Dynamic Media delivery domain questions

Learn about available delivery domain options for Dynamic Media/Dynamic Media Classic domains and if a Certification Authority Authorization (CAA) record is applicable when a subdomain is used for Dynamic Media delivery.

Description description

Environments

  • Adobe Dynamic Media (ADM)
  • Adobe Dynamic Media Classic (ADMC)

Issue/Symptoms

List of questions concerning the setup, functionality, and maintenance of Dynamic Media/Dynamic Media Classic delivery domains.

Resolution resolution

What type of delivery domain options are there for Dynamic Media/ Dynamic Media Classic?

There are three types of delivery domains

  1. A generic domain that is configured as part of the provisioning. This is a domain like s7d9.scene7.com, s7g10.scene7.com, and s7ap1.scene7.com. These delivery domains are in use by a series of users. For this reason, Smart Imaging cannot be turned on for domains of this type at this stage. This will change over te summer of 2024. Support for SmartImaging on generic domains will be added until the end of August 2024.
  2. Specific scene7.com subdomain, like customer.scene7.com. On this type of domain, Smart Imaging can be set up, or added at a later stage.
  3. Subdomains owned by you, like assets.customer.com. These is also referred to as a vanity domain. One such subdomain can be set up as part of any Dynamic Media contract. Any additional ones need to be contracted separately. On this type of domain, Smart Imaging can be set up or added at a later stage.

How is the certificate for any scene7.com delivery domain maintained?

Scene7.com subdomains that have been set up in 2021 or earlier are pointing to the enhanced TLS *.scene7.com certificate. Scene7.com subdomains set up in 2022 or later are pointing to the Standard TLS *.scene7.com certificate. The latter has slightly better performance than the former and is, therefore, the preferred option. Whenever either of these certs is about one or two months before expiring, it is renewed automatically by Adobe. There is no action point for the customer. This applies to both the generic as well as the customer specific scene7.com subdomains.

What certificate options are there for vanity domains?

The standard option is to include the subdomain in one of the Adobe-managed SAN certificates hosted at the CDN. With this option, the CNAME of the subdomain to the edgehost at the CDN can be used as a form of DCV (Domain Control Verification) by the CA (DigiCert) to include the subdomain in a cert and issue that to Adobe. For this very same reason, the CNAME needs to remain in place for as long as the customer wants to serve Dynamic Media content through that delivery domain. Adobe renews the SAN certs automatically about a month before they expire. Any subdomains no longer CNAMEd will be removed from the SAN cert on the next renewal.

The setup steps for this option are as follows:

  1. Open a support ticket for the setup. Support would instruct you to set up a CNAME to the SAN cert next up for renewal.
    subdomain.domain.com IN CNAME something-or-other.scene7.com.edgekey.net

  2. You will have to get this done by your domain administrator and notify support through the ticket.

    1. Adobe has the CDN issue a CSR, including your subdomain.
    2. Adobe has the CA DigiCert issue a cert based on that CSR.
    3. Adobe deploys the cert at the CDN.
    4. Adobe configures the CDN mapping
    5. If desired, Adobe activates Smart Imaging.

When Step 2 is in place, the ETA is normally 1 month, as the cert update process is done once monthly.

If your domain policy does not allow the inclusion of a subdomain in an Adobe SAN cert, or if the policy dictates that your subdomain can only be included in a cert issued by a CA different from DigiCert (through a CAA record), then there is the option to host a dedicated cert at the CDN with as many subdomains as you need. This is a paid option that you would need to discuss with your CSM, and get it contracted before Adobe can proceed with the setup.

Can we have a CAA record on our domain when a subdomain is used for Dynamic Media delivery?

It is possible to have a CAA record on the domain, but if a subdomain is or is to be used for Dynamic Media delivery, there needs to be a CAA record that allows digicert.com to issue certs. If this is not the case, DigiCert cannot include a subdomain in a cert.

recommendation-more-help
3d58f420-19b5-47a0-a122-5c9dab55ec7f