I’ve been in this industry for 30-something years and luckily every now and then I still learn something new. As I stepped into the world of blogging, I decided to try out a static website instead of simply using WordPress. I must admit I had a little too much fun discovering how all this stuff actually works: diving into Git CI/CD pipelines, learning Markdown, setting up an Azure static website and combining it all. No worries, over time I will share all I can, but today I’m going to concentrate on name resolution, a.k.a. DNS.

I had a couple of ideas before my site went live: it should be reachable by the apex domain (root domain, michaelwaterman.nl) and by www.michaelwaterman.nl. From an Azure point of view that’s really easy to accomplish. Just go to your static web app, click “Custom Domains” and add the domain names you would like to use. In my experience the domain validation that’s part of the process can take quite a while to finish, so just wait until it’s done. The option “Set default” means it will automatically redirect to that specific URL, cool stuff indeed. I’m using the free version at the time of writing, so I’m “limited” to three domains; for now that’s totally fine.

The Problem: Name resolution

According to the guidance on the Microsoft website, the steps you should take for DNS resolution are twofold:

  • Create a cname record for www.dnsname.suffix
  • Create an alias record for dnsname.suffix

Me being stupid and not reading well enough, I interpreted the first as “Create a cname at the root”. I had a learning moment as the majority of my Azure services broke down very quickly after adding the cname. It’s even listed in the official RFC 1912 documentation not to do that:

Thou shalt not create a cname at thy DNS root level.

Me…

Well, not in the exact same words, but you know what I mean. After removing the cname from the root, everything started working again once the TTL expired, which was only an hour. Did I ever tell you that “being patient” isn’t my forte?

Anyway, after reading more carefully, I learned that there’s this thing called an “ALIAS” or “ANAME” record, specifically designed for this purpose. Once an endpoint queries michaelwaterman.nl, the DNS server “translates” the request into an A record and passes that back to the requester. At least that’s what I’ve read. Funny thing is, in my case it didn’t work, no matter what! I had no issues going to the www of my site; just the query for the apex domain wouldn’t turn up anything. It just said something along the lines of “server not found”.

The solution

It took a while to figure it out, but apparently DNSSEC and an ALIAS (ANAME) record in the same DNS zone aren’t compatible. Funny thing is, I found one blog entry mentioning this and no official documentation whatsoever. So after removing DNSSEC from my DNS zone and waiting for the TTL to expire, it magically started working as expected.
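As an added example (not the post’s or Microsoft’s code), here is a small Python linter over constructed zone-file fragments that flags the two situations described above: a cname sharing the apex with the zone’s SOA/NS records, which RFC 1912 forbids, and an ALIAS/ANAME pseudo-record next to DNSKEY in a signed zone, which is the combination that did not resolve here. The minimal parser, the example.nl zones and the record values are assumptions.

```python
from collections import defaultdict

# Constructed sample zones (not the author's real zone): the first has the apex
# CNAME mistake from the post, the second the ALIAS-plus-DNSSEC combination.
ZONE_APEX_CNAME = """\
$ORIGIN example.nl.
@    3600 IN SOA   ns1.example.nl. hostmaster.example.nl. 1 7200 3600 1209600 3600
@    3600 IN NS    ns1.example.nl.
@    3600 IN CNAME myapp.azurestaticapps.net.  ; the mistake: CNAME at the root
"""
ZONE_ALIAS_DNSSEC = """\
$ORIGIN example.nl.
@    3600 IN SOA   ns1.example.nl. hostmaster.example.nl. 2 7200 3600 1209600 3600
@    3600 IN ALIAS myapp.azurestaticapps.net.  ; provider pseudo-record, not a real RR type
@    3600 IN DNSKEY 257 3 13 PLACEHOLDER-KEY-MATERIAL
"""

def parse_zone(text):
    """Minimal zone parser (hypothetical): one RR per line, optional TTL/class, '@' via $ORIGIN."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        owner, *rest = line.split()  # RR type = first field that is neither a TTL nor a class
        rrtype = next(f for f in rest if not f.isdigit() and f.upper() not in ("IN", "CH", "HS"))
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append((owner.rstrip("."), rrtype.upper()))
    return origin, records

def lint_zone(text):
    """Findings: CNAME sharing an owner with other data (RFC 1912 section 2.4; at the apex SOA/NS guarantee this) and ALIAS/ANAME next to DNSKEY at the apex."""
    origin, records = parse_zone(text)
    by_owner = defaultdict(set)
    for owner, rrtype in records:
        by_owner[owner].add(rrtype)
    findings = []
    for owner, types in sorted(by_owner.items()):
        if "CNAME" in types and len(types) > 1:
            findings.append(f"CNAME at {owner} coexists with {', '.join(sorted(t for t in types if t != 'CNAME'))}")
    apex = by_owner.get(origin, set())
    if apex & {"ALIAS", "ANAME"} and "DNSKEY" in apex:
        findings.append(f"ALIAS/ANAME at {origin} in a DNSSEC-signed zone: the post found this did not resolve")
    return findings
```

Run `lint_zone` over your own exported zone file before enabling a new apex record; an empty list means neither of the two conditions is present.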

As a security-minded person this isn’t really what I want, but at least it works for now. I’ll have to dig a little deeper to see what else I can do. If there’s more info I’ll make sure to post it here.

Stay tuned!
Reference

Set up a custom domain with external providers in Azure Static Web Apps | Microsoft Learn