Trouble adding CNAME record for WAF to a hostname that already has an A record

madprofessor

2/28/23, 6:12 AM

I have a domain (for instance, example.com) that points to certain IP direction (type A record), and DNS system is controlled by my organization. Now, a new web app has been published at news.example.com. As it is located on a cloud service provider, in order to maintain easy access, we requested a new A record on our managed DNS that should be created to point the name news.example.com to the cloud provider-assigned IP address for the host.

after that, we wanted to deploy a WAF in front of the news.example.com website to protect it. The Cloud service provider requires that I create a new CNAME pointing news.example.com to the target string provided by the cloud provider so that traffic gets routed through the WAF first. However, the CNAME record creation process fails because it says there already exists an A record associated.

Example CNAME record:

origin (news.example.com) - this one has already an A record pointing to its IP address.
target: xxx.yyyy.zzz.www. (info provided by Cloud Service Provider)
Type: CNAME

How can approach this problem? What am I missing?

0 + 0

oracle

domain-name-system

linux

Score:0

Server

Nikita Kipriyanov

2/28/23, 7:01 AM

CNAME record can't coexist with other record types, see RFC 1912. The following zone data is incorrect:

@ORIGIN example.com.
www IN A 192.0.2.1
www IN CNAME ccc

As a consequence, it is impossible to add true CNAME record at the apex of the zone. This follows from the fact there always is the SOA record at the apex, and CNAME could not possibly be alone, therefore it is forbidden. (Also there must be at least one NS record, and this case is discussed in the RFC.)

Some cloud providers emulate this "CNAME at the apex" behaviour, but in fact they are doing this using programmatically generated zone, not actually using CNAME, at least, not at the apex.

If you want to add CNAME, you have to remove A record of the same name. There is no other way.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Trouble adding CNAME record for WAF to a hostname that already has an A record

TH: ปัญหาในการเพิ่มระเบียน CNAME สำหรับ WAF ในชื่อโฮสต์ที่มีระเบียน A อยู่แล้ว

RO: Problemă la adăugarea înregistrării CNAME pentru WAF la un nume de gazdă care are deja o înregistrare A

RU: Проблема с добавлением записи CNAME для WAF к имени хоста, у которого уже есть запись A

VI: Sự cố khi thêm bản ghi CNAME cho WAF vào tên máy chủ đã có bản ghi A

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.