DV certificate validation by a DNS record

Symantec family certificate authorities enable you to validate a DV certificate order in several ways, including validation by a DNS record. This method is suitable for any order that cannot be validated by the authority's validation email message.

Standard DV certificate validation

The standard method of validating a DV certificate is to send an email message with a unique link to the domain being validated. Five mailboxes on the domain can be used, plus the email address of the domain owner or administrative contact. The certificate applicant must have one of the following mailboxes active on the domain being validated: admin, administrator, hostmaster, postmaster or webmaster. Until now, the only alternative was forwarding the authority's message to the address of the domain's administrative contact or its owner (contacts from WHOIS).

An alternative option to validate the domain

Certificate authorities in our portfolio can validate DV certificate orders not just via an email message, but also through a unique DNS record.

The option to validate the certificate through a DNS record can be selected in the fifth step during the certificate order (Certificate validation and public key (CSR)).

Alternate option of DV certificate vetting

After requesting your certificate from the authority, you will see the data for validating the certificate via DNS in the order detail.

Creating DNS TXT record

To validate the domain by DNS, you have to create a TXT DNS record in the zone file of the validated domain. You can find this option in the domain administration of your registrar, where you can set your DNS records.
The data for creating the TXT record is displayed in the certificate order detail and is unique for each order. Enter the prepared record exactly as shown there into DNS. An example of a DNS record for validating a domain through DNS:

sslmarket.co.uk. 3600 IN TXT 20170313115848xw7ce3rd0qs5i41avvbc2v9e6u4xjgtsh0vem6czhacn4m6cmp

The authority will regularly check the TXT record in the domain DNS. If the TXT record is OK, the certificate order will be automatically confirmed and issued. There will be no need to wait for the confirmation email message.

DNS record check

You can check that the newly created DNS record is available and correct using any of several tools that display the answer to a DNS query. UNIX operating systems include the dig utility, which can send a query for a DNS record and display the answer. The Windows operating system does not include this program, so we recommend using an online version of dig.

Enter the domain, e.g. validateddomain.co.uk, in the left column named "Hostnames or IP addresses". In the Type dropdown menu, choose TXT. After clicking the DIG button you will see the answer to your DNS request.

dig TXT +additional sslmarket.co.uk. @
; <<>> DiG 9.10.3-P4-Ubuntu <<>> TXT +additional sslmarket.co.uk. @
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39603
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;sslmarket.co.uk. IN TXT

sslmarket.co.uk. 3599 IN TXT

;; Query time: 151 msec
;; WHEN: Wed Mar 15 08:07:28 CET 2017
;; MSG SIZE rcvd: 117
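
The same check can be scripted. The POSIX shell script below is an added example, not part of the original article or SSLmarket's tooling: it asks each authoritative name server for the TXT records with dig and succeeds only on an exact match of the order's token. The function names, the script name and the sample SPF record are assumptions; the token is the sample value from the record example above.

```shell
#!/bin/sh
# Added example (not SSLmarket's code). TOKEN is the article's sample value;
# use the value shown in your own order detail.
TOKEN=20170313115848xw7ce3rd0qs5i41avvbc2v9e6u4xjgtsh0vem6czhacn4m6cmp

# Turn `dig +short TXT` output (stdin) into one bare value per line. dig
# prints each record as quoted character-strings; a value longer than
# 255 bytes appears as several strings: "part1" "part2".
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Exit 0 only if one TXT value equals the token exactly. A whole-line match
# ignores SPF and other records on the same name and rejects truncated pastes.
txt_has_token() {
    normalize_txt | grep -Fxq -- "$1"
}

# Constructed sample of `dig +short TXT sslmarket.co.uk` output (not real data).
sample_dig_output() {
    printf '%s\n' '"v=spf1 mx -all"' "\"$TOKEN\""
}

# Ask every authoritative name server directly, so a resolver cache cannot
# hide a missing or stale record. Needs dig and network access.
check_domain() {
    domain=$1; token=$2; rc=0
    servers=$(dig +short NS "$domain")
    [ -n "$servers" ] || { echo "no NS records for $domain" >&2; return 2; }
    for ns in $servers; do
        if dig +short TXT "$domain" "@$ns" | txt_has_token "$token"; then
            echo "OK      $ns"
        else
            echo "MISSING $ns"; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check_txt.sh <domain> <token>
if [ "$#" -ge 2 ]; then check_domain "$1" "$2"; fi
```

A MISSING line for only some name servers usually means the zone has not yet been synchronised to every server, or the record was created under the wrong name.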

DNS validation is quick and simple

Validating a certificate via DNS does not delay the certificate issuance process. The authority performs the check at very short intervals, so you don't have to worry that issuance will be held up. During DNS validation you do not have to wait for the DNS records to propagate, which usually takes up to 48 hours.

SSLmarket has simplified the validation method described above as much as possible, so creating the DNS record or validation file does not have to delay you.

Having trouble during alternative domain validation?

If necessary, feel free to contact our Customer support, who will guide you through the domain validation process described above.