CIS DNS zone CNAME (partial) setup

A partial (CNAME) setup lets you use the CIS reverse proxy while you keep your existing primary and authoritative DNS provider.

This configuration is useful when you can't change your authoritative DNS provider and want to proxy only individual subdomains through the global network.

After you complete a partial setup, the actual resolution of your records to CIS depends on the CNAME records added at your authoritative DNS provider. Check your authoritative DNS provider to learn which records are pointing to {your-hostname}.cdn.cloudflare.net.

The following table shows the recommended setup configurations for a child zone (subdomain).

Parent and child domain setup

Parent domain setup                         | Recommended child subdomain setup
Parent domain on CIS through a Full setup   | Full setup only
Parent domain on CIS through a CNAME setup  | CNAME setup only
The parent domain is not on CIS             | Can choose Full or CNAME setup

Setting up a CNAME zone

To set up a CNAME, take the following steps.

  1. Create the partial type zone by using the CIS API or CLI.

    • To create the partial type zone with CIS API:

      POST https://{{api}}/v1/{{crn}}/zones

      data:  {
                 "name":       "ibmnetworkdemo.com",
                 "jump_start": false,
                 "type":       "partial"
             }
      
    • To create the partial type zone with CIS CLI:

          ibmcloud cis domain-add ibmnetworkdemo.com --type partial --output JSON
      

    If you encounter the error message: "Partial zone signup not allowed", contact Support.

  2. Get the TXT record value (verification_key) and the cname_suffix from the response:

    {
        "result": {
            "id": "1df93abfb59849abd3e34fde156a4c21",
            "name": "ibmnetworkdemo.com",
            "status": "active",
            "paused": false,
            "verification_key": "476754457-428595283",
            "cname_suffix": "cdn.cloudflare.net",
            "original_name_servers": [
                "ns1.softlayer.com",
                "ns2.softlayer.com"
            ],
            "original_registrar": "everyones internet, ltd. dba s (id: 925)",
            "original_dnshost": null,
            "modified_on": "2021-05-07T06:46:19.326826Z",
            "created_on": "2021-05-07T01:57:53.163247Z",
            "account": {
                "id": "b0c53e3f037b8cdc62b5cb373b8c55e6",
                "name": "57aea3aa-a38e-4760-ada5-a698bca56171"
            }
        },
        "success": true,
        "errors": [],
        "messages": []
    }
    
  3. Add a TXT record named cloudflare-verify to the parent DNS zone (in this example, ibmnetworkdemo.com), using the verification_key from the response as its value:

    txt cloudflare-verify.ibmnetworkdemo.com  476754457-428595283
    
  4. After CIS verifies the record, the zone is activated. This process might take several hours.

Verify the CNAME

To verify your CNAME setup, take the following steps.

  1. Add an A record in CIS and enable proxy:

    www.ibmnetworkdemo.com   A      169.48.151.44   true      1
    
  2. Add the CNAME record in the authoritative DNS:

    www.ibmnetworkdemo.com  www.ibmnetworkdemo.com.cdn.cloudflare.net
    

    Check the result with dig:

       dig www.ibmnetworkdemo.com a

    The response appears similar to the following example:
    
    ; <<>> DiG 9.10.6 <<>> www.ibmnetworkdemo.com a
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13528
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;www.ibmnetworkdemo.com.                IN        A
    
    ;; ANSWER SECTION:
    www.ibmnetworkdemo.com.        899        IN        CNAME        www.ibmnetworkdemo.com.cdn.cloudflare.net.
    www.ibmnetworkdemo.com.cdn.cloudflare.net. 299 IN A 104.18.8.216
    www.ibmnetworkdemo.com.cdn.cloudflare.net. 299 IN A 104.18.9.216
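
The checks from the two procedures above, as an added example that is not part of the IBM documentation: it parses dig answer lines, confirms the cloudflare-verify TXT value, and confirms that each hostname's CNAME target is {hostname}.{cname_suffix}. The function names, status strings, and the sample TXT TTL and mail record are assumptions made for this example.

```python
# Fields taken from the zone-creation response shown on this page.
ZONE = {"result": {"name": "ibmnetworkdemo.com",
                   "verification_key": "476754457-428595283",
                   "cname_suffix": "cdn.cloudflare.net"}}

# Constructed sample of `dig +noall +answer` lines; the TXT TTL and the
# mail.* record are invented for illustration.
DIG_ANSWERS = """\
cloudflare-verify.ibmnetworkdemo.com. 300 IN TXT "476754457-428595283"
www.ibmnetworkdemo.com. 899 IN CNAME www.ibmnetworkdemo.com.cdn.cloudflare.net.
www.ibmnetworkdemo.com.cdn.cloudflare.net. 299 IN A 104.18.8.216
www.ibmnetworkdemo.com.cdn.cloudflare.net. 299 IN A 104.18.9.216
mail.ibmnetworkdemo.com. 899 IN CNAME mail.example.net.
"""

def norm(name):
    """DNS names compare case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def parse_answers(text):
    """Return (owner, type, rdata) tuples, skipping dig's ';' comment lines."""
    records = []
    for line in text.splitlines():
        fields = line.split(None, 4)  # owner, TTL, class, type, rdata
        if len(fields) == 5 and not fields[0].startswith(";"):
            records.append((norm(fields[0]), fields[3].upper(), fields[4].strip()))
    return records

def check_partial_zone(zone, records, hostnames):
    """Check the TXT verification record and each hostname's CNAME target."""
    res = zone["result"]
    zone_name, suffix = norm(res["name"]), norm(res["cname_suffix"])
    txt = {d.strip('"') for o, t, d in records
           if t == "TXT" and o == "cloudflare-verify." + zone_name}
    cnames = {o: norm(d) for o, t, d in records if t == "CNAME"}
    resolved = {o for o, t, _ in records if t in ("A", "AAAA")}
    hosts = {}
    for host in map(norm, hostnames):
        target = cnames.get(host)
        if target is None:
            hosts[host] = "no CNAME"
        elif target != host + "." + suffix:
            hosts[host] = "not proxied"   # target is not {hostname}.{cname_suffix}
        elif target not in resolved:
            hosts[host] = "unresolved"    # CNAME set, but no address behind it
        else:
            hosts[host] = "proxied"
    return {"txt_verified": res["verification_key"] in txt, "hosts": hosts}
```

To run it against live data, pass `parse_answers` the output of `dig +noall +answer` for the cloudflare-verify TXT name and for each hostname you expect to be proxied.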