CNAME record conflict: Point "api" subdomain to AWS Load Balancer DNS

danieljosephparker · September 8, 2024, 11:34am

Good morning!

My use case

Host static marketing website at www.<my-vercel-domain>.com.
Host React app at <subdomain1>.<my-vercel-domain>.com.
Point api.<my-vercel-domain>.com to an AWS EC2 Elastic Load Balancer.
(In turn, the ELB routes incoming internet traffic to a Django app deployed on ECS/Fargate in a VPC private subnet.)

Context

To enable an HTTPS listener for the ELB, I created an SSL Certificate from AWS Certificate Manager for api.<my-vercel-domain>.com.
To validate this certificate, per DNS validation - AWS Certificate Manager (at the bottom: “If you are not using Route 53 as your DNS provider…”), I added a CNAME record in Vercel DNS.
- The NAME value was _<UUID>.api.<my-vercel-domain>.com.
- The VALUE value was that specified by ACM, ending in acm-validations.aws..
(I had also added a CAA record, which is still present.
- NAME = api
- VALUE = 0 issue "amazon.com".)
Certificate validation was successful.

Issue

I am now trying to add a CNAME record to Vercel DNS to point api.<my-vercel-domain>.com to the ELB.
- Attempted NAME value is api.
- Attempted VALUE value is the ELB’s DNS name.
I receive this error:

Existing record (“rec_c625ccf17bfb13236fca932d”) conflict with attempted “api” CNAME “<elb-dns>.” creation. CNAME record cannot be created if any other record exists with the same name.

To attempt to resolve, I deleted the SSL validation CNAME record, since this was also a CNAME record with NAME = api. My hypothesis is that the existence of this record caused the “conflict” error message. (My understanding is that this old CNAME is no longer needed since the certificate validation is completed.)
I used dnschecker.org to verify that the deletion of the old CNAME record has propagated.
However, when I reattempt the new CNAME record, I receive the same error message.
The Vercel DNS UI does not allow inspection of the internal DNS UUID specified in the error message, as far as I know. So I don’t have a way to figure out which record is responsible for this conflict.
Is it possible this is a cache or “ghost” record issue?

Thank you!

danieljosephparker · September 8, 2024, 12:19pm

Solution

The CAA record added for AWS ACM certificate validation was the cause of the conflict.

Steps taken

The https://vercel.com/api/v4/domains/<my-vercel-domain>/records API endpoint includes the internal Vercel id for the DNS record.

{
    "records": [
        {
            "id": "rec_c625ccf17bfb13236fca932d",
            ...
            "name": "api",
            "type": "CAA",
            ...
        },

The CAA record had an ID that matched that shown in the error message in my original post.
I deleted the CAA record, and reattempted adding the new CNAME record for the ELB. The addition was successful.

pawlean · September 8, 2024, 6:58pm

Thanks for coming back with your solution, it’ll help lots of folks

system · September 10, 2024, 6:58pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Using Vercel DNS with subdomain Help domains	3	24	December 19, 2024
CNAME Record Not Propagating and Site Not Working Help	3	35	August 8, 2024
Create DNS record with Terraform for domain managed in Vercel Help domains	3	17	October 30, 2024
Domain is pending verification Help domains	12	53	October 23, 2024
Domain dns problem Help domains	10	85	August 13, 2024