DNS-based Domain Validation

DNS-based Domain Validation is a simple but more technical way to prove control of a domain to the Certificate Authority (CA) when Email DCV is not possible. The reasoning behind this method is that only someone who controls the domain's DNS zone can add a record to it, so the CA treats the presence of a specific record as proof of control.

This method will not work if you cannot add a DNS entry in your domain’s DNS manager settings.

Make sure you have access to your domain's DNS (Zone) manager settings. To do this, log in to the control panel of the service whose NS (name servers) are being used for your domain name. This can be your domain registrar, your web hosting service, or in some cases a CDN such as Cloudflare. If you are not comfortable with DNS settings, avoid this method: a wrong DNS entry or a mistaken deletion of an existing entry can take your website offline.


The option to select DNS DCV appears when you open the Certificate Enrollment form. It is the last option, after the Email and File DCV options.

DNS Domain Validation for Sectigo/Comodo certificates

The DNS entry type for Domain Validation of Sectigo/Comodo certificates is CNAME.

  1. Log into your domain’s Control Panel.
  2. Locate and select the DNS Zone Manager for your desired domain.
  3. Select the option to create a new CNAME Record.
  4. In the Host Name or Alias field, place the first unique value for your order as shown on your Order Details page in your account. This value begins with an underscore (“_”), and that character must be present in the record name.
  5. In the CNAME / Points To field, place the second unique value for your order as shown on your Order Details page in your account. This value ends with comodoca.com, and that suffix must be included in the record value.
  6. Set the TTL to 3600 (seconds) or the lowest option your provider allows.
  7. Click Save and wait for the record to propagate (typically about 15 minutes, depending on the TTL).

DNS Domain Validation for DigiCert/Symantec/Thawte/GeoTrust/RapidSSL certificates

The DNS entry type for Domain Validation of DigiCert/Symantec/Thawte/GeoTrust/RapidSSL certificates is TXT.

  1. Log into your domain’s hosting Control Panel.
  2. Locate and select the DNS Zone Manager for your desired domain.
  3. Select the option to create a new TXT Record.
  4. In the Host Name or Alias field, leave it blank or enter an @ symbol (both denote the zone apex, i.e. the bare domain name).
  5. In the TXT Value field, place the unique value that is displayed on your Order Details page within your account.
  6. Set the TTL to 3600 (seconds) or the lowest option your provider allows.
  7. Click Save and wait for the record to propagate (typically about 15 minutes, depending on the TTL).

Troubleshooting DNS DCV

After adding the DNS entry, wait 15 minutes or more, depending on the TTL (in seconds) you set on the record. Then check whether the DNS entry has propagated globally using a public DNS propagation checker. We provide a direct way to run this check from your certificate's Order Details page via a linked icon.

Enter the DNS entry name and the expected value and hit the Search button. You can then see whether the DNS entry has propagated globally.
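The same check can be done from a terminal. The script below is an added example, not part of this help page or of any CA tool; it assumes `dig` is installed, and the domain names and token values in it are constructed placeholders to be replaced with the values from your Order Details page. It queries each authoritative nameserver of the zone directly rather than your local resolver, so a stale cached answer cannot hide a record that is still missing, and it normalises the trailing dot, letter case and TXT quoting that `dig` prints before comparing.

```shell
#!/bin/sh
# Added example (not part of this help page or any CA tool): check a DCV record
# against every authoritative nameserver of the zone before waiting on the CA.
# Requires dig (bind-utils / dnsutils). Names and tokens below are constructed
# placeholders; substitute the values from your Order Details page.

# dig prints names with a trailing dot and TXT strings in double quotes, and DNS
# names are case-insensitive; normalise both sides before comparing.
normalize_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

normalize_txt() {
    printf '%s' "$1" | sed 's/^"//; s/"$//'
}

# record_matches TYPE OBSERVED EXPECTED -> exit 0 when the answer is the expected one
record_matches() {
    case "$1" in
        CNAME) [ "$(normalize_name "$2")" = "$(normalize_name "$3")" ] ;;
        TXT)   [ "$(normalize_txt  "$2")" = "$(normalize_txt  "$3")" ] ;;
        *)     return 2 ;;
    esac
}

# any_matches TYPE EXPECTED: read answer lines on stdin (dig +short output) and
# succeed if any of them matches; a zone apex often carries several TXT records
# (SPF, site-verification tokens), so the first line is not necessarily ours.
any_matches() {
    while IFS= read -r line; do
        record_matches "$1" "$line" "$2" && return 0
    done
    return 1
}

# check_dcv TYPE ZONE NAME EXPECTED: ask each authoritative nameserver for ZONE
# directly (@ns), so a stale answer cached by your local resolver cannot hide a
# record that is still missing on one of the servers the CA may query.
check_dcv() {
    rtype="$1"; zone="$2"; name="$3"; expected="$4"; rc=0
    servers="$(dig +short NS "$zone")"
    if [ -z "$servers" ]; then
        echo "FAIL  no authoritative nameservers found for $zone (is ZONE correct?)"
        return 1
    fi
    for ns in $servers; do
        if dig +short "$rtype" "$name" "@$ns" | any_matches "$rtype" "$expected"; then
            echo "OK    $ns: $rtype $name"
        else
            echo "FAIL  $ns: $rtype $name (expected $expected)"
            rc=1
        fi
    done
    return $rc
}

# Usage with constructed placeholder values:
#   check_dcv CNAME example.com _a1b2c3.example.com d4e5f6.comodoca.com
#   check_dcv TXT   example.com example.com 'a1b2c3d4e5f6-verification-token'
if [ "$#" -eq 4 ]; then
    check_dcv "$@"
fi
```

A FAIL from one nameserver while the others answer OK usually means the zone has not yet been transferred to that server; wait and re-run. A FAIL from every server means the record was saved in the wrong place or with the wrong name, which the list below helps to diagnose.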

If your DNS record has not propagated successfully, check if you have mistakenly added the record in the wrong place:

  1. If you bought your domain name from a domain registrar but host it with a different web hosting service, your domain may be using the web hosting service's NS (nameservers). In that case you need to add the DNS record in your web hosting control panel, not at the registrar.
  2. If your domain uses a CDN's nameservers, you need to add the DNS record in the CDN's control panel.

If the DNS entry is available globally, wait up to 30 minutes to receive your certificate files. You can also check the status on your Order Details page within your account. If you still do not receive your certificate files, reach out to us using the Contact Support option on your Order Details page.