Clarify purpose of domain validation DNS records (A and TXT)

[jephlu]

Hello,

On DNS record for domain validation, can you precise the purpose of the 2 record, the A and the TXT ?

Here they are presented as a requirement :

Later it CNAME is not required

My understanding / proposal :

• CNAME record : mainly, traffic routing. It can be used for custom domain validation, only if the app service is the target. In case of an app gateway, WAF, or other front-end layer before the app service, target the appropriate asset.
• TXT record : validate the custom domain. For security, this record must remain after validation, to prevent subdomain takeover with dangling DNS entry (as per https://learn.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover). Additionally, during an application migration, the TXT record allows custom domain verification before traffic failover.

Best practice :

• use the TXT record to validate the domain, and maintain it registered in DNS zone for all the lifecycle of the application. Delete it only if the CNAME record is deleted.
• use the CNAME record to route trafic to your app service, or other front-end layer.

What do you think ?

Jean-Philippe

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: 224b73dd-c59d-a833-0d4d-a778af6086a9
• Version Independent ID: c6b167c9-9589-45d0-ee6a-7a47a4aec41e
• Content: Map existing custom DNS name - Azure App Service
• Content Source: articles/app-service/app-service-web-tutorial-custom-domain.md
• Service: app-service
• GitHub Login: @msangapu-msft
• Microsoft Alias: msangapu

[RyanHill-MSFT]

Thanks for the feedback! We are currently investigating and will update you shortly.

[RyanHill-MSFT]

@jephlu I see where the confusion came in @jephlu. You are correct in your first bullet, however, you don't believe you need to delete it if the CNAME is deleted. You will need to delete/update it when certificate renewal takes place. Both the A record and CNAME will route traffic, but it's recommended to use a CNAME as the inbound IP address could change due to infrastructure changes.

Nonetheless, I've assigned this issue to the content author for further review.

[jephlu]

Sorry, I mistaken A / CNAME records. My issue is not totally clear.

Completely agree that CNAME is the best option to route traffic.

A record can be used to route also (but was not the point of my issue at all as my point is about custom domain validation).

I just want to make clear that :

• CNAME or TXT work fine to validate a custom domain, independently,
• CNAME also impacts app trafic,
• TXT does not impact the trafic, and improve security.

I have a customer that said to me that both are needed together (because it is marked in the doc and the azure portal, it is interpreted as a and) I demonstrated him that the process of custom domain validation works fine with the TXT record only, but he stays confident in the doc.

Last point, for the deletion of the TXT record. It can be done safely when the CNAME record is deleted, because the TXT protects it from being overtaken on another subscription by a rogue app service (in case the original app service was destroyed but not the CNAME)

Thanks!

[msangapu-msft]

We've added this to our backlog to review and update as needed. #please-close