DV certificate verification by DNS record

Certification authorities allow a DV certificate order to be verified in several ways, including via a DNS record. This option is suitable for any order that cannot be verified through the authority's verification email.

Standard DV certificate verification

The standard way to verify a DV certificate is for the authority to send a verification email to the domain being verified. The email can go to one of five fixed mailboxes on that domain (admin, administrator, hostmaster, postmaster or webmaster) or to the domain owner's or administrative contact's address. The certificate applicant must therefore have at least one of these mailboxes active in order to receive the email and confirm the order. The only alternative is to have the approver email sent to the domain's administrative contact or owner (the WHOIS contacts).

An alternative way to verify your domain

Certification authorities can verify a DV certificate order not only via email but also through a unique DNS record.

Select the option to verify the certificate via DNS record in the fifth step of the certificate order (Certificate verification and public key (CSR)).

Alternative DV certificate verification

After the certificate has been requested from the authority, the order detail shows the data you will use to verify the certificate via DNS.

Create DNS TXT record

For DNS verification of a domain, a DNS record of type TXT must be created in the zone file of the domain being verified. You will find this option in your registrar's domain administration, where DNS records are managed.
The data for creating the TXT record are listed in the certificate order detail and are unique to each order. You enter the prepared record into the DNS as shown below. In principle, this means setting a unique text value in a TXT record on the _dnsauth subdomain.

An example of a DNS record for domain verification:

_dnsauth.sslmarket.com. 3600 IN TXT pyzm2vngxyfgwbh5d04n7j9nl4zrp51v

The CA checks the TXT record in the domain's DNS at regular intervals. If the TXT record is correct, it automatically confirms the certificate order and issues the certificate. You no longer have to wait for a confirmation email.

DNS record check

The availability and correctness of the newly created DNS record can be checked with various tools that display the answer to a DNS query. UNIX-like operating systems include the dig program, which sends a query for a DNS record and displays the response. This program is not included with Windows, so we recommend using the Google Dig tool. After you enter the domain name (_dnsauth.zoner.com) and click on TXT, you will see the answer to the DNS query, which must contain the random string we gave you. The TXT record on the _dnsauth subdomain must contain that random string.

An example of a correct answer obtained by dig (in a Linux terminal):
dig TXT +additional _dnsauth.sslmarket.com. @8.8.4.4
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> TXT +additional _dnsauth.sslmarket.com. @8.8.4.4
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13209
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_dnsauth.sslmarket.com. IN TXT

;; ANSWER SECTION:
_dnsauth.sslmarket.com. 3056 IN TXT "pyzm2vngxyfgwbh5d04n7j9nl4zrp51v"

;; AUTHORITY SECTION:
sslmarket.com. 1256 IN SOA ns1.regzone.cz. administrator.czechia.cz. 2013071303 10800 1800 1814400 3600

;; Query time: 13 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Wed Aug 14 12:08:01 2013
;; MSG SIZE rcvd: 165
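
As an added example (not code from the original article), the following Python script checks a dig answer like the one above for the exact token: it parses the ANSWER section, joins TXT data that dig prints as several quoted strings, and can run dig against a public resolver when it is installed. The helper names and the constructed SAMPLE transcript are our own.

```python
# Added example, not code from the article: verify that the CA's DV token is
# published in the _dnsauth TXT record. Helper names are our own choice.
import re
import shutil
import subprocess

DNSAUTH_LABEL = "_dnsauth"  # subdomain label the CA queries, per the article


def dnsauth_name(domain: str) -> str:
    """Fully qualified name the CA queries, e.g. '_dnsauth.sslmarket.com.'."""
    return f"{DNSAUTH_LABEL}.{domain.strip().lower().rstrip('.')}."


def parse_dig_txt(output: str) -> dict:
    """Return the response status and the TXT strings in dig's ANSWER section."""
    m = re.search(r"status:\s*([A-Z]+)", output)
    txt, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            line = line[len(";; ANSWER SECTION:"):]  # record may share the line
        elif line.startswith(";"):
            in_answer = False  # any other ';;' header ends the answer section
        rr = re.search(r"\sIN\s+TXT\s+(.+)$", line) if in_answer else None
        if rr:
            # dig prints long TXT data as several quoted strings; join them
            parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rr.group(1))
            txt.append("".join(parts) if parts else rr.group(1).strip())
    return {"status": m.group(1) if m else None, "txt": txt}


def token_published(output: str, expected: str) -> bool:
    """True only if one TXT string equals the token exactly (case-sensitive)."""
    return expected in parse_dig_txt(output)["txt"]


def check_live(domain: str, expected: str, resolver: str = "8.8.4.4") -> bool:
    """Query a public resolver with dig (if installed) and check the token."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found; use a web-based dig tool instead")
    out = subprocess.run(["dig", "TXT", dnsauth_name(domain), f"@{resolver}"],
                         capture_output=True, text=True, check=False).stdout
    return token_published(out, expected)


# Constructed transcript shaped like the dig answer shown in the article.
SAMPLE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13209
;; ANSWER SECTION:
_dnsauth.sslmarket.com. 3056 IN TXT "pyzm2vngxyfgwbh5d04n7j9nl4zrp51v"
"""
```

Run check_live("sslmarket.com", "<token from your order detail>") once the record has propagated; a False result with status NXDOMAIN means the _dnsauth name does not exist yet at that resolver.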

DNS verification is quick and easy

The above verification method does not delay the issuing of the certificate. The authority checks the record at very short intervals, so you do not have to worry that issuance will be held up.

Are you having problems with domain verification?

Please feel free to contact our customer support, who will be happy to help you with any problems you may have.