaddy anymore."

If I try to create a CName in "child.contoso.com" it will appear like " .child.contoso.com" it will ask me to enter a some value so i cant create a certificate for that domain.

"Each label must only contain letters, numbers, underscores, and/or dashes. Each label should be separated from other labels by a period. A wildcard ('*' character) is permitted either as the single character in the name, or as the first label in the name. An empty value, or a single '@' character is permitted for record sets at the zone apex (except for CNAME record sets)."

Even in godady i can't create CName because i have NS record over there :-( .

Did i missing something or doing it in a wrong way.

GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee

2024-05-31T08:43:28.25+00:00

@Varun Deepak Jagadeesh (Nallas) , thank you for the details. Now, I understand your setup better and I'm sharing some points below for clarification:

You mentioned - "Now, consider my parent zone as contoso.com, which I have with GoDaddy, and my child zone as child.contoso.com, which I need to create in Azure. When I create a DNS record in Azure, it will generate an NS record for my child domain (child.contoso.com). I also need to create a child record in GoDaddy with the NS record created in Azure to route the traffic." ---> this statement is not correct.

Child DNS zone is created in Azure only when you have an existing parent DNS zone in Azure (already delegated). Refer: https://learn.microsoft.com/en-us/azure/dns/tutorial-public-dns-zones-child

If you only create a DNS zone "child.contoso.com" in Azure, then this is not a child DNS zone but a single DNS zone where "child.contoso.com" itself is treated as the apex/root domain.

And as per the Azure Front Door limitations,

Apex domains don't have a CNAME record pointing to an Azure Front Door endpoint, so the autorotation for managed certificate fails until the domain ownership is revalidated.

Refer: https://learn.microsoft.com/en-us/azure/frontdoor/apex-domain#azure-front-door-managed-tls-certificate-rotation

The CNAME mapping is only possible when "contoso.com" is delegated to Azure and "child.contoso.com" is a CNAME record in the "contoso.com" DNS zone. Then, you can point "child.contoso.com" to the AFD endpoint.

But in your scenario, "child.contoso.com" is the root domain for the created DNS zone, so you cannot have a CNAME record for that same domain. You can only have an alias record created in the Azure DNS zone and use a TXT record to validate the domain.

Refer: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-how-to-onboard-apex-domain?pivots=front-door-standard-premium

https://learn.microsoft.com/en-us/azure/frontdoor/domain#txt-record-validation

And as mentioned previously, Azure Front Door (Standard and Premium) managed certificates are automatically rotated only if the domain CNAME record points directly to a Front Door endpoint.

But due to your setup, you need to re-validate the domain ownership to rotate the certificates.

Your setup seems to be hitting the product limitation.

Regards,

Gita

Varun Deepak Jagadeesh 0 Reputation points

2024-06-03T05:42:01.25+00:00

@GitaraniSharma-MSFT , Thank you for your detailed explanation and the reference link. I appreciate the information provided.

I am curious to know if it is possible to generate a ticket with Azure to request the addition of a feature for adding CName to the root domain. This feature is available in AWS, and we are currently using it.

Is there a specific process to follow to feature requests to the Azure team?

Thank you for your assistance.

KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2024-06-05T10:36:36.78+00:00

@Varun Deepak Jagadeesh (Nallas) ,

Greetings.

You can use Azure Feedback Hub to submit feature requests.

However, I did find an existing feature ask for the same : Azure DNS CNAME flattening.

You can upvote and comment on this so the feature request gets Product Team's attention.

In the meantime, I shall summarize your discussion with @GitaraniSharma-MSFT and post it as an answer.

I would highly appreciate if you could Accept the answer as original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil
Sign in to comment

Share via

How to add cname record into a subdomain at DNS zone in Azure

1 answer