Tenant bridge DNS: direct CNAME vs CDN-proxied
For domain administrators connecting caib.<your-apex> to the Caib registry.
What we are configuring
- Host: caib.<apex> (e.g. caib.example.com).
- Goal: browsers and APIs reach the registry that serves the tenant catalogue.
- TXT at _caib.<apex> is separate (per-user authority). This page is only about the bridge hostname.
Option A — Direct CNAME (recommended)
Create a DNS-only CNAME (Cloudflare: grey cloud). Point caib to the target that Caib shows on the Domain & DNS page (usually registry.caib.io).
Why: resolvers see a normal CNAME chain — Caib shows Direct (green). Bots and assistants that rely on straightforward DNS are more likely to resolve the same path as browsers. Fewer CDN/WAF surprises.
Option B — Proxied / flattened (e.g. orange cloud)
CDNs often hide the CNAME and publish A/AAAA to the edge. Caib may show Proxied (amber) when HTTPS to https://caib.<apex>/ works with a valid cert for that hostname, even though no CNAME appears in DNS.
Risks for bots & assistants: tools that only read CNAME may disagree with browsers; Bot Fight / WAF / rate limits may block shared egress IPs; caching or transform rules can break API clients. If you proxy, plan rules so legitimate automation is allowed.
After DNS and TLS, Caib checks that GET https://caib.<apex>/v1/entities?domain=<apex>&lifecycle=all returns catalogue JSON. If that fails, the registry server’s nginx (or equivalent) must include caib.<apex> in server_name and route to the API.
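The three states above (Direct, Proxied, and the failure cases) can be checked from an admin workstation before opening the ticket. The script below is an added example, not Caib's own tooling: it looks up the CNAME with `dig` (the Python standard library has no CNAME query), resolves an address, tries HTTPS on the bridge hostname, fetches the `/v1/entities` endpoint from this page, and maps the observations to the state Caib would report. `classify` is pure and testable offline; `probe` needs network access. The target `registry.caib.io` and the API path are the ones shown on this page; confirm the target on your Domain & DNS page.

```python
"""Classify a Caib bridge hostname as Direct, Proxied, or broken.

Added example (not part of Caib). Assumes `dig` is on PATH and that the
expected CNAME target is the one shown on the Caib Domain & DNS page.
"""
import json
import socket
import subprocess
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

DEFAULT_TARGET = "registry.caib.io"  # target quoted on the page; confirm in Caib


@dataclass
class Probe:
    cname_target: Optional[str]  # first CNAME answer for caib.<apex>, None if none published
    has_address: bool            # A/AAAA resolved (directly or via the CNAME chain)
    https_ok: bool               # TLS handshake succeeded and the server answered
    api_json: bool               # /v1/entities returned parseable JSON


def classify(p: Probe, expected_target: str = DEFAULT_TARGET) -> str:
    """Map observations to the states described on the page."""
    if p.cname_target and p.cname_target.rstrip(".") == expected_target:
        if not p.https_ok:
            return "Direct CNAME but HTTPS failed: check TLS on the target"
        if not p.api_json:
            return "Direct CNAME but API check failed: add caib.<apex> to server_name"
        return "Direct (green)"
    if p.cname_target:
        # A multi-hop chain would also land here; dig +short CNAME shows only the first hop.
        return f"CNAME points elsewhere ({p.cname_target}): fix the record"
    if p.has_address and p.https_ok:
        if not p.api_json:
            return "Proxied but API check failed: check WAF/bot/transform rules"
        return "Proxied (amber)"
    if p.has_address:
        return "Address published but HTTPS failed: check the proxy certificate"
    return "No DNS answer: create the CNAME"


def probe(host: str, apex: str, timeout: float = 5.0) -> Probe:
    """Collect live observations for caib.<apex> (network required)."""
    cname = None
    try:
        out = subprocess.run(["dig", "+short", "CNAME", host],
                             capture_output=True, text=True, timeout=timeout).stdout.strip()
        cname = out.splitlines()[0] if out else None
    except (OSError, subprocess.TimeoutExpired):
        pass  # no dig available: fall through with cname unknown
    try:
        socket.getaddrinfo(host, 443)
        has_address = True
    except socket.gaierror:
        has_address = False
    # Any HTTP status over a valid TLS session counts as "HTTPS works" for this check.
    try:
        urllib.request.urlopen(f"https://{host}/", timeout=timeout).close()
        https_ok = True
    except urllib.error.HTTPError:
        https_ok = True
    except Exception:
        https_ok = False
    api_json = False
    try:
        url = f"https://{host}/v1/entities?domain={apex}&lifecycle=all"
        with urllib.request.urlopen(url, timeout=timeout) as r:
            json.load(r)
            api_json = True
    except Exception:
        pass  # non-2xx, TLS, network or JSON parse failure all mean the API check failed
    return Probe(cname, has_address, https_ok, api_json)


if __name__ == "__main__":
    apex = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder apex
    print(classify(probe(f"caib.{apex}", apex)))
```

Run it as `python3 check_bridge.py <apex>`; a "Proxied" result with a failed API check is the case the page warns about, where browsers work but API clients hit WAF, bot or transform rules.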
Copy for your IT / DNS ticket
Paste into email or a change request:
Please add caib.<apex> as a CNAME to registry.caib.io (or the exact target from the Caib Domain & DNS page), DNS only, unless we explicitly choose CDN proxy. If proxied, ensure HTTPS works and automated clients are not blocked by bot or WAF rules. Reference: https://user.caib.io/docs/cname-bridge-routing