Why do you need the awverify CNAME record for Azure?
If you have control of a DNS lookup for a computer, or are able to inject a host record, then you could spoof an A record for that machine and point it to an Azure website (there's actually nothing to stop you doing that for a VM though)
By making you create a cname record, and independently verifying it (via their internal / public DNS system), it means that you do have control over the domain, and you're not spoofing somebody else's domain.
Let me try to answer your question by providing two cases. In both cases, you will still need to verify that you are the owner, it is just a security step.
1) www.example.com
is not being visited and not in production
2) www.example.com
is currently in production and is heavily being used
1) If your domain is now being setup or is not in production/being accessed, you can create a CNAME record that points to yoursite.azurewebsites.net
. No awverify.myhost.azurewebsites.net
needed.
2) If your domain is in heavy use and being accessed currently, and you wish to test to see if Azure sees the changes in your DNS records, you can create a sub-domain named 'awverify
' as in awverify.example.com
and point it to a created sub-domain awverify.myhost.azurewebsites.net
. This will not affect your current users accessing your website going to www.example.com
. Once Azure verifies that it sees the change in the CNAME, you can then notify users of maintenance and change the A record. If you just change the A record, the site may be seen as offline for up to 8 hours.
So to answer your question simply, you don't need to use awverify
. Just changing the CNAME can work as well. Also, just changing the A record will redirect all traffic from yourdomain.com
to yoursite.azurewebsites.net
Hope this helps.
In order to prove control of the domain, you need to put some information in a DNS record on the domain, which will identify your Azure account.
Such information can be embedded in the domain name which a CNAME points to. The part of the domain which was omitted from your post I would expect to identify your particular Azure account.
You don't actually need to keep that name secret. After all, it is going to be publicly visible once you put it in a DNS record.
The reason they couldn't do the same with an A record is that there is not sufficient entropy in an A record to achieve the same security.
That doesn't mean the CNAME is the only method they could have used. Other methods which could have worked include:
- A TXT record
- An AAAA record
- Multiple A records
Personally I consider a TXT record on a subdomain randomly generated by the verifier to be the best method, since it is the least intrusive. But that appears not to be supported in your case.