Some CDNs allow their customers to bring in their own DNS. Some do not provide DNS service at all, requiring every customer to bring in their own DNS.
The customer's DNS will have a zone definition like the following:
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.
example.com. IN A 192.0.2.1 # CDN's IP address
The NS records point to the authoritative servers run by the customer (or to the DNS service provider that the customer uses).
The A record designates the IP address of the CDN.
CNAME cannot be used here, because example.com is an APEX record.
The reason behind the prohibition is that CNAME is not type-specific; setting a CNAME for example.com will incorrectly delegate the NS records to the CDN's DNS server as well.
The prerequisite of this type of configuration is that the CDN's IP address is constant regardless of the time or the location of the client. That is why this approach is typically found in CDNs that use BGP to route the requests.
We want to add an ESNI record to the zone.
Assuming that no prefix is used, the zone file will look like the following.
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.
example.com. IN A 192.0.2.1 # CDN's IP address
example.com. IN ESNI ... # CDN's ESNI record
For the reasons described, the ESNI record cannot be delegated to the CDN's DNS server. However, unlike an A record, an ESNI record cannot be constant: it contains a public key that needs to be rotated.
Customers will be requested to update the ESNI record every time the CDN rotates the key.
This is not only an operational burden, but also significantly raises the risk of the published keys and the keys being accepted becoming out of sync.
The issue can be resolved by adding a prefix.
In the example below, the ESNI key for example.com is published as _esni.example.com.
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.
example.com. IN A 192.0.2.1 # CDN's IP address
_esni.example.com. IN CNAME _esni.mycdn.example # CNAME to CDN's ESNI record
Since _esni.example.com is not an APEX record, the label can be delegated to the CDN's DNS server, regardless of the Resource Record type.
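As an added illustration of the rule above (this is not code from the original post), here is a small checker that parses simple zone lines, flags any owner name where a CNAME coexists with other record types (the apex problem), and reports whether the _esni label is delegated by CNAME. The zone contents are constructed to mirror the examples in the post.

```python
# Added example: zone checker for the CNAME-at-apex rule and _esni delegation.
from collections import defaultdict

# Constructed sample zones mirroring the post's examples.
ZONE_BAD = """
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.
example.com. IN CNAME cdn.mycdn.example.   ; CNAME at the apex: not allowed
"""

ZONE_GOOD = """
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.
example.com. IN A 192.0.2.1                ; CDN's IP address
_esni.example.com. IN CNAME _esni.mycdn.example. ; delegated to the CDN
"""


def parse_zone(text):
    """Return {owner: {rrtype: [rdata, ...]}} for 'owner IN TYPE rdata' lines.

    Comments starting with ';' (standard) or '#' (as used in the post) are dropped.
    """
    records = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        owner, _cls, rrtype, rdata = line.split(None, 3)
        records[owner.lower()][rrtype.upper()].append(rdata.strip())
    return records


def cname_conflicts(records):
    """Owner names where a CNAME coexists with other types (RFC 1034 forbids this).

    The apex always owns NS (and usually SOA) records, so a CNAME there is always a conflict.
    """
    return sorted(owner for owner, types in records.items()
                  if "CNAME" in types and len(types) > 1)


def esni_delegation(records, name):
    """Target of the _esni.<name> CNAME, or None if the ESNI label is not delegated."""
    targets = records.get("_esni." + name.lower(), {}).get("CNAME", [])
    return targets[0] if targets else None
```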