Skip to main content
This guide prepares a domain for use with a Datum AI Edge by creating a DNS zone, an apex ALIAS record, and a subdomain CNAME — all pointing at the AI Edge endpoint.
This guide assumes your domain is already delegated to Datum nameservers. See DNS for nameserver details and ALIAS record behavior.

Prerequisites

  • datumctl installed and authenticated
  • A valid Project
  • Domain delegated to Datum nameservers

Configuration Steps

Step 1: Set Variables

The TARGET value is your AI Edge endpoint hostname. Find it in the Datum portal under your AI Edge’s generated hostname, or via:
datumctl get httpproxy <name> --namespace default -o yaml

Windows (PowerShell)

$PROJECT   = "your-project-id"
$NAMESPACE = "default"
$ZONE      = "your-zone-name"
$DOMAIN    = "your-domain.example.com"
$TARGET    = "your-endpoint.datumproxy.net."

macOS / Linux

PROJECT="your-project-id"
NAMESPACE="default"
ZONE="your-zone-name"
DOMAIN="your-domain.example.com"
TARGET="your-endpoint.datumproxy.net."
TARGET must include a trailing dot. Without it, the value will be treated as a relative name and DNS resolution will fail.

Step 2: Create the DNS Zone

Windows (PowerShell)

@"
apiVersion: dns.networking.miloapis.com/v1alpha1
kind: DNSZone
metadata:
  name: $ZONE
  namespace: $NAMESPACE
spec:
  dnsZoneClassName: datum-external-global-dns
  domainName: $DOMAIN
"@ | datumctl apply -f - --project $PROJECT --validate=false

macOS / Linux

cat <<EOF | datumctl apply -f - --project $PROJECT --validate=false
apiVersion: dns.networking.miloapis.com/v1alpha1
kind: DNSZone
metadata:
  name: $ZONE
  namespace: $NAMESPACE
spec:
  dnsZoneClassName: datum-external-global-dns
  domainName: $DOMAIN
EOF
--validate=false disables client-side schema validation. It is required here because datumctl does not bundle schemas for DNS API types locally.
Verify the zone is accepted and programmed:
datumctl get dnszones --project $PROJECT --namespace $NAMESPACE
Wait until both ACCEPTED and PROGRAMMED show True before proceeding.

Step 3: Create the Apex ALIAS Record

Points the root domain (@) at the AI Edge endpoint.

Windows (PowerShell)

@"
apiVersion: dns.networking.miloapis.com/v1alpha1
kind: DNSRecordSet
metadata:
  name: ${ZONE}-apex
  namespace: $NAMESPACE
spec:
  dnsZoneRef:
    name: $ZONE
  recordType: ALIAS
  records:
    - name: "@"
      ttl: 300
      alias:
        content: $TARGET
"@ | datumctl apply -f - --project $PROJECT --validate=false

macOS / Linux

cat <<EOF | datumctl apply -f - --project $PROJECT --validate=false
apiVersion: dns.networking.miloapis.com/v1alpha1
kind: DNSRecordSet
metadata:
  name: ${ZONE}-apex
  namespace: $NAMESPACE
spec:
  dnsZoneRef:
    name: $ZONE
  recordType: ALIAS
  records:
    - name: "@"
      ttl: 300
      alias:
        content: $TARGET
EOF

Step 4: Create a Subdomain CNAME

Points a subdomain (e.g., app.your-domain.example.com) at the same endpoint.

Windows (PowerShell)

@"
apiVersion: dns.networking.miloapis.com/v1alpha1
kind: DNSRecordSet
metadata:
  name: ${ZONE}-app-cname
  namespace: $NAMESPACE
spec:
  dnsZoneRef:
    name: $ZONE
  recordType: CNAME
  records:
    - name: "app"
      ttl: 300
      cname:
        content: $TARGET
"@ | datumctl apply -f - --project $PROJECT --validate=false

macOS / Linux

cat <<EOF | datumctl apply -f - --project $PROJECT --validate=false
apiVersion: dns.networking.miloapis.com/v1alpha1
kind: DNSRecordSet
metadata:
  name: ${ZONE}-app-cname
  namespace: $NAMESPACE
spec:
  dnsZoneRef:
    name: $ZONE
  recordType: CNAME
  records:
    - name: "app"
      ttl: 300
      cname:
        content: $TARGET
EOF

Verification

Check Record Status

datumctl get dnsrecordsets --project $PROJECT --namespace $NAMESPACE
Both records should show ACCEPTED=True and PROGRAMMED=True.

Check DNS Resolution

Windows (PowerShell)

Resolve-DnsName $DOMAIN
Resolve-DnsName "app.$DOMAIN"

macOS / Linux

dig $DOMAIN
dig app.$DOMAIN
Both names should resolve to the AI Edge endpoint.

Cleanup

Windows (PowerShell)

datumctl delete dnsrecordset ${ZONE}-app-cname `
  --project $PROJECT --namespace $NAMESPACE --ignore-not-found

datumctl delete dnsrecordset ${ZONE}-apex `
  --project $PROJECT --namespace $NAMESPACE --ignore-not-found

datumctl delete dnszone $ZONE `
  --project $PROJECT --namespace $NAMESPACE --ignore-not-found

macOS / Linux

datumctl delete dnsrecordset ${ZONE}-app-cname \
  --project $PROJECT --namespace $NAMESPACE --ignore-not-found

datumctl delete dnsrecordset ${ZONE}-apex \
  --project $PROJECT --namespace $NAMESPACE --ignore-not-found

datumctl delete dnszone $ZONE \
  --project $PROJECT --namespace $NAMESPACE --ignore-not-found

Troubleshooting

SymptomRoot CauseResolution
Zone stuck at PROGRAMMED=FalseDomain not delegated to Datum nameserversUpdate nameservers at your registrar
nslookup / dig returns NXDOMAINZone not yet propagatedWait 1–2 minutes and retry
ALIAS resolves to wrong addressTARGET missing trailing dotRe-apply the record with a trailing dot on the target
Record not appearing--validate=false omittedRe-apply with --validate=false

Summary

  • DNS zones use kind: DNSZone at dns.networking.miloapis.com/v1alpha1
  • The DNS zone class is always datum-external-global-dns — it is platform-provided and not user-configurable
  • Use recordType: ALIAS for the apex (@) and recordType: CNAME for subdomains
  • The TARGET value must include a trailing dot
  • All DNS apply commands require --validate=false
  • Delete record sets before deleting the zone
Last modified on June 3, 2026