We are doing SSO integration (SAML) for Dynatrace; however, we are stuck at the first step, i.e. verification of the domain to Dynatrace.
The dilemma is:
We have generated a TXT resource record for our company's domain, but when we ask the DNS team to add that TXT resource record to the DNS configuration, they say "a CNAME is present for that domain, hence we can't add a TXT resource record."
It could be either a CNAME or a TXT record under the DNS configuration, and both can't coexist.
Our DNS team suggests that Dynatrace generate a CNAME record instead of a TXT record, or that Dynatrace do email verification.
Under the Dynatrace UI, I can see that only the TXT record option is available.
Has anyone faced a similar kind of issue and resolved it successfully by any other means?
Kindly suggest and help.
Has anybody faced this issue earlier?
I have never done this validation with Dynatrace, but I am quite used to doing it for TLS certificate validation, including both methods (CNAME & TXT). But, according to the Dynatrace documentation, Dynatrace only supports TXT validation.
From what you tell us, I believe your DNS team is not being cooperative. There can be several entries for CNAME/TXT at the same time, and one domain can definitely have multiple TXT entries. You can check this easily by going to the following link and inserting any "big" domain that you know of:
CNAME cannot coexist with any other record in DNS for a single domain
If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different.
What would be worth testing is to create the TXT record at the target domain the CNAME points to.
Whether this would work depends on whether recursion is available to the verifier and how the verifier logic is implemented with respect to the DNS response.
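To make the RFC 1034 rule quoted above and the "TXT at the CNAME target" test concrete, here is an added example (not code from this thread or from Dynatrace) that models a zone as a plain dictionary, enforces "a CNAME node carries no other data" on every edit, and then runs a TXT-based ownership check two ways: once following the alias as a recursive resolver would, and once insisting on the record at the exact owner name as a strict verifier might. All names, zone contents and the verification token are constructed; the CNAME is placed on a subdomain rather than at the apex, since an apex CNAME would already collide with the SOA/NS data that has to live there.

```python
"""Constructed model of RFC 1034 section 3.6.2 ("if a CNAME RR is present at a
node, no other data should be present") and of what a TXT-based domain verifier
sees at an aliased name.  Added example; zone data and names are made up."""


class ZoneError(ValueError):
    """An edit or lookup violated the CNAME exclusivity rule."""


def normalize(name):
    """Lower-case a name and make it fully qualified (trailing dot)."""
    return name.rstrip(".").lower() + "."


def sample_zone():
    """Constructed zone: owner name -> rrtype -> list of rdata strings."""
    return {
        "example.com.": {"NS": ["ns1.example.com."], "A": ["192.0.2.10"]},
        "sso.example.com.": {"CNAME": ["saas-edge.example.net."]},
        "saas-edge.example.net.": {"A": ["198.51.100.7"]},
    }


def validate_zone(zone):
    """Raise ZoneError if any node has a CNAME next to other data, or more than
    one CNAME; return True when the zone obeys the rule."""
    for owner, rrsets in zone.items():
        if "CNAME" not in rrsets:
            continue
        others = sorted(t for t in rrsets if t != "CNAME")
        if others:
            raise ZoneError(f"{owner}: CNAME cannot coexist with {', '.join(others)}")
        if len(rrsets["CNAME"]) != 1:
            raise ZoneError(f"{owner}: a node may carry only one CNAME")
    return True


def add_record(zone, owner, rrtype, rdata):
    """Add one record the way a careful DNS team would: refuse a TXT (or any
    other type) at an alias, and refuse a CNAME at a node that has data."""
    owner = normalize(owner)
    node = zone.get(owner, {})
    if rrtype == "CNAME" and node:
        raise ZoneError(f"{owner}: cannot add CNAME, node already has {sorted(node)}")
    if rrtype != "CNAME" and "CNAME" in node:
        raise ZoneError(f"{owner}: cannot add {rrtype}, node is a CNAME alias")
    zone.setdefault(owner, {}).setdefault(rrtype, []).append(rdata)
    validate_zone(zone)
    return zone


def lookup(zone, name, rrtype, follow_cname=True, max_depth=8):
    """Return (rdata list, aliases traversed).  follow_cname=True chases the
    alias to its target like a recursive resolver; False behaves like a
    verifier that wants the record at the exact owner name it was given."""
    chain, name = [], normalize(name)
    for _ in range(max_depth):
        node = zone.get(name, {})
        if rrtype in node:
            return list(node[rrtype]), chain
        if "CNAME" in node and follow_cname:
            chain.append(name)
            name = normalize(node["CNAME"][0])
            continue
        return [], chain
    raise ZoneError(f"{name}: CNAME chain longer than {max_depth}")


def verify_domain(zone, name, token, follow_cname=True):
    """Emulate a TXT ownership check: (token found?, aliases followed)."""
    answers, chain = lookup(zone, name, "TXT", follow_cname)
    return token in answers, chain


def walk_through(token="verification=abc123"):  # constructed token
    """The three placements discussed in the thread, on the constructed zone."""
    results, zone = {}, sample_zone()
    # 1. TXT at the aliased name itself: the DNS team has to refuse this edit.
    try:
        add_record(zone, "sso.example.com", "TXT", token)
        results["txt_at_alias"] = "accepted"
    except ZoneError as exc:
        results["txt_at_alias"] = f"refused: {exc}"
    # 2. TXT at the CNAME target: only a verifier that follows the alias sees it.
    add_record(zone, "saas-edge.example.net", "TXT", token)
    results["target_followed"] = verify_domain(zone, "sso.example.com", token, True)
    results["target_strict"] = verify_domain(zone, "sso.example.com", token, False)
    # 3. TXT at the parent domain, which has no CNAME: works either way.
    add_record(zone, "example.com", "TXT", token)
    results["parent_strict"] = verify_domain(zone, "example.com", token, False)
    return results


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

Running it prints the alias edit being refused, the target placement passing only with `follow_cname=True`, and the parent-domain placement passing even for the strict lookup, which is why the record at the target is a gamble that depends entirely on the verifier's resolver behaviour while the parent-domain placement is not.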
Thanks for bringing the RFC1034 clarification. Despite a lot of work in that area, it was never brought to my attention!
From @AK's description, it seems that the CNAME is at the domain level, which presents several other interesting considerations. While RFC 1034 even states such an example, it would be a little bit weird, as it would even contradict itself (how can a domain have a CNAME if it couldn't have any other data, and how would NS entries even be possible here?). Maybe I'm seeing something wrong here, but that might explain why I never saw such a thing, because CNAMEs are normally used at the "host" level.
Indeed, Dynatrace requires a TXT record to verify ownership of the domain. We were not aware of the CNAME limitation.
We have a workaround behind the scenes in place. Somebody from Dynatrace will reach out to you in the next few days.
Somebody from Dynatrace reached out to you. I was told that you'll switch to a different domain that doesn't have a CNAME record, so you should be able to do the domain verification for SAML.
Please let me know if that works or if you need further help!
Yes @gerald_, we added the TXT record for the higher domain, as the lower domain already has a CNAME. Domain verification was successful after this.
However, as per the suggestion from our DNS team, it would be better if we had the option to generate a CNAME record or do email verification for domains in the Dynatrace UI.
Thank you all for your comments and suggestions.