How to correctly validate a domain using DNS record

Mar 26, 2021 | Jindřich Zechmeister

In this article we look at domain validation using a DNS record. This validation is performed when a certificate is requested, for every domain included in the order. It is carried out only automatically, so the rules described below must be followed exactly.

What is a DNS record

A DNS record is the basic piece of information a domain needs in order to work. DNS maps domain names and subdomains to the addresses of the servers that serve them; without it we would have to work with hard-to-remember IP addresses. Instead of google.com we would have to type 172.217.23.206 into the browser, which would be quite impractical.

Every domain registrar provides access to the domain name system, and its records are easy to edit; see the next paragraph. There are many DNS record types, each for a different purpose. Here we are interested in the TXT type, which carries additional information in the form of free text.

DNS record settings and its form

You set up a TXT record by editing the DNS records at your registrar. It is good to know that registrars use two conventions for the name (host) field of a record. Either you enter the fully qualified name (i.e. something.domain.com), or you leave out the base domain and enter only the subdomain label, with the character "@" standing for the bare domain itself ("something" or @ instead of the whole name). Check which convention your registrar uses: entering the fully qualified name into a field that expects the relative form produces a record for something.domain.com.domain.com, which will never be found.

Note that the random string is not enclosed in quotation marks when you enter it; quotation marks are not part of the validated value.

Set the TXT record carrying the verification value (the random string) on the primary domain. If the domain zone already contains a number of records, you can instead place the verification record on the _dnsauth subdomain; this avoids collisions with other records and is checked by the certification authority as well.

After you save the DNS record, it is updated and available within a few minutes. The certification authority queries the name servers assigned to the domain at short intervals and obtains the new record with almost no delay. It is certainly not necessary to wait for the "propagation" of the DNS change as with ordinary domain edits.

Setting up your own DNS authentication email

This newer verification option combines a DNS setting with email verification. You probably already know that verification by email must use one of the addresses that the verification messages go to by default (admin, administrator ...). If you have no mailbox on the domain being verified, you can designate a different address for the verification emails by publishing it in DNS, alongside the method using the verification string described above.

The TXT record in DNS is then built as follows (replace domain.com with your domain and john@gmail.com with the address that should receive the verification emails):

_validation-contactemail.domain.com IN TXT john@gmail.com

The advantage of this procedure is that the address stays set for the domain until you change it, and the verification emails are sent to it automatically; nothing further is needed. By contrast, the verification string in DNS must be set anew for each certificate order and renewal.

DNS record check

You can check the new DNS record in many ways. For most users the easiest is an online lookup, using services such as Google's Dig (DNS lookup) tool, or the Dig web interface, which offers advanced options. These web tools show the result immediately after you enter the query.

On Linux, Unix or macOS you can use the dig program. Run it in the terminal, for example dig A gmail.com: the dig command is followed by the type of record you want to obtain (A, CNAME, TXT, MX, etc.) and the name to query.

The response arrives immediately; the record you asked for is in the ANSWER SECTION:

;; ANSWER SECTION:
gmail.com.              158     IN      A       77.75.79.53

;; Query time: 2 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Jan 31 09:11:02 CET 2019
;; MSG SIZE  rcvd: 54

When you verify the newly set TXT record (query the TXT type for the domain, or for the _dnsauth subdomain if you used it), the verification text, the so-called random string, appears on the right side of the record. dig prints TXT strings in quotation marks in its output; they are not part of the stored value. Any other TXT records on the same name (an SPF record, for example) are listed as well, which does not matter.

;; ANSWER SECTION:
domain.com.             3600    IN      TXT     "drvkpmgxlgn0y3s7mg7qnjd1ymhjyvqd"
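The following is an added example, not code from the original article. It is a small POSIX shell script that models the two registrar name-field conventions described above (the fully qualified form versus the relative form with @ for the bare domain) and checks the output of dig for the verification string the way the certification authority compares it: exact match, quotation marks stripped. The zone domain.com, the token and the dig output it parses are constructed sample data; the check_live function is the only part that needs the dig binary and network access.

```shell
#!/bin/sh
# Added example, not code from the original article. The zone "domain.com",
# the token and the dig output below are constructed sample data.

# Build the fully qualified name from what you typed into the registrar's
# name/host field. mode=relative: the field is relative to the zone and "@"
# (or an empty field) means the zone apex. mode=absolute: the field holds
# the whole name, optionally with a trailing dot.
fqdn() {
  zone=$1 name=$2 mode=$3
  case "$mode" in
    relative)
      case "$name" in
        ""|@) printf '%s\n' "$zone" ;;
        *)    printf '%s.%s\n' "$name" "$zone" ;;
      esac ;;
    absolute)
      printf '%s\n' "${name%.}" ;;
    *)
      echo "fqdn: mode must be relative or absolute" >&2; return 1 ;;
  esac
}

# Turn dig's presentation of TXT records (read from stdin) back into the
# stored strings: join the chunks of a multi-string record and drop the
# surrounding quotes. Escaped quotes inside a value (\") are left as printed.
txt_strings() {
  sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Exit 0 when the exact token is one of the TXT strings read from stdin.
# The comparison is whole-line and literal, so a value that was entered
# with its own quotation marks, or with trailing spaces, does not match,
# which is also what the certification authority would see.
has_token() {
  txt_strings | grep -qxF -- "$1"
}

# Live check (needs dig and network access; not run here): look at the
# apex first, then at the _dnsauth subdomain. Add @<authoritative server>
# to the dig command to bypass your local resolver's cache.
check_live() {
  zone=$1 token=$2
  for n in "$zone" "_dnsauth.$zone"; do
    if dig +short TXT "$n" | has_token "$token"; then
      echo "token found at $n"; return 0
    fi
  done
  echo "token not found at $zone or _dnsauth.$zone" >&2
  return 1
}

# Constructed sample of what `dig +short TXT domain.com` prints: an SPF
# record, the verification token, and a multi-string record shown as two
# quoted chunks on one line.
SAMPLE_APEX='"v=spf1 include:_spf.domain.com ~all"
"drvkpmgxlgn0y3s7mg7qnjd1ymhjyvqd"
"first-half-of-a-" "long-record"'

# The same token entered with literal quotation marks at the registrar:
# dig prints the escaped quotes and the value no longer matches.
SAMPLE_QUOTED='"\"drvkpmgxlgn0y3s7mg7qnjd1ymhjyvqd\""'

TOKEN=drvkpmgxlgn0y3s7mg7qnjd1ymhjyvqd

fqdn domain.com @ relative                     # domain.com
fqdn domain.com _dnsauth relative              # _dnsauth.domain.com
fqdn domain.com _dnsauth.domain.com relative   # _dnsauth.domain.com.domain.com (the usual mistake)
fqdn domain.com _dnsauth.domain.com. absolute  # _dnsauth.domain.com

printf '%s\n' "$SAMPLE_APEX"   | has_token "$TOKEN" && echo "apex: token visible"
printf '%s\n' "$SAMPLE_QUOTED" | has_token "$TOKEN" || echo "quoted: token NOT visible"
```

The SERVER line in the dig output above (127.0.0.53) shows that the query went to a local stub resolver, so what you see may be a cached answer; when checking a record you have just created, pass @ followed by one of the domain's authoritative name servers to dig to see what the certification authority sees.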

Please contact support in case of problems

In very rare cases there may be a collision between records or another problem that prevents the verification from completing. We recommend waiting 1-2 hours; if the certificate has still not been verified and issued, contact our support and state the order number or the domain.