I have a white-label, cloud-based product that customers CNAME a domain onto. Historically we have only had a reason to run this on subdomains, but a new feature set in development now makes it attractive to run on the registered/apex domain.
I would prefer to not use A records for this and utilize CNAME/ALIAS/ANAME instead.
I searched the forum for these terms, and a few topics popped up, but the "flattening" seemed to be incidental and not the cause of the Subscriber's problems.
Does this sound correct? Does anyone know of issues I should be on the lookout for? If so, are they specific to any given provider or implementation?
Thanks! I am familiar with those Cloudflare docs. I've utilized CNAME flattening a bit in the past, but never layered with the HTTP-01 challenge (e.g. grabbing a cert via DNS-01 for static sites using Amazon S3 buckets).
Thanks! I totally forgot about that while writing the above, and well, wonderful! Our system does not currently support TLS-ALPN-01, and I don't want to waste resources on it. This gives me some ammo to decline requests!
CNAME Flattening and similarly named features from other providers are not visible to DNS clients. All that is usually returned are standard A or AAAA records. Keep in mind, this also means you retain control over the CAA records that would be queried from the apex unlike a CNAME which would delegate control over all record types.
It's basically cheating the limitation in the DNS specs on the DNS provider side. The provider does a direct lookup of the target FQDN (and presumably caches the result for the appropriate TTL) and responds authoritatively to the querying client with the A/AAAA records as necessary.
They're also useful outside of apex records when you want to, for example, delegate the A/AAAA responses, but keep local authority over other record types (TXT, MX, CAA, etc).
As there are no standards on this, and it is "cheating the limitation in the DNS specs on the DNS provider side" as you perfectly stated, I'm worried about how the implementation details of any one provider accomplishing this might cause issues.
In my experience so far, the implementation details vary mostly around failure cases such as how the DNS server responds when it can't get a valid response from the target FQDN and doesn't already have a previously cached value. It can range from NXDOMAIN, SERVFAIL, or empty NOERROR responses to even query timeouts. Even if it does have a previously cached value but the TTL has expired, I suspect there are differences around whether it will return the last known value or one of the error responses. But none of the providers I've seen have any sort of low level control over those choices.
That's great insight! Thanks. It reads like standard ephemeral failures.
We currently require clients to CNAME a DNS-01 record onto our acme-dns instance. I was debating dropping that requirement, but I'm inclined to keep it as a backup. We require this to "prime" our system before anything goes live; we obtain the certificate in advance of the client CNAME'ing a domain onto the Application Server and notify them when the platform is ready.
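As an added example (not code from this thread, from Cloudflare, Route53, or acme-dns), the Python toy below models the three behaviours discussed in the replies above: an ALIAS/ANAME at the apex is expanded into the target's A/AAAA while CAA and MX at the same name stay locally authoritative, a plain CNAME is returned for every query type, and the provider's answer when the target cannot be resolved is selectable (SERVFAIL, NXDOMAIN, empty NOERROR, or serve-stale) so the failure-case differences can be seen side by side. It also chases the `_acme-challenge` CNAME into an acme-dns style zone the way a CA validating DNS-01 would. All names, addresses, the TTL and the TXT token are constructed for the example; the `policy` switch is a modelling device, not a setting any real provider exposes.

```python
import time

# Constructed sample zones (hypothetical names). customer.example is a tenant's
# apex, app.vendor.example the white-label platform, acme-dns.vendor.example the
# vendor's acme-dns instance. Key: (owner name, type) -> list of rdata.
CUSTOMER_ZONE = {
    ("customer.example", "ALIAS"): ["app.vendor.example"],
    ("customer.example", "CAA"): ['0 issue "letsencrypt.org"'],
    ("customer.example", "MX"): ["10 mail.customer.example"],
    ("www.customer.example", "CNAME"): ["app.vendor.example"],
    ("_acme-challenge.customer.example", "CNAME"): ["a1b2c3d4.acme-dns.vendor.example"],
}
VENDOR_ZONE = {
    ("app.vendor.example", "A"): ["192.0.2.10"],
    ("app.vendor.example", "AAAA"): ["2001:db8::10"],
    ("a1b2c3d4.acme-dns.vendor.example", "TXT"): ["dns01-token-value"],
}
VENDOR_TTL = 60  # seconds the provider would cache the flattened target for


class ExternalResolver:
    """Stands in for the provider's outbound lookup of the ALIAS target."""
    def __init__(self, zone):
        self.zone, self.down = zone, False

    def lookup(self, name, rtype):
        if self.down or (name, rtype) not in self.zone:
            raise LookupError(f"cannot resolve {name}/{rtype}")
        return list(self.zone[(name, rtype)]), VENDOR_TTL


class FlatteningServer:
    """Authoritative server for one zone. An ALIAS is expanded into the target's
    A/AAAA per query (cached for the target's TTL); any other type at that owner
    is answered from local data, so CAA/MX/TXT stay under the zone owner's
    control. A plain CNAME is returned for every query type."""
    POLICIES = ("SERVFAIL", "NXDOMAIN", "NODATA", "STALE")  # modelling switch only

    def __init__(self, zone, external, policy="SERVFAIL", clock=time.time):
        assert policy in self.POLICIES, policy
        self.zone, self.external, self.policy, self.clock = zone, external, policy, clock
        self.cache = {}  # (target, type) -> (rdata, expiry timestamp)

    def query(self, name, rtype):
        """Return (rcode, [(type, rdata), ...]) as an authoritative answer would."""
        if (name, "CNAME") in self.zone:      # a CNAME answers for every type
            return "NOERROR", [("CNAME", t) for t in self.zone[(name, "CNAME")]]
        if (name, rtype) in self.zone:        # local authority (CAA, MX, ...)
            return "NOERROR", [(rtype, r) for r in self.zone[(name, rtype)]]
        if (name, "ALIAS") in self.zone and rtype in ("A", "AAAA"):
            return self._flatten(self.zone[(name, "ALIAS")][0], rtype)
        exists = any(owner == name for owner, _ in self.zone)
        return ("NOERROR", []) if exists else ("NXDOMAIN", [])  # NODATA vs NXDOMAIN

    def _flatten(self, target, rtype):
        key, now = (target, rtype), self.clock()
        cached = self.cache.get(key)
        if cached and cached[1] > now:                    # fresh cache hit
            return "NOERROR", [(rtype, r) for r in cached[0]]
        try:
            rdata, ttl = self.external.lookup(target, rtype)
        except LookupError:
            # No fresh answer available: this is where providers diverge.
            if self.policy == "STALE" and cached:          # serve last known value
                return "NOERROR", [(rtype, r) for r in cached[0]]
            if self.policy == "NODATA":                    # empty NOERROR
                return "NOERROR", []
            return ("NXDOMAIN" if self.policy == "NXDOMAIN" else "SERVFAIL"), []
        self.cache[key] = (rdata, now + ttl)
        return "NOERROR", [(rtype, r) for r in rdata]


def resolve(server, external, name, rtype, max_hops=8):
    """Client view: ask the customer's server and chase CNAMEs into the vendor's
    zone, as a CA validating DNS-01 would. A flattened apex comes back as plain
    A/AAAA, so nothing is chased for it."""
    rcode, answers = server.query(name, rtype)
    for _ in range(max_hops):
        if rcode != "NOERROR" or not answers or answers[0][0] != "CNAME":
            return rcode, [rdata for _, rdata in answers]
        try:  # simplification: CNAME targets live only in the vendor's zone
            rdata, _ttl = external.lookup(answers[0][1], rtype)
        except LookupError:
            return "NXDOMAIN", []
        answers = [(rtype, r) for r in rdata]
    return "SERVFAIL", []


if __name__ == "__main__":
    ext = ExternalResolver(VENDOR_ZONE)
    srv = FlatteningServer(CUSTOMER_ZONE, ext, policy="STALE")
    for q in (("customer.example", "A"), ("customer.example", "CAA"),
              ("www.customer.example", "CAA")):
        print(q, srv.query(*q))
    print("DNS-01:", resolve(srv, ext, "_acme-challenge.customer.example", "TXT"))
    ext.down = True  # cached answer still served until the TTL runs out
    print("upstream down:", srv.query("customer.example", "A"))
```

Against a live provider the equivalent check is `dig customer.example A`, which should show only A records in the answer section and no CNAME, and `dig customer.example CAA`, which should be answered from the zone itself rather than following anything; what you see when the target is unreachable is the part no provider lets you configure, so it is worth testing during the "priming" step rather than discovering it in production.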
As an example of my earlier comment ... Route53 only allows Alias to AWS services.
I vaguely recall restrictions with Cloudflare flattening beyond its borders as well, but that may be only on free accounts. Not that sure of that.
As long as you don't mind people using A/AAAA records on their apex to you, it won't matter. But, it sounded like you very much wanted to avoid that. At least, that's how I read your post.
They enabled Alias onto foreign DNS a while back, because the Cloudflare product was too much of an advantage.
Maybe this is for recursive CNAMEs when the targets are not within Cloudflare? Free accounts will definitely flatten an apex record that is pointed to an external A record. I know that paid accounts are required to enable automatic flattening of all CNAMEs.
Route53 will also charge 1x-2x for alias expansion. You get a second charge if it requires a second DNS lookup on their system, but it's waived if it's going to certain Amazon resources.
Huh, I even checked the docs before posting and it didn't mention that. Or perhaps I mis-read. Anyway, good to know.
Edit: I also don't see an Alias option in my Route53 panel for foreign DNS. And, I can't make a CNAME for the apex. Oh well. Not something I need atm anyway
Must be brain-cramping. I don't see the option for foreign CNAME in Alias record. And, I couldn't see how I could set it on the Route53 control panel either. You can do things in the same hosted zone.
Here's the top section of that doc link you provided. I don't see a foreign CNAME as a valid target for Alias:
Resources that you can redirect queries to
Alias records
An alias record can only redirect queries to selected AWS resources, including but not limited to the following: