
Enable AI Edge from DNS Record #613

@bmertens-datum


High-Level Summary

In the DNS section of Datum Cloud, add a Protect action for eligible DNS records that do not yet have AI Edge enabled.

Protect is a shortcut that enables AI Edge (HTTPProxy + WAF) for a hostname. Protection routes traffic through Datum Edge using ALIAS records.

Core principle: DNS transparency

The DNS service must always present an accurate, transparent view of the actual zone file.
Requirements:

  • The DNS UI must display records exactly as they exist in the zone file
  • If a user downloads the zone file, it must match what is shown in the UI
  • Protection workflows must not obscure, hide, or virtualize DNS records
  • Any changes made by Protect must be reflected directly in the zone data

This ensures customer trust, debuggability, and operational clarity.

Eligible record types

  • A
  • AAAA
  • CNAME
  • ALIAS

User Experience

DNS Records List

DNS continues to display the records that exist in the zone file.
For each eligible record (A/AAAA/CNAME/ALIAS):

If AI Edge is NOT enabled

  • Show the record normally
  • Show a Protect button (single-click action)

If AI Edge IS enabled

  • Show status: Protected
  • The Protected status links to the corresponding AI Edge configuration (Proxy + WAF)

Behavior

Protection enablement rules

  • Enabling protection from DNS is a shortcut to enable AI Edge for a hostname
  • All protection enablement must be implemented using ALIAS records
  • After protection is enabled, the hostname routes through Datum Edge
  • Any DNS changes performed by Protect must be visible in the zone file and UI
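As an added example, not code from the Datum project, the transparency requirement and the ALIAS rule above expressed in Go: the records list shown in the UI and the downloadable zone file are both rendered from one record slice, and Protect edits that slice in place (eligible records for the hostname are replaced by a single ALIAS to Datum Edge, and the previous target is returned as the origin the proxy should point at). The edge target name, the struct fields and the status strings are assumptions for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is one resource record exactly as it exists in the zone file.
type Record struct {
	Name  string // owner name, e.g. "app.datum.design."
	Type  string // A, AAAA, CNAME, ALIAS, MX, ...
	TTL   int
	Value string // rdata: address, target name, or other type-specific data
}

// Zone is the authoritative record set. Both the records list in the UI and
// the downloadable zone file are rendered from this one slice, so neither
// can drift from the other.
type Zone struct {
	Origin  string
	Records []Record
}

// eligibleTypes are the record types the Protect action applies to.
var eligibleTypes = map[string]bool{"A": true, "AAAA": true, "CNAME": true, "ALIAS": true}

// edgeTarget is the ALIAS target that routes a hostname through Datum Edge.
// Assumed placeholder name, not a real Datum endpoint.
const edgeTarget = "edge.datum.example."

// Protect replaces the eligible record(s) for hostname with a single ALIAS
// to Datum Edge, editing the zone data directly. It returns the previous
// target, which is the origin the HTTPProxy backend should point at.
func (z *Zone) Protect(hostname string) (origin string, err error) {
	kept := make([]Record, 0, len(z.Records)+1)
	ttl := 0
	for _, r := range z.Records {
		if r.Name == hostname && eligibleTypes[r.Type] {
			if r.Type == "ALIAS" && r.Value == edgeTarget {
				return "", fmt.Errorf("%s is already protected", hostname)
			}
			if origin == "" { // first eligible record wins (A before AAAA in zone order)
				origin, ttl = r.Value, r.TTL
			}
			continue // this record is superseded by the ALIAS added below
		}
		kept = append(kept, r)
	}
	if origin == "" {
		return "", fmt.Errorf("%s has no A/AAAA/CNAME/ALIAS record to protect", hostname)
	}
	kept = append(kept, Record{Name: hostname, Type: "ALIAS", TTL: ttl, Value: edgeTarget})
	z.Records = kept
	return origin, nil
}

// ZoneFile renders the zone in the form a customer would download.
func (z *Zone) ZoneFile() string {
	var b strings.Builder
	fmt.Fprintf(&b, "$ORIGIN %s\n", z.Origin)
	for _, r := range z.Records {
		fmt.Fprintf(&b, "%s\t%d\tIN\t%s\t%s\n", r.Name, r.TTL, r.Type, r.Value)
	}
	return b.String()
}

// UIRow is one line of the DNS records list: the record itself plus the
// Protect/Protected state derived from it, never a substitute for it.
type UIRow struct {
	Record Record
	Status string // "Protect" (action offered), "Protected", or "" (not eligible)
}

// UIRows renders the records list from the same data as ZoneFile.
func (z *Zone) UIRows() []UIRow {
	rows := make([]UIRow, 0, len(z.Records))
	for _, r := range z.Records {
		status := ""
		switch {
		case r.Type == "ALIAS" && r.Value == edgeTarget:
			status = "Protected"
		case eligibleTypes[r.Type]:
			status = "Protect"
		}
		rows = append(rows, UIRow{Record: r, Status: status})
	}
	return rows
}

func main() {
	// Constructed sample zone, not real Datum data.
	z := &Zone{Origin: "datum.design.", Records: []Record{
		{Name: "app.datum.design.", Type: "A", TTL: 300, Value: "203.0.113.10"},
		{Name: "datum.design.", Type: "MX", TTL: 300, Value: "10 mail.datum.design."},
	}}
	origin, err := z.Protect("app.datum.design.")
	fmt.Println("origin:", origin, "err:", err)
	fmt.Print(z.ZoneFile())
	for _, row := range z.UIRows() {
		fmt.Printf("%-22s %-5s %-22s %s\n", row.Record.Name, row.Record.Type, row.Record.Value, row.Status)
	}
}
```

Because the "Protected" status is derived from the ALIAS record rather than stored beside it, there is no separate state that could disagree with the zone file; a second Protect on the same hostname is rejected instead of stacking records.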

Origin TLS guidance

Datum fully supports HTTPS to origin when a hostname is used.

Customers are strongly encouraged to configure origins using a hostname rather than a raw IP address. Hostname-based origins enable full TLS validation and are the recommended production configuration.

A and AAAA record limitation (IP origins)

When the origin is specified only as an IP address (A/AAAA record):

  • Datum cannot perform proper hostname-based TLS validation
  • HTTPS to the origin is therefore not supported by default
  • Origin connectivity will default to HTTP

This is a limitation of IP-based origins, not of AI Edge TLS capability.

Recommended configuration

Preferred (fully supported):

DNS → CNAME/ALIAS → origin.example.com
Datum Edge → HTTPS → origin.example.com (valid cert)

Supported with limitation:

DNS → A/AAAA → origin IP
Datum Edge → HTTP → origin IP

Using a hostname for the origin enables:

  • Proper SNI
  • Certificate validation
  • End-to-end HTTPS
  • Better long-term operability

Customers should use hostname-based origins whenever possible.
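As an added example, not Datum's code, the origin TLS rule above as a single decision function in Go: a CNAME/ALIAS target yields an HTTPS backend with SNI and certificate verification, while an A/AAAA target yields a plain HTTP backend with a limitation note. It also rejects the edge cases a Protect handler should refuse (an A record carrying an IPv6 address, a CNAME whose target is an IP literal, an ineligible type). The OriginEndpoint fields are assumptions for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// OriginEndpoint describes how Datum Edge would connect to the origin.
// Field names are assumed for this example, not Datum's actual API.
type OriginEndpoint struct {
	URL        string
	SNI        string // TLS server name sent to the origin; empty when TLS is off
	VerifyCert bool   // whether the origin certificate is validated against SNI
	Limitation string // note surfaced to the user when a fallback is in effect
}

// OriginFromRecord derives the backend endpoint from the DNS record that
// currently points at the origin. A hostname target gets HTTPS with SNI and
// certificate verification; a bare IP target falls back to plain HTTP,
// because there is no name to validate the certificate against.
func OriginFromRecord(rtype, target string) (OriginEndpoint, error) {
	switch rtype {
	case "A", "AAAA":
		ip := net.ParseIP(target)
		if ip == nil {
			return OriginEndpoint{}, fmt.Errorf("%s record target %q is not an IP address", rtype, target)
		}
		if (rtype == "A") != (ip.To4() != nil) {
			return OriginEndpoint{}, fmt.Errorf("%s record target %q has the wrong address family", rtype, target)
		}
		host := ip.String()
		if ip.To4() == nil {
			host = "[" + host + "]" // an IPv6 literal must be bracketed in a URL
		}
		return OriginEndpoint{
			URL:        "http://" + host,
			Limitation: "IP-based origin: hostname TLS validation is not possible, so origin connectivity defaults to HTTP",
		}, nil
	case "CNAME", "ALIAS":
		name := strings.TrimSuffix(target, ".") // zone files use absolute names; URLs do not
		if name == "" || net.ParseIP(name) != nil {
			return OriginEndpoint{}, fmt.Errorf("%s record target %q is not a hostname", rtype, target)
		}
		u := url.URL{Scheme: "https", Host: name}
		return OriginEndpoint{URL: u.String(), SNI: name, VerifyCert: true}, nil
	default:
		return OriginEndpoint{}, fmt.Errorf("record type %s is not eligible for Protect", rtype)
	}
}

func main() {
	// Constructed inputs, not real customer records.
	for _, rec := range [][2]string{
		{"CNAME", "waf-demo.vercel.app."},
		{"A", "203.0.113.10"},
		{"AAAA", "2001:db8::1"},
		{"A", "2001:db8::1"},
	} {
		ep, err := OriginFromRecord(rec[0], rec[1])
		if err != nil {
			fmt.Printf("%-5s %-22s rejected: %v\n", rec[0], rec[1], err)
			continue
		}
		fmt.Printf("%-5s %-22s -> %s (verify=%v) %s\n", rec[0], rec[1], ep.URL, ep.VerifyCert, ep.Limitation)
	}
}
```

The Limitation string is what the UI would show next to an IP-based origin, so the HTTP fallback is visible to the customer rather than silent.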

Proxy reuse behavior

When Protect is clicked:

Reuse existing proxy (preferred)

If an existing HTTPProxy is found whose backend endpoint matches the DNS record’s current target:

  • Add the hostname to the existing proxy’s spec.hostnames
  • Do not create a new proxy

Create new proxy (fallback)

If no matching proxy exists:

  • Create a new HTTPProxy
  • Create associated WAF configuration per current AI Edge defaults
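As an added example, not Datum's code, the proxy reuse rule above in Go: a hostname that is already on some proxy is left alone, a proxy whose backend endpoint equals the record's current target gets the hostname appended to its spec.hostnames, and only when nothing matches is a new proxy created with the default WAF configuration. The HTTPProxy fields, the in-memory Store, the proxy naming and the WAF policy name are assumptions for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// HTTPProxy mirrors only the fields this example needs from the AI Edge proxy
// resource; the field names here are assumed, not Datum's actual schema.
type HTTPProxy struct {
	Name      string
	Backend   string   // origin endpoint, e.g. "https://waf-demo.vercel.app"
	Hostnames []string // spec.hostnames
	WAFPolicy string   // WAF configuration attached at creation time
}

// Store is the set of proxies visible to the Protect action.
type Store struct {
	Proxies []*HTTPProxy
	nextID  int
}

// Result tells the DNS list what happened, so it can render "Protected" and
// link to the right configuration page.
type Result struct {
	Proxy   *HTTPProxy
	Created bool // true when a new proxy (and WAF config) was provisioned
}

// defaultWAFPolicy stands in for "current AI Edge defaults"; assumed name.
const defaultWAFPolicy = "ai-edge-default"

// ProxyFor returns the proxy that already serves hostname, or nil. This is
// what the "Protected" link resolves through.
func (s *Store) ProxyFor(hostname string) *HTTPProxy {
	for _, p := range s.Proxies {
		for _, h := range p.Hostnames {
			if h == hostname {
				return p
			}
		}
	}
	return nil
}

// ProtectHostname implements the reuse rule: if the hostname is already on a
// proxy, nothing changes; if a proxy with the same backend exists, the hostname
// is added to its spec.hostnames; otherwise a new proxy with default WAF config
// is created.
func (s *Store) ProtectHostname(hostname, backend string) Result {
	if p := s.ProxyFor(hostname); p != nil {
		return Result{Proxy: p} // idempotent: already protected
	}
	for _, p := range s.Proxies {
		if p.Backend == backend {
			p.Hostnames = append(p.Hostnames, hostname)
			sort.Strings(p.Hostnames) // deterministic order for diffs and review
			return Result{Proxy: p}
		}
	}
	s.nextID++
	p := &HTTPProxy{
		Name:      fmt.Sprintf("proxy-%d", s.nextID),
		Backend:   backend,
		Hostnames: []string{hostname},
		WAFPolicy: defaultWAFPolicy,
	}
	s.Proxies = append(s.Proxies, p)
	return Result{Proxy: p, Created: true}
}

func main() {
	// Constructed starting state: one proxy already protects datum.design.
	s := &Store{Proxies: []*HTTPProxy{{
		Name: "proxy-datum-design", Backend: "https://waf-demo.vercel.app",
		Hostnames: []string{"datum.design"}, WAFPolicy: defaultWAFPolicy,
	}}}
	for _, req := range [][2]string{
		{"app.datum.design", "https://waf-demo.vercel.app"}, // same backend: reuse
		{"app.datum.design", "https://waf-demo.vercel.app"}, // repeat: no-op
		{"legacy.datum.design", "http://203.0.113.10"},      // new backend: create
	} {
		r := s.ProtectHostname(req[0], req[1])
		fmt.Printf("%-20s -> %s created=%v hostnames=%v\n", req[0], r.Proxy.Name, r.Created, r.Proxy.Hostnames)
	}
}
```

Matching on the exact backend string (scheme included) keeps an HTTPS hostname origin and an HTTP IP origin on separate proxies even when they resolve to the same server, which is the behaviour the origin TLS guidance above requires.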

Motivation

Users frequently start in DNS and want a fast way to enable AI Edge protection for a hostname. Today this requires multiple steps across DNS and AI Edge pages.
This feature provides a fast path from DNS to AI Edge while keeping DNS as the authoritative view of zone contents.

Before protection:

Client → datum.design / app.datum.design → waf-demo.vercel.app

After protection:

Client → datum.design / app.datum.design → AI Edge (HTTPProxy + WAF ready) → waf-demo.vercel.app

Goals

  • For eligible record types (A/AAAA/CNAME/ALIAS) without AI Edge, show a Protect button
  • For hostnames with AI Edge enabled, show Protected status
  • Protected status links to the AI Edge configuration page for that hostname
  • Clicking Protect provisions AI Edge (HTTPProxy + WAF) for the hostname
  • DNS routing is updated to route through Datum using an ALIAS record
  • If a proxy already exists with a matching backend endpoint:
    • Add the hostname to that proxy’s spec.hostnames
    • Do not create a new proxy
  • If no matching proxy exists:
    • Create a new HTTPProxy
  • After provisioning, the DNS list reflects the protected state (Protected)
  • DNS continues to show the actual zone contents

Non-Goals

No response
