DeZo1 (United States of America) asked:

Domain Validation via DNS at subdomain level possible?

Domain Validation via DNS or HTML; at the first level subdomain.
I am in a situation where I have been provided the FQDN to use.  I need to get several certificates for, using DNS DV.  I do not control any of the DNS entries for the or; I have to send change requests to a DNS admin group.  I applied for an SSL and had the state DNS admins create a DV record.  The DV record was created at the first-level subdomain city.  The SSL provider needs the DV record to be located at the primary root domain level.  The state DNS admins are unwilling to make the record at this level (the same is true for the HTML method).

Does anyone know of an SSL provider that will perform DV at the subdomain level?

Thanks for your consideration of this question.
David Favor (United States of America):

What you're asking to do is very easy with certs, so long as you have full access to your DocumentRoot directory for site content.

If you have access, then here's the command...

certbot-auto certonly --dry-run --no-self-upgrade --non-interactive --rsa-key-size 4096 --email $email --agree-tos --webroot -w /path/to/docroot -d

Once you get a successful run, then remove --dry-run.

Tip: Always start with --dry-run, as running many failing cert requests will hit rate limiting very quickly.
DeZo1:

Hi David,

Thanks for the response.  Can you clarify document root?

If I have, to me the document root is, which I do not have access to.

If in this case is the document root then that is what I am looking for. looks to be specifically geared toward SSL certs for websites.  I am specifically looking for a SAN SSL that can validate via DNS at the subdomain record level for an email server.  Additionally, I have appliances like a helpdesk, KVM, filters, etc. that don't have the ability to run an agent or provide shell access.

Any traditional SSL providers that DV at the subdomain level?  AWS will validate a domain at via CNAME record and issue an SSL; however, while the SSL is free, it is only available for use on AWS-hosted services.
Graham N. (United Arab Emirates):

[answer hidden; the site requires an account to view it]

DocumentRoot is the directory serving content for a given site.

So in your case you require providing certbot-auto writeable access to the site content, which means you must truly own full access to this site for this to work.

Otherwise you must have the owner request a cert for you... which... well... you might be old + gray before you get any one to provide this for you. And if you do this, then you'll have to go through the request process every year.

You can't do what you're asking (validate at DNS level) unless you actually own access to the zone file + reload process for every DNS instance for the zone. If you do have this access, you can use one of the many LetsEncrypt clients, if you use a standard DNS server (like named) which has an existing client written... else you must write your own client...

There is no TLS (SSL has been dead for years) validation of CNAME records anymore. This was deprecated several years ago.

There are... ugly workarounds which still work a bit. Eventually all browsers will report a cert pinned to a CNAME site as suspicious... because A records return IP addresses + CNAMEs can be chained + hacked.

Best avoid any CNAME shenanigans at this point, else eventually all visitors will see a suspicious site message.

Summary: After working through the lengthy process of requesting any government action... best use LetsEncrypt... so you're done with this in a few minutes, with no other government request required.

The majority of (paid) certificate issuers use CNAME records for domain name validation, and this has nothing to do with whether SSL or TLS is used, nor is the method deprecated.

Other methods adopted for domain name validation include the placement of TXT records in DNS and dropping flat text files into the "document root" of the domain being validated.

If the argument "Eventually all browsers will report an cert pinned to a CNAME site as suspicious" were true, then this would equally apply to "LetsEncrypt" certificates. Further, following that argument, then having a 90 day expiration and providing no financial security whatsoever (i.e. LetsEncrypt certificates) should be equally suspicious from a "browser" perspective.
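An added worked example, written for this page and not code from any of the posters or from certbot: it shows how an ACME (RFC 8555) client and CA derive the two validation values the replies above argue about, the HTTP-01 file body that `certbot --webroot` drops into the document root, and the DNS-01 TXT value that goes at `_acme-challenge.<host>`, then walks a constructed record table in which the state-run zone holds only a CNAME for that challenge name and the TXT record lives in a zone the requester controls. The point a practitioner should take from it is that the DNS-01 record hangs off the validated hostname itself, not the zone apex, and that a CNAME from that name is enough to delegate the rest. All hostnames (`mail.city.state.example`, `mail.acme-dv.requester.example`), the token and the account key are made up; the JWK modulus is a placeholder, not a real key.

```python
import base64
import hashlib
import json

# Constructed (hypothetical) names for illustration only.
HOST = "mail.city.state.example"      # the FQDN being validated
ACME_PREFIX = "_acme-challenge."


def b64url(data: bytes) -> str:
    """base64url without '=' padding (RFC 4648 section 5), as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' account-key thumbprint. For HTTP-01 this
    exact string is the body served at
    http://<host>/.well-known/acme-challenge/<token> (what --webroot writes)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT value at _acme-challenge.<host> is
    base64url(SHA-256(key authorization)). The record sits under the
    validated name, not at the zone apex."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def _fqdn(name: str) -> str:
    """Normalise to a lower-case, dot-terminated owner name."""
    return name.lower().rstrip(".") + "."


def resolve_txt(name: str, records: dict, max_hops: int = 8):
    """Follow CNAMEs in a constructed record table until a TXT RRset is found.
    Returns (owner_name, [txt values]); an empty list means no answer.
    This mirrors what the CA's resolver does when _acme-challenge.<host>
    is a CNAME into a zone the requester controls."""
    name = _fqdn(name)
    for _ in range(max_hops + 1):
        rrset = records.get(name)
        if rrset is None:
            return name, []
        rtype, rdata = rrset
        if rtype == "CNAME":
            name = _fqdn(rdata)
            continue
        if rtype == "TXT":
            return name, list(rdata)
        return name, []
    raise RuntimeError("CNAME chain exceeds %d hops" % max_hops)


def dns01_validates(host: str, token: str, jwk: dict, records: dict) -> bool:
    """True if any TXT value reached from _acme-challenge.<host> equals the
    expected DNS-01 value (RFC 8555 section 8.4, validation step)."""
    _, values = resolve_txt(ACME_PREFIX + host, records)
    return dns01_txt_value(token, jwk) in values


# Constructed sample inputs: a placeholder account key (not a real RSA key)
# and a token of the form a CA hands out.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# Constructed zone data: the state-run zone carries only a CNAME for the
# challenge name; the TXT lives in a validation zone the requester controls.
ZONE = {
    _fqdn(ACME_PREFIX + HOST): ("CNAME", "mail.acme-dv.requester.example."),
    _fqdn("mail.acme-dv.requester.example"): ("TXT", [dns01_txt_value(TOKEN, ACCOUNT_JWK)]),
}

if __name__ == "__main__":
    print("HTTP-01 body:", key_authorization(TOKEN, ACCOUNT_JWK))
    print("DNS-01 TXT  :", dns01_txt_value(TOKEN, ACCOUNT_JWK))
    print("validates   :", dns01_validates(HOST, TOKEN, ACCOUNT_JWK, ZONE))
```

In practice the CNAME is a one-time request to whoever runs the parent zone; every later renewal only touches the TXT record in the requester's own zone. The CNAME target must resolve from the public internet, since the CA queries it from outside, and a chain that loops or exceeds the hop limit fails validation just as a missing record does.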
DeZo1:

I used Comodo Positive SSL as recommended.  Thank you, it provided the validation level I needed.