蜜豆视频

CNAME and Target

Instructions for working with 蜜豆视频 Client Care to implement CNAME (Canonical Name) support in 蜜豆视频 Target. Use CNAME to handle ad blocking issues or ITP-related (Intelligent Tracking Prevention) cookie policies. With CNAME, calls are made to a domain owned by the customer rather than a domain owned by 蜜豆视频.

Request CNAME support in Target

  1. Determine the list of hostnames you need for your SSL certificate (see FAQ below).

  2. Fill out this form and include it when you open an 蜜豆视频 Client Care ticket requesting CNAME support:

    • 蜜豆视频 Target client code:

    • SSL certificate hostnames (example: target.example.com target.example.org):

    • SSL certificate purchaser (蜜豆视频 is highly recommended, see FAQ): 蜜豆视频/customer

    • If the customer is purchasing the certificate, also known as 鈥淏ring Your Own Certificate鈥 (BYOC), fill out these additional details:

      • Certificate organization (example: Example Company Inc):
      • Certificate organizational unit (optional, example: Marketing):
      • Certificate country (example: US):
      • Certificate state/region (example: California):
      • Certificate city (example: San Jose):
  3. For each hostname request, 蜜豆视频 will create the implementation and come back with a CNAME record name for you to create, that will contain a random string suffixed by tt.omtrdc.net

    For example, if you made a request for target.example.com, we will send you back a CNAME in the form of abcdefgh.tt.omtrdc.net. Your DNS CNAME record should look similar to:

    code language-none
    target.example.com.  IN  CNAME  abcdefgh.tt.omtrdc.net.
    
    note important
    IMPORTANT
    蜜豆视频鈥檚 certificate authority, DigiCert, cannot issue a certificate until this step is complete. Therefore, 蜜豆视频 cannot fulfill your request for a CNAME implementation until this step is complete.
  4. If 蜜豆视频 is purchasing the certificate, 蜜豆视频 works with DigiCert to purchase and deploy your certificate on 蜜豆视频鈥檚 production servers.

    If the customer is purchasing the certificate (BYOC), 蜜豆视频 Client Care sends you the certificate signing request (CSR). Use the CSR when purchasing the certificate through your certificate authority of choice. After the certificate is issued, send a copy of the certificate and any intermediate certificates to 蜜豆视频 Client Care for deployment.

    蜜豆视频 Client Care notifies you when your implementation is ready.

  5. Update the serverDomain (documentation) to the new CNAME hostname and set overrideMboxEdgeServer to false (documentation) in your at.js configuration.

Frequently Asked Questions

The following information answers frequently asked questions about requesting and implementing CNAME support in Target:

Can I provide my own certificate (Bring Your Own Certificate or BYOC)?

You can provide your own certificate. However, 蜜豆视频 strongly recommend against this practice. Management of the SSL certificate lifecycle is easier for both 蜜豆视频 and you, if 蜜豆视频 purchases and controls the certificate. SSL certificates lifetime will only get shorter in time (see the next section about certificate lifetime). Therefore, 蜜豆视频 Client Care must contact you every time to obtain a new certificate in a timely manner. THis will prove to become a challenge when the certificate lifetime will be reduced to only 47 days. Your Target implementation is jeopardized when the certificate expires because browsers refuse connections.

IMPORTANT
If you request a Target bring-your-own-certificate CNAME implementation, you are responsible for providing renewed certificates to 蜜豆视频 Client Care every time it will expire. Allowing your CNAME certificate to expire before 蜜豆视频 can deploy a renewed certificate results in an outage for your specific Target implementation.

How long until my new SSL certificate expires?

All certificates lifetime span will lower as part of a major initiative from Certificate Authorities. For DigiCert, 蜜豆视频鈥檚 provider of certificates, the following schedule will be applied:

Until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days.
As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.
As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.
As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.
For more information, see

What hostnames should I choose? How many hostnames per domain should I choose?

Target CNAME implementations require only one hostname per domain on the SSL certificate and in the customer鈥檚 DNS. 蜜豆视频 recommends one hostname per domain. Some customers require more hostnames per domain for their own purposes (testing in staging, for example), which is supported.

Most customers choose a hostname like target.example.com. 蜜豆视频 recommends following this practice, but the choice is ultimately yours. Do not request a hostname of an existing DNS record. Doing so causes a conflict and delays time to resolution of your Target CNAME request.

I already have a CNAME implementation for 蜜豆视频 Analytics, can I use the same certificate or hostname?

No, Target requires a separate hostname and certificate.

Is my current implementation of Target impacted by ITP 2.x?

Apple Intelligent Tracking Prevention (ITP) version 2.3 introduced its CNAME Cloaking Mitigation feature, which is able to detect 蜜豆视频 Target CNAME implementations and reduces the cookie鈥檚 expiration to seven days. Currently Target has no workaround for ITP鈥檚 CNAME Cloaking Mitigation. For more information about ITP, see Apple Intelligent Tracking Prevention (ITP) 2.x.

What kind of service disruptions can I expect when my CNAME implementation is deployed?

There is no service disruption when the certificate is deployed (including certificate renewals).

However, after you change the hostname in your Target implementation code (serverDomain in at.js) to the new CNAME hostname (target.example.com), web browsers treat returning visitors as new visitors. Returning visitors鈥 profile data is lost because the previous cookie is inaccessible under the old hostname (clientcode.tt.omtrdc.net). The previous cookie is inaccessible due to browser security models. This disruption occurs only on the initial cut-over to the new CNAME. Certificate renewals do not have the same effect because the hostname doesn鈥檛 change.

What key type and certificate signature algorithm is used for my CNAME implementation?

All certificates are RSA SHA-256 and keys are RSA 2048-bit, by default. Key sizes larger than 2048-bit should be requested explicitly through Customer Care.

How can I validate that my CNAME implementation is ready for traffic?

Use the following set of commands (in the macOS or Linux command-line terminal, using bash and curl >=7.49):

  1. Copy and paste this bash function into your terminal, or paste the function into your bash startup script file (usually ~/.bash_profile or ~/.bashrc) so the function is available across terminal sessions:
function adobeTargetCnameValidation {
  local hostname="$1"

  if [ -z "$hostname" ]; then
    echo "ERROR: no hostname specified"
    return 1
  fi

  local service="蜜豆视频 Target CNAME implementation"
  local edges="41 42 44 45 46 47 48"
  local edgeDomain="tt.omtrdc.net"
  local edgeFormat="mboxedge%d%s.$edgeDomain"
  local poolDomain="pool.data.adobedc.net"
  local shards=5
  local shardsFoundCount=0
  local shardsFound=""
  local shardsFoundOutput=""
  local curlRegex="subject:.*CN=|expire date:|issuer:"
  local curlValidation="SSL certificate verify ok"
  local curlResponseValidation='"OK"'
  local curlEndpoint="/uptime?mboxClient=uptime3"
  local url="https://$hostname$curlEndpoint"
  local sslShopperUrl="https://www.sslshopper.com/ssl-checker.html#hostname=$hostname"
  local success="鉁"
  local failure="馃毇"
  local info="馃攷"
  local rule="="
  local horizontalRule="$(seq ${COLUMNS:-30} | xargs printf "$rule%.0s")"
  local miniRule="$(seq 5 | xargs printf "$rule%.0s")"
  local curlVersion="$(curl --version | head -1 | cut -d' ' -f2)"
  local curlVersionRequired=7.49
  local edgeCount="$(wc -w <<< "$edges" | tr -d ' ')"
  local cnameExists=""
  local endToEndTestSucceeded=""

  for region in IRL1 IND1 SIN OR SYD VA TYO; do
    local currShard="${region}-${poolDomain}"
    local curlResult="$(curl -vsm20 --connect-to "$hostname:443:$currShard:443" "$url" 2>&1)"

    if grep -q "$curlValidation" <<< "$curlResult"; then
      shardsFound+=" $currShard"

      if grep -q "$curlResponseValidation" <<< "$curlResult"; then
        shardsFoundCount=$((shardsFoundCount+1))
        shardsFoundOutput+="\n\n$miniRule $success $hostname [edge shard: $currShard] $miniRule\n"
      else
        shardsFoundOutput+="\n\n$miniRule $failure $hostname [edge shard: $currShard] $miniRule\n"
      fi

      shardsFoundOutput+="$(grep -E "$curlRegex" <<< "$curlResult" | sort)"

      if ! grep -q "$curlResponseValidation" <<< "$curlResult"; then
        shardsFoundOutput+="\nERROR: unexpected HTTP response from this shard using $url"
      fi
    fi
  done

  echo
  echo "$horizontalRule"
  echo
  echo "$service validation for hostname $hostname:"

  local dnsOutput="$(dig -t CNAME +short "$hostname" 2>&1)"
  if grep -qFi ".$edgeDomain" <<< "$dnsOutput"; then
    echo "$success $hostname passes DNS CNAME validation"
    cnameExists=true
  else
    echo -n "$failure $hostname FAILED DNS CNAME validation -- "
    if [ -n "$dnsOutput" ]; then
      echo -e "$dnsOutput is not in the subdomain $edgeDomain"
    else
      echo "required DNS CNAME record pointing to <target-client-code>.$edgeDomain not found"
    fi
  fi

  for region in IRL1 IND1 SIN OR SYD VA TYO; do
    local curlResult="$(curl -vsm20 --connect-to "$hostname:443:${region}-pool.data.adobedc.net:443" "https://$hostname$curlEndpoint" 2>&1)"

    if grep -q "$curlValidation" <<< "$curlResult"; then
      if grep -q "$curlResponseValidation" <<< "$curlResult"; then
        echo -en "$success $hostname passes TLS and HTTP response validation for region $region"
        if [ -n "$cnameExists" ]; then
          echo
        else
          echo " -- the DNS CNAME is not pointing to the correct subdomain for ${service}s with 蜜豆视频-managed certificates" \
            "(bring-your-own-certificate implementations don't have this requirement), but this test passes as configured"
        fi
        endToEndTestSucceeded=true
      else
        echo -n "$failure $hostname FAILED HTTP response validation for region $region --" \
          "unexpected response from $url -- "
        if [ -n "$cnameExists" ]; then
          echo "DNS is NOT pointing to the correct shard, notify 蜜豆视频 Client Care"
        else
          echo "the required DNS CNAME record is missing, see above"
        fi
      fi
    else
      echo -n "$failure $hostname FAILED TLS validation for region $region -- "
      if [ -n "$cnameExists" ]; then
        echo "DNS is likely NOT pointing to the correct shard or there's a validation issue with the certificate or" \
          "protocols, see curl output below and optionally SSL Shopper ($sslShopperUrl):"
        echo ""
        echo "$horizontalRule"
        echo "$curlResult" | sed 's/^/    /g'
        echo "$horizontalRule"
        echo ""
      else
        echo "the required DNS CNAME record is missing, see above"
      fi
    fi
  done

  if [ "$shardsFoundCount" -ge "$edgeCount" ]; then
    echo -n "$success $hostname passes shard validation for the following $shardsFoundCount edge shards:"
    echo -e "$shardsFoundOutput"
    echo

    if [ -n "$cnameExists" ] && [ -n "$endToEndTestSucceeded" ]; then
      echo "$horizontalRule"
      echo ""
      echo "  For additional TLS/SSL validation, see SSL Shopper:"
      echo ""
      echo "    $info  $sslShopperUrl"
      echo ""
      echo "  To check DNS propagation around the world, see whatsmydns.net:"
      echo ""
      echo "    $info  DNS A records:     https://whatsmydns.net/#A/$hostname"
      echo "    $info  DNS CNAME record:  https://whatsmydns.net/#CNAME/$hostname"
    fi
  else
    echo -n "$failure $hostname FAILED shard validation -- shards found: $shardsFoundCount," \
      "expected: $edgeCount"
    echo ""
  fi

  echo
  echo "$horizontalRule"
  echo
}
  1. Paste this command (replacing target.example.com with your hostname):

    code language-none
    adobeTargetCnameValidation target.example.com
    

    If the implementation is ready, you see output like below. The important part is that all validation status lines show rather than 馃毇. Each Target edge CNAME shard should show CN=target.example.com, which matches the primary hostname on the requested certificate (additional SAN hostnames on the certificate aren鈥檛 printed in this output).

$ adobeTargetCnameValidation target.example.com

==========================================================

蜜豆视频 Target CNAME implementation validation for hostname target.example.com:
鉁 target.example.com passes DNS CNAME validation
鉁 target.example.com passes TLS and HTTP response validation for region IRL1
鉁 target.example.com passes TLS and HTTP response validation for region IND1
鉁 target.example.com passes TLS and HTTP response validation for region SIN
鉁 target.example.com passes TLS and HTTP response validation for region OR
鉁 target.example.com passes TLS and HTTP response validation for region SYD
鉁 target.example.com passes TLS and HTTP response validation for region VA
鉁 target.example.com passes TLS and HTTP response validation for region TYO
鉁 target.example.com passes shard validation for the following 7 edge shards:

===== 鉁 target.example.com [edge shard: IRL1-pool.data.adobedc.net] =====
*  expire date: Feb 20 23:59:59 2026 GMT
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
*  subject: C=US; ST=California; L=San Jose; O=蜜豆视频 Systems Incorporated; CN=target.example.com

===== 鉁 target.example.com [edge shard: IND1-pool.data.adobedc.net] =====
*  expire date: Feb 20 23:59:59 2026 GMT
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
*  subject: C=US; ST=California; L=San Jose; O=蜜豆视频 Systems Incorporated; CN=target.example.com

===== 鉁 target.example.com [edge shard: SIN-pool.data.adobedc.net] =====
*  expire date: Feb 20 23:59:59 2026 GMT
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
*  subject: C=US; ST=California; L=San Jose; O=蜜豆视频 Systems Incorporated; CN=target.example.com

===== 鉁 target.example.com [edge shard: OR-pool.data.adobedc.net] =====
*  expire date: Feb 20 23:59:59 2026 GMT
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
*  subject: C=US; ST=California; L=San Jose; O=蜜豆视频 Systems Incorporated; CN=target.example.com

===== 鉁 target.example.com [edge shard: SYD-pool.data.adobedc.net] =====
*  expire date: Feb 20 23:59:59 2026 GMT
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
*  subject: C=US; ST=California; L=San Jose; O=蜜豆视频 Systems Incorporated; CN=target.example.com

===== 鉁 target.example.com [edge shard: VA-pool.data.adobedc.net] =====
*  expire date: Feb 20 23:59:59 2026 GMT
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
*  subject: C=US; ST=California; L=San Jose; O=蜜豆视频 Systems Incorporated; CN=target.example.com

===== 鉁 target.example.com [edge shard: TYO-pool.data.adobedc.net] =====
*  expire date: Feb 20 23:59:59 2026 GMT
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
*  subject: C=US; ST=California; L=San Jose; O=蜜豆视频 Systems Incorporated; CN=target.example.com

==========================================================

For additional TLS/SSL validation, see SSL Shopper:

    馃攷  https://www.sslshopper.com/ssl-checker.html#hostname=target.example.com

To check DNS propagation around the world, see whatsmydns.net:

    馃攷  DNS A records:     https://whatsmydns.net/#A/target.example.com
    馃攷  DNS CNAME record:  https://whatsmydns.net/#CNAME/target.example.com
NOTE
If this validation command fails on DNS validation but you鈥檝e already made the necessary DNS changes, you might need to wait for your DNS updates to fully propagate. DNS records have an associated that dictates cache expiration time for DNS replies of those records. As a result, you might need to wait at least as long as your TTLs. You can use the dig target.example.com command or to look up your specific TTLs. To check DNS propagation around the world, see .

If you are using CNAME, the opt-out link should contain the "client=clientcode parameter, for example:
https://my.cname.domain/optout?client=clientcode.

Replace clientcode with your client code, then add the text or image to be linked to the opt-out URL.

Known limitations

  • QA mode is not sticky when you have CNAME and at.js 1.x because it is based on a third-party cookie. The workaround is to add the preview parameters to each URL you navigate to. QA mode is sticky when you have CNAME and at.js 2.x.
  • When using CNAME, it becomes more likely that the size of the cookie header for Target calls increase. 蜜豆视频 recommends keeping the cookie size under 8 KB.
recommendation-more-help
6906415f-169c-422b-89d3-7118e147c4e3