
Document CAA record when using CNAME alias #54715

Closed
dimaqq opened this issue May 13, 2020 · 9 comments

Comments

@dimaqq

dimaqq commented May 13, 2020

I have an Azure CDN profile and the CDN endpoint set up.
It has a custom domain with HTTPS and a "CDN managed" certificate.
The domain record is external (AWS Route 53), where a CNAME alias is set to point to the Azure CDN endpoint.

As far as I understand, the CAA record in such a setup cannot be issued on my custom domain; rather, it should be issued on the CDN endpoint hostname.

There's nothing in the docs about this.

Also, it would be neat if, when a "CDN managed" certificate is validated using a CNAME record, Azure also issued the CAA record for the certificate it issues.



@SadiqhAhmed-MSFT
Contributor

@dimaqq Thanks for the feedback. We are looking into this and will get back to you shortly.

@TravisCragg-MSFT
Member

@dimaqq do you have a support request or additional info to go along with this? There is a note in this doc that speaks of the CAA requirements for this to work.

@dimaqq
Author

dimaqq commented May 14, 2020

The doc mentions CAA record in a different context: a pre-existing CAA record.

I feel that the doc may not be fully correct: if there's a public.com CNAME ... record, then a public.com CAA ... record should be irrelevant... though I'm not entirely sure about what takes precedence during an obsolete record's TTL 🤷

@TravisCragg-MSFT
Member

@dimaqq Have you tried adding digicert as a CA via a CAA record with Route 53?

@dimaqq
Author

dimaqq commented May 14, 2020

Route 53 rightfully disallows having both a CNAME and a CAA record for the same domain.

Reference: https://serverfault.com/a/885955

@dimaqq
Author

dimaqq commented May 14, 2020

More tech details: https://cabforum.org/2017/09/27/ballot-214-caa-discovery-cname-errata/

In short, if I alias my.web.site via CNAME to mymy.azureedge.net then the CAA record resolution will be:

  1. my.web.site not attempted because there's CNAME
  2. mymy.azureedge.net attempted, failing that
  3. web.site attempted, failing that
  4. site attempted

So there are 2 ways to set CAA:

  • Azure CDN managed certificate thingy can set it for mymy.azureedge.net (precise)
  • I could set it for parent of aliased domain web.site (crude)
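The lookup order listed in this comment (alias target first, then the parents of the original name) can be checked against a toy zone. The following is an added example, not code from this thread, from Azure or from Route 53: it models the CAA discovery walk for an aliased hostname over a constructed in-memory zone (no live DNS), using the names `my.web.site`, `mymy.azureedge.net` and `digicert.com` from the thread. The function names, the zone layout and the scenarios are assumptions made for the illustration; it also shows why a name that owns a CNAME cannot own a CAA record at the same time, which is the rule Route 53 enforces.

```python
"""Walk CAA discovery for an aliased hostname in the order described above:
the CNAME target is consulted first, then the parents of the ORIGINAL name.
All DNS data here is a constructed in-memory zone, not a live query."""
from typing import Dict, List, Optional, Tuple

# A CAA record in presentation form: (flags, tag, value), e.g. (0, "issue", "digicert.com").
CAARecord = Tuple[int, str, str]
# Zone shape (assumed for this example): owner name -> {"CNAME": target} or {"CAA": [records]}.
Zone = Dict[str, Dict[str, object]]


def zone_is_valid(zone: Zone) -> bool:
    """A name that owns a CNAME may own no other data (RFC 1034 section 3.6.2).
    This is the rule behind Route 53 refusing CNAME + CAA at the same name."""
    return all(not ("CNAME" in rrs and len(rrs) > 1) for rrs in zone.values())


def canonical_name(zone: Zone, name: str, max_hops: int = 8) -> str:
    """Follow the CNAME chain the way a resolver does when asked for CAA at `name`."""
    hops = 0
    while "CNAME" in zone.get(name, {}):
        name = str(zone[name]["CNAME"])
        hops += 1
        if hops > max_hops:
            raise ValueError("CNAME chain too long or looping")
    return name


def parent(name: str) -> Optional[str]:
    """DNS label immediately above `name`, or None at a top-level label."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def relevant_caa(zone: Zone, name: str) -> Tuple[List[CAARecord], List[str]]:
    """Return (records, trail): the first non-empty CAA set found and every owner name
    whose CAA set was actually consulted, in order. A name holding a CNAME never
    appears in the trail, because its alias target is queried in its place."""
    trail: List[str] = []
    current: Optional[str] = name
    while current:
        target = canonical_name(zone, current)
        trail.append(target)
        records = zone.get(target, {}).get("CAA") or []
        if records:
            return list(records), trail  # type: ignore[arg-type]
        current = parent(current)  # climb the original name, not the alias target
    return [], trail


def issuance_allowed(records: List[CAARecord], ca_domain: str) -> bool:
    """'issue' semantics only: an empty relevant set means any CA may issue; otherwise
    only the listed CA domains may (parameters after ';' are ignored, comparison is
    case-insensitive). Other tags (iodef, issuewild) are deliberately not modelled."""
    issuers = [value.split(";")[0].strip().lower()
               for _flags, tag, value in records if tag == "issue"]
    if not issuers:
        return True
    return ca_domain.lower() in issuers


def example_zone(cdn_caa: Optional[List[CAARecord]] = None,
                 parent_caa: Optional[List[CAARecord]] = None) -> Zone:
    """Constructed zone for the setup in the thread: my.web.site aliased to the CDN endpoint."""
    zone: Zone = {"my.web.site": {"CNAME": "mymy.azureedge.net"}}
    if cdn_caa:
        zone["mymy.azureedge.net"] = {"CAA": cdn_caa}   # the "precise" placement
    if parent_caa:
        zone["web.site"] = {"CAA": parent_caa}          # the "crude" placement
    return zone


if __name__ == "__main__":
    digicert = [(0, "issue", "digicert.com")]
    scenarios = [("no CAA anywhere", example_zone()),
                 ("precise: CAA on the CDN endpoint", example_zone(cdn_caa=digicert)),
                 ("crude: CAA on the parent web.site", example_zone(parent_caa=digicert))]
    for label, zone in scenarios:
        records, trail = relevant_caa(zone, "my.web.site")
        print(f"{label}: consulted {trail} -> {records or 'empty'}; "
              f"digicert may issue: {issuance_allowed(records, 'digicert.com')}")
```

The trail for the empty zone is exactly the list above: `mymy.azureedge.net`, then `web.site`, then `site`; `my.web.site` itself is never consulted because it holds the CNAME. With a CAA record at the CDN endpoint the walk stops after one query, whereas a record at `web.site` is only reached after the endpoint comes back empty, and it also governs every other name under `web.site` that has no CAA of its own.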

@asudbring
Contributor

Assigning to PM for review

#reassign:@amitsriva

@duongau
Contributor

duongau commented Sep 9, 2021

#reassign: gunjanj

@PRMerger18 PRMerger18 assigned gunjanj and unassigned amitsriva Sep 9, 2021
@duongau
Contributor

duongau commented Mar 14, 2023

Thank you for your dedication to our documentation.

Unfortunately, we have been unable to review this issue in a timely manner. We sincerely apologize for the delayed response. We are closing this issue. If you feel that the problem persists, please respond to this issue with additional information.

Please continue to provide feedback about the documentation. We appreciate your contributions to our community.

#please-close


8 participants