Domain Validation via DNS at subdomain level possible?

Zorniac
Domain Validation via DNS or HTML at the first-level subdomain.
I am in a situation where I have been provided the FQDN city.state.gov to use.  I need to get several certificates for city.state.gov, using DNS DV.  I do not control any of the DNS entries for city.state.gov or state.gov; I have to send change requests to a DNS Admin group.  I applied for an SSL and had the state DNS admins create a DV record.  The DV record was created at the first-level subdomain, city.  The SSL provider needs the DV record to be located at the primary root domain level, state.gov.  The State DNS Admins are unwilling to make the record at this level (the same is true for the HTML method).

Does anyone know of an SSL provider that will perform DV at the subdomain city.state.gov level?

Thanks for your consideration of this question.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
What you're asking to do is very easy with https://LetsEncrypt.org certs, so long as you have full access to your DocumentRoot directory for site content.

If you have access, then here's the command...

certbot-auto certonly --dry-run --no-self-upgrade --non-interactive --rsa-key-size 4096 --email $email --agree-tos --webroot -w /path/to/docroot -d city.state.gov



Once you get a successful run, then remove --dry-run.

Tip: Always start with --dry-run, as running many failing cert requests will hit rate limiting very quickly.
Zorniac, IT Manager

Author

Commented:
Hi David,

Thanks for the response.  Can you clarify document root?

If I have city.state.gov, to me the document root is state.gov, which I do not have access to.

If in this case city.state.gov is the document root then that is what I am looking for.

Letsencrypt.org looks to be specifically geared toward SSL certs for websites.  I am specifically looking for a SAN SSL that can validate via DNS at the subdomain record level for an email server.  Additionally, I have appliances like a helpdesk, KVM, filters, etc. that don't have the ability to run an agent or provide shell access.

Any traditional SSL providers that DV at the subdomain level?  AWS will validate a domain at city.state.gov via a CNAME record and issue an SSL; however, the SSL is free but only available for use on AWS-hosted services.

All of the Comodo PositiveSSL and EssentialSSL DV certificates (ranging in price from approximately US$8 to US$56 per year) offer what you are looking for, using either HTML or DNS validation at the "subdomain" level, so in your case city.state.gov. They can even do dept.city.state.gov level validation. Just make sure to choose the correct validation type.

https://comodosslstore.com/

David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
DocumentRoot is the directory serving content for a given site.

So in your case you require providing certbot-auto writeable access to the city.state.gov site content, which means you must truly own full access to this site for this to work.

Otherwise you must have the state.gov owner request a cert for you... which... well... you might be old + gray before you get anyone to provide this for you. And if you do this, then you'll have to go through the request process every year.

You can't do what you're asking (validate at DNS level) unless you actually own access to the state.gov zone file + reload process for every DNS instance for the state.gov zone. If you do have this access, you can use one of the many LetsEncrypt clients, if you use a standard DNS server (like named) which has an existing client written... else you must write your own client...

There is no TLS (SSL has been dead for years) validation of CNAME records anymore. This was deprecated several years ago.

There are... ugly workarounds which work a bit still. Eventually all browsers will report a cert pinned to a CNAME site as suspicious... because A records return IP addresses + CNAMEs can be chained + hacked.

Best avoid any CNAME shenanigans at this point, else eventually all visitors will see a suspicious site message.

Summary: After working through the lengthy process of requesting any government action... best use LetsEncrypt... so you're done with this in a few minutes, with no other government request required.
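The two validation mechanisms that come up in this thread, the certbot --webroot command in the first reply and the DNS-level validation discussed in the reply above, are both ACME challenges (RFC 8555), and what the CA actually looks for is defined precisely there. The following Python, an added illustration and not code from either poster, computes those artefacts for an identifier such as city.state.gov: for HTTP-01 the CA fetches http://city.state.gov/.well-known/acme-challenge/<token> and expects the key authorization as the body (this is the file certbot writes under -w /path/to/docroot); for DNS-01 it queries a TXT record at _acme-challenge.city.state.gov, i.e. a name under the identifier being validated, and expects the base64url SHA-256 of the same key authorization. The account key is the RSA example key from RFC 7638 (so the thumbprint can be checked against the RFC), the token is the example token from RFC 8555, and the zone fragments at the end are constructed for the demonstration.

```python
import base64
import hashlib
import json

# Public part of an ACME account key. This is the RSA example key from RFC 7638 section 3.1,
# reused so the thumbprint computed below can be checked against the value given in the RFC.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}

# Token as the CA would issue it in the challenge object; this is the example token from RFC 8555.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required public members only, serialized as JSON
    with keys in lexicographic order and no whitespace. 'alg', 'kid' etc. are excluded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the account key. Both challenge types
    derive their proof from this one string, which binds the token to the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_challenge(identifier: str, token: str, jwk: dict):
    """HTTP-01 (RFC 8555 section 8.3). Returns (URL the CA fetches, path relative to the
    webroot, file body). This is what certbot --webroot -w <docroot> writes; the CA connects
    to the identifier itself on port 80, so only that host's content needs to be controlled."""
    rel_path = f".well-known/acme-challenge/{token}"
    return f"http://{identifier}/{rel_path}", rel_path, key_authorization(token, jwk)


def dns01_challenge(identifier: str, token: str, jwk: dict):
    """DNS-01 (RFC 8555 section 8.4). Returns (TXT owner name, TXT value). The owner name is
    '_acme-challenge.' prepended to the identifier being validated, so validating
    city.state.gov needs a record under city.state.gov, not one at the state.gov apex."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{identifier}", b64url(digest)


def validate_dns01(identifier: str, token: str, jwk: dict, txt_records: dict) -> bool:
    """CA-side check, simulated offline: txt_records (owner name -> list of TXT strings)
    stands in for the DNS lookup. True only if the expected value is present at the
    expected owner name; the same value published elsewhere in the zone does not count."""
    name, expected = dns01_challenge(identifier, token, jwk)
    return expected in txt_records.get(name, [])


def demo_zones():
    """Two constructed zone fragments for the demonstration: the TXT record under the
    city label (where the question says the state DNS admins created it), and the same
    value published at the state.gov apex instead."""
    name, value = dns01_challenge("city.state.gov", TOKEN, ACCOUNT_JWK)
    at_subdomain = {name: [value]}
    at_apex = {"_acme-challenge.state.gov": [value]}
    return at_subdomain, at_apex


if __name__ == "__main__":
    url, path, body = http01_challenge("city.state.gov", TOKEN, ACCOUNT_JWK)
    print(f"HTTP-01: serve {body!r}\n         at {url}\n         (file {path} under the webroot)")
    name, value = dns01_challenge("city.state.gov", TOKEN, ACCOUNT_JWK)
    print(f'DNS-01:  {name}. IN TXT "{value}"')
    at_subdomain, at_apex = demo_zones()
    print("record under city.state.gov validates:", validate_dns01("city.state.gov", TOKEN, ACCOUNT_JWK, at_subdomain))
    print("record at state.gov apex validates:   ", validate_dns01("city.state.gov", TOKEN, ACCOUNT_JWK, at_apex))
```

Note that the TXT value itself depends only on the token and the account key, not on the identifier; the binding to city.state.gov comes entirely from the owner name the CA queries. That is why a record added at the apex proves nothing for the subdomain, and why a record at _acme-challenge.city.state.gov is all DNS-01 needs for that name.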

The majority of (paid) certificate issuers use CNAME records for domain name validation, and this has nothing to do with whether SSL or TLS is used, nor is the method deprecated.

Other methods adopted for domain name validation include the placement of TXT records in DNS and dropping flat text files into the "document root" for the domain being validated.

If the argument "Eventually all browsers will report an cert pinned to a CNAME site as suspicious" were true, then this would equally apply to "LetsEncrypt" certificates. Further, following that argument, then having a 90 day expiration and providing no financial security whatsoever (i.e. LetsEncrypt certificates) should be equally suspicious from a "browser" perspective.
Zorniac, IT Manager

Author

Commented:
I used Comodo Positive SSL as recommended.  Thank you, it provided the validation level I needed.
