Domain Verification CNAME Questions

What will this do?

The ability to create a new DNS record for your domain "proves" in a practical (if not perhaps absolute) way that you control the domain and are authorized to make changes to the DNS records attached to the domain.

It doesn't make a difference to the WAF setup process, but while you're making these DNS changes it is a good time to verify that you're taking advantage of all the security features that your DNS provider offers such as Two-Factor Authentication, Domain Locking, confirmations, etc.

Will this affect my production site?

Adding the DNS record required to verify your domain will not affect your production site in any way. It does not re-route traffic, nor does it modify your production configuration.

Why does the DNS subdomain for this look so weird?

Most DNS records affect the subdomain (the 'www' part of 'www.example.com'), and are typically short and human-readable because they are used constantly.

The DNS verification subdomain is generated so that it does not conflict with any of your existing subdomains, is readable by our domain verification applications, and is not easily guessable for security purposes. Despite all of that, it is functionally no different from having a subdomain record like 'yes-this-is-my-domain.example.com'.

What are some common mistakes people make?

The two most common mistakes people make are:

1. Double adding the subdomain. 

Despite being long and 'weird' looking, the subdomain entry is conceptually similar to adding 'www' in your DNS setup. Because of its length, and because DNS record interfaces can be confusing, it is very easy to accidentally "double" up the entry when pasting it in.

This will leave you with a record of:

_F5046DC145DBC06B4C733C7BD0AD001A.example.com.example.com

instead of

_F5046DC145DBC06B4C733C7BD0AD001A.example.com

2. Choosing the wrong record type.

The domain verification record needs to be a CNAME DNS record type. 
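One way to check for both mistakes before asking for verification to be retried, as an added example that is not code from this help page or its vendor. It assumes you can export your records as zone-file-style lines ("name TTL IN TYPE value"); the function names and the CNAME target are hypothetical placeholders.

```python
# Added example. Record lines and the CNAME target are constructed sample data.
ZONE = "example.com"
VERIFY_NAME = "_F5046DC145DBC06B4C733C7BD0AD001A.example.com"  # name from the page
TARGET = "verify.waf-vendor.invalid"  # placeholder; use the value you were issued

def norm(name):
    """DNS names are case-insensitive; ignore the trailing root dot."""
    return name.strip().rstrip(".").lower()

def parse_records(text):
    """Parse 'name TTL IN TYPE value' lines into (name, type, value) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # blank line or zone-file comment
            continue
        fields = line.split(None, 4)
        if len(fields) != 5 or fields[2].upper() != "IN":
            raise ValueError(f"unrecognised record line: {line!r}")
        records.append((norm(fields[0]), fields[3].upper(), fields[4]))
    return records

def diagnose(text, verify_name=VERIFY_NAME, zone=ZONE, target=TARGET):
    """Return (status, detail) describing the verification record."""
    records = parse_records(text)
    want = norm(verify_name)
    doubled = f"{want}.{norm(zone)}"  # mistake 1: zone appended a second time
    at_want = [r for r in records if r[0] == want]
    cnames = [r for r in at_want if r[1] == "CNAME"]
    if cnames:
        ok = norm(cnames[0][2]) == norm(target)
        return ("ok", want) if ok else ("wrong_target", cnames[0][2])
    if at_want:  # mistake 2: right name, wrong record type
        return ("wrong_type", at_want[0][1])
    if any(r[0] == doubled for r in records):
        return ("doubled_name", doubled)
    return ("missing", want)

GOOD = f"{VERIFY_NAME}. 300 IN CNAME {TARGET}."
DOUBLED = f"{VERIFY_NAME}.{ZONE}. 300 IN CNAME {TARGET}."
WRONG_TYPE = f'{VERIFY_NAME}. 300 IN TXT "{TARGET}"'

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("doubled", DOUBLED), ("txt", WRONG_TYPE)):
        print(label, diagnose(sample))
```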

Why does my DNS provider have different names for these things?

There is, unfortunately, no agreed-upon terminology for the part of a DNS record that clients (like web browsers) look up and the part that is returned/resolved by a DNS service.

As an example, here are three popular services and how they refer to these on their sites.

SERVICE     SUBDOMAIN   VALUE
DNSimple    Name        Content
Namecheap   Host        Value
Hover       Hostname    Targetname

How long do I need to keep this DNS record around?

After your WAF is set up you can safely delete the record as it is no longer needed. There is no real harm in leaving it up, but to prevent later confusion we recommend removing it.
