Domain verification by awverify, or by asuid?

[ishepherd]

Re: Create domain verification record:

Is TXT awverify still the best way to verify?

Could TXT asuid be used instead? (link)

I have sometimes found the awverify way unreliable, I'm wondering if the asuid way is any better or more secure?

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 56baff6e-3653-f1a5-1c9b-dd4d372e2291
• Version Independent ID: e44e3b63-6f49-ef86-0607-2c1a71a86bd0
• Content: Migrate an active DNS name - Azure App Service
• Content Source: articles/app-service/manage-custom-dns-migrate-domain.md
• Service: app-service
• GitHub Login: @cephalin
• Microsoft Alias: cephalin

[AjayKumar-MSFT]

@ishepherd, Thanks for the question! We are taking a look into this and will get back to you soon.

[dcbrown16]

@AjayKumar-MSFT I just tagged you in a Teams thread where we were recently told to use the TXT value from the latest document, i.e. the asuid value not awverify. Please make this change high priority - it's causing confusion.

[AjayKumar-MSFT]

Iain, Apologies for the delay! We have been discussion on this internally with the product team and author, we will review further and make appropriate changes in the document as required. Thanks for your feedback and support.

[ishepherd]

Thanks @AjayKumar-MSFT and @dcbrown16

A colleague today pointed me to this page: https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover#use-azure-app-services-custom-domain-verification

That answers my original question: Use asuid, not awverify, because asuid prevents subdomain takeover attacks.

[AjayKumar-MSFT]

Iain, thanks for the update and sharing the answer. We will work with the author and get the document(s) updated as required for additional clarity. We will close this out, but if you feel you need more information please just let us know.