DeZo1 asked:

Domain Validation via DNS at subdomain level possible?

Domain Validation via DNS or HTML; at the first level subdomain.
I am in a situation where I have been provided the FQDN city.state.gov to use. I need to get several certificates for city.state.gov, using DNS DV. I do not control any of the DNS entries for city.state.gov or state.gov; I have to send change requests to a DNS admin group. I applied for an SSL and had the state DNS admins create a DV record. The DV record was created at the first-level subdomain, city. The SSL provider needs the DV record to be located at the primary root domain level, state.gov. The state DNS admins are unwilling to make the record at this level (the same is true for the HTML method).

Does anyone know of an SSL provider that will perform DV at the subdomain city.state.gov level?

Thanks for your consideration of this question.

Last comment: 8/22/2022 (Mon)
David Favor

What you're asking to do is very easy with https://LetsEncrypt.org certs, so long as you have full access to your DocumentRoot directory for site content.

If you have access, then here's the command...

certbot-auto certonly --dry-run --no-self-upgrade --non-interactive --rsa-key-size 4096 --email $email --agree-tos --webroot -w /path/to/docroot -d city.state.gov


Once you get a successful run, then remove --dry-run.

Tip: Always start with --dry-run, as running many failing cert requests will hit rate limiting very quickly.

Hi David,

Thanks for the response. Can you clarify document root?

If I have city.state.gov, to me the document root is state.gov, which I do not have access to.

If in this case city.state.gov is the document root then that is what I am looking for.

Letsencrypt.org looks to be specifically geared toward ssl certs for websites.  I am specifically looking for SAN SSL that can validate via DNS at the sub domain record level for Email server.  Additionally I have appliances like a helpdesk, kvm, filters, etc that don’t have the ability to run an agent or provide shell access.

Any traditional SSL providers that DV at the subdomain level? AWS will validate a domain at city.state.gov via a CNAME record and issue an SSL; however, while the SSL is free, it is only available for use on AWS-hosted services.
David Favor

DocumentRoot is the directory serving content for a given site.

So in your case you need to give certbot-auto writable access to the city.state.gov site content, which means you must truly own full access to this site for this to work.

Otherwise you must have the state.gov owner request a cert for you... which... well... you might be old + gray before you get any one to provide this for you. And if you do this, then you'll have to go through the request process every year.

You can't do what you're asking (validate at DNS level) unless you actually own access to the state.gov zone file + reload process for every DNS instance for the state.gov zone. If you do have this access, you can use one of the many LetsEncrypt clients, if you use a standard DNS server (like named) which has an existing client written... else you must write your own client...

There is no TLS (SSL has been dead for years) validation of CNAME records anymore. This was deprecated several years ago.

There are... ugly workarounds which work a bit still. Eventually all browsers will report a cert pinned to a CNAME site as suspicious... because A records return IP addresses + CNAMEs can be chained + hacked.

Best avoid any CNAME shenanigans at this point, else eventually all visitors will see a suspicious site message.

Summary: After working through the lengthy process of requesting any government action... best use LetsEncrypt... so you're done with this in a few minutes, with no other government request required.
Graham N.

The majority of (paid) certificate issuers use CNAME records for domain name validation, and this has nothing to do with whether SSL or TLS is used, nor is the method deprecated.

Other methods adopted for domain name validation include the placement of TXT records in DNS and dropping flat text files in to the "document root" for the domain being validated.

If the argument "Eventually all browsers will report an cert pinned to a CNAME site as suspicious" were true, then this would equally apply to "LetsEncrypt" certificates. Further, following that argument, then having a 90 day expiration and providing no financial security whatsoever (i.e. LetsEncrypt certificates) should be equally suspicious from a "browser" perspective.
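Both answers above turn on where the validation record actually has to live. The script below is an added example for this thread, not code from either poster: it builds the http-01 (webroot file) and dns-01 (TXT record) challenge responses that an ACME client such as certbot publishes for city.state.gov, per RFC 8555 sections 8.1, 8.3 and 8.4, and then plays the validator side against a constructed zone to show the CNAME-delegation pattern (one permanent CNAME at _acme-challenge.city.state.gov pointing into a zone you control, where you rotate the TXT value on each renewal). The account key, the token, the zone data and the name acme-dv.example are all constructed for illustration. Whether a given commercial CA's validator follows that CNAME, or insists on a record at state.gov, is that CA's policy, which is exactly what the asker ran into.

```python
"""ACME (RFC 8555) challenge responses for city.state.gov.

Added example for this thread, not code from the original posts. Shows that
neither challenge lands at state.gov: the http-01 file is served from
city.state.gov's own DocumentRoot, and the dns-01 TXT record is owned by
_acme-challenge.city.state.gov (the validated name with _acme-challenge
prepended). Account key, token and zone data are constructed.
"""
import base64
import hashlib
import json

FQDN = "city.state.gov"

# Constructed ACME account key (public half, JWK form). Real keys are RSA
# or P-256 EC; the thumbprint rule below is the same either way.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "x-coordinate-constructed", "y": "y-coordinate-constructed"}

# Constructed challenge token, in the shape a CA hands out (base64url, >=128 bits).
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    keys sorted lexicographically, no whitespace. Optional members such as
    kid or alg must not influence the value, so they are dropped here."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: token '.' thumbprint(account public key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_challenge(fqdn: str, token: str, jwk: dict) -> dict:
    """http-01, i.e. what certbot --webroot writes: the CA fetches this URL
    over plain HTTP on port 80 and expects the key authorization as the body."""
    return {
        "url": f"http://{fqdn}/.well-known/acme-challenge/{token}",
        "webroot_path": f".well-known/acme-challenge/{token}",
        "body": key_authorization(token, jwk),
    }


def dns01_challenge(fqdn: str, token: str, jwk: dict) -> dict:
    """dns-01: a TXT record at _acme-challenge.<fqdn> whose value is
    base64url(SHA-256(key authorization)). The owner name is derived from
    the name being validated, not from the registrable domain."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return {"name": f"_acme-challenge.{fqdn}", "type": "TXT", "value": b64url(digest)}


def resolve_txt(name: str, zone: dict, max_hops: int = 8) -> list:
    """Return the TXT strings at `name`, following CNAMEs the way a recursive
    resolver does. `zone` is a constructed stand-in for live DNS:
    owner name (with trailing dot) -> list of (rrtype, rdata)."""
    name = name.rstrip(".") + "."
    for _ in range(max_hops):
        rrset = zone.get(name, [])
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if cnames:
            name = cnames[0].rstrip(".") + "."
            continue
        return [rdata for rtype, rdata in rrset if rtype == "TXT"]
    raise RuntimeError(f"CNAME chain ending at {name} exceeds {max_hops} hops")


def dns01_is_satisfied(fqdn: str, token: str, jwk: dict, zone: dict) -> bool:
    """Validator-side check: is the expected value present in the TXT set
    reached from _acme-challenge.<fqdn>?"""
    expected = dns01_challenge(fqdn, token, jwk)
    return expected["value"] in resolve_txt(expected["name"], zone)


def demo_zone(fqdn: str, token: str, jwk: dict) -> dict:
    """Constructed DNS data for the delegation pattern: the state.gov admins
    create one permanent CNAME at _acme-challenge.city.state.gov into a zone
    the city controls (acme-dv.example is hypothetical), and the city rotates
    the TXT value there on every renewal without further change requests."""
    chal = dns01_challenge(fqdn, token, jwk)
    return {
        f"{chal['name']}.": [("CNAME", "_acme-challenge.city.acme-dv.example.")],
        "_acme-challenge.city.acme-dv.example.": [("TXT", chal["value"])],
    }


if __name__ == "__main__":
    print(http01_challenge(FQDN, TOKEN, ACCOUNT_JWK))
    print(dns01_challenge(FQDN, TOKEN, ACCOUNT_JWK))
    zone = demo_zone(FQDN, TOKEN, ACCOUNT_JWK)
    print("dns-01 satisfied via CNAME delegation:",
          dns01_is_satisfied(FQDN, TOKEN, ACCOUNT_JWK, zone))
```

Run it and compare the printed `name` with the record the state admins actually created: for city.state.gov the ACME record is `_acme-challenge.city.state.gov`, which is inside the city subdomain, and the http-01 file sits under city.state.gov's own DocumentRoot. The delegation CNAME is a one-time request; after that, renewals only touch the zone you control. The resolver in `resolve_txt` is a stand-in for live DNS and is only there to show the chain being followed.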

I used Comodo PositiveSSL as recommended. Thank you, it provided the validation level I needed.