Hi @Roy Freij,
Welcome to Microsoft Q&A Platform.
Azure does not perform DNSSEC response validation using the default Azure-provided DNS resolver. DNSSEC validation is only relevant when you are running your own recursive DNS resolvers.
Trust anchors and DNSSEC validation states:
In your scenario, the DNSSEC chain validates correctly until it reaches azurefd.net. This is because azurefd.net (Azure Front Door’s canonical domain) is not DNSSEC-signed.
Microsoft does not publish DS/RRSIG records for azurefd.net.
As a result, a fully trusted DNSSEC chain cannot be established when a CNAME ultimately points to Azure Front Door.
This is why external DNSSEC validation tools (such as the Verisign DNSSEC Debugger) report failures for *.azurefd.net.
Is there a way to resolve this?
No. DNSSEC cannot be enabled for Microsoft-owned service domains like azurefd.net. Customers cannot configure DNSSEC on these zones.
If a third-party audit requires full end-to-end DNSSEC validation, Azure Front Door cannot be used as the final CNAME target.
Please Accept the answer if the information helped you. This will help us and others in the community as well.
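The failure mode described in the answer above, as an added example that is not part of the original thread and not Microsoft code: a small model of how a validating resolver walks the chain of trust from the root down through each zone cut, follows the CNAME, and combines the result. All zone cuts, DS records, CNAMEs and the "badsig" zone are constructed for illustration; nothing is queried over the network. It goes slightly beyond the thread by also showing the difference between an insecure delegation (no DS, which is the azurefd.net case) and a bogus one (DS published but signatures that do not verify).

```python
"""
Walk the DNSSEC chain of trust along a CNAME chain, the way a validating
resolver does, and report where the chain stops being secure.

Added example, not code from Microsoft or from the Q&A thread. Everything
below is constructed: the zone cuts, which zones have a DS record in their
parent, and the CNAME records. No network queries are made; to check a real
name, replace the tables with live DS, RRSIG and CNAME lookups.
"""

# Constructed zone cuts. The root is the trust anchor.
ZONES = {".", "com.", "example.com.", "badsig.example.com.", "net.", "azurefd.net."}

# Constructed: zones whose parent publishes a DS record for them. A zone cut
# that is NOT listed here is an unsigned (insecure) delegation.
# "azurefd.net." is deliberately absent to mirror the scenario in the answer.
DS_PUBLISHED = {"com.", "example.com.", "badsig.example.com.", "net."}

# Constructed: a signed zone whose RRSIGs do not verify (expired or wrong key).
BROKEN_RRSIG = {"badsig.example.com."}

# Constructed CNAME records (owner -> target), all fully qualified.
CNAMES = {
    "www.example.com.": "www-example.azurefd.net.",
}

RANK = {"secure": 0, "insecure": 1, "bogus": 2}  # higher rank wins when combining


def labels(name):
    return [lab for lab in name.split(".") if lab]


def ancestor_cuts(name):
    """Zone cuts that enclose `name`, ordered from the root downwards."""
    cuts = [z for z in ZONES if z == "." or name == z or name.endswith("." + z)]
    return sorted(cuts, key=lambda z: len(labels(z)))


def closest_zone(name):
    """Closest enclosing zone cut for a name (longest matching suffix)."""
    return ancestor_cuts(name)[-1]


def chain_of_trust(zone):
    """
    Zone cuts from the root down to `zone` with the validation state at each
    cut: 'secure' while every delegation has a DS and good signatures,
    'insecure' from the first delegation without a DS, 'bogus' from the first
    signed delegation whose signatures fail. Neither state can turn back into
    'secure' further down the chain.
    """
    status, hops = "secure", []
    for cut in ancestor_cuts(zone):
        if cut != "." and status == "secure":
            if cut not in DS_PUBLISHED:
                status = "insecure"
            elif cut in BROKEN_RRSIG:
                status = "bogus"
        hops.append((cut, status))
    return hops


def validate(name, max_hops=8):
    """
    Follow CNAMEs from `name` and combine the status of every hop: the answer
    is only 'secure' if every name in the chain sits in a secure zone. Returns
    the overall status, per-hop detail, and the first zone cut that broke the
    chain (None when the whole chain is secure).
    """
    overall, hops, break_at = "secure", [], None
    while True:
        zone = closest_zone(name)
        chain = chain_of_trust(zone)
        status = chain[-1][1]
        if RANK[status] > RANK[overall]:
            overall = status
        if break_at is None:
            break_at = next((z for z, s in chain if s != "secure"), None)
        hops.append({"name": name, "zone": zone, "status": status, "chain": chain})
        target = CNAMES.get(name)
        if target is None or len(hops) >= max_hops:  # end of chain, or loop guard
            break
        name = target
    return {"status": overall, "break_at": break_at, "hops": hops}


def report(name):
    result = validate(name)
    lines = [f"{name}: {result['status']}"]
    for hop in result["hops"]:
        path = " -> ".join(f"{z}[{s}]" for z, s in hop["chain"])
        lines.append(f"  {hop['name']} in zone {hop['zone']}: {path}")
    if result["break_at"]:
        lines.append(f"  chain of trust breaks at {result['break_at']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for n in ("example.com.", "www.example.com.", "host.badsig.example.com."):
        print(report(n))
```

For www.example.com. the customer zone validates all the way down, and the break is reported at the azurefd.net. cut on the CNAME target, which is exactly what an online debugger shows: the failure is in the target zone, so nothing the customer signs in their own zone can fix it.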