DeZo1 asked:
Domain Validation via DNS at subdomain level possible?

Domain Validation via DNS or HTML, at the first-level subdomain.
I am in a situation where I have been provided the FQDN city.state.gov to use.  I need to get several certificates for city.state.gov, using DNS DV.  I do not control any of the DNS entries for city.state.gov or state.gov; I have to send change requests to a DNS Admin group.  I applied for an SSL and had the state DNS admins create a DV record.  The DV record was created at the first-level subdomain city.  The SSL provider needs the DV record to be located at the primary root domain level, state.gov.  The State DNS Admins are unwilling to make the record at this level (the same is true for the HTML method).

Does anyone know of an SSL provider that will perform DV at the subdomain city.state.gov level?

Thanks for your consideration of this question.
David Favor:

What you're asking to do is very easy with https://LetsEncrypt.org certs, so long as you have full access to your DocumentRoot directory for site content.

If you have access, then here's the command...

certbot-auto certonly --dry-run --no-self-upgrade --non-interactive --rsa-key-size 4096 --email $email --agree-tos --webroot -w /path/to/docroot -d city.state.gov

Once you get a successful run, then remove --dry-run.

Tip: Always start with --dry-run, as running many failing cert requests will hit rate limiting very quickly.
DeZo1 (asker):
Hi David,

Thanks for the response.  Can you clarify document root?

If I have city.state.gov, to me the document root is state.gov, which I do not have access to.

If in this case city.state.gov is the document root then that is what I am looking for.

Letsencrypt.org looks to be specifically geared toward SSL certs for websites.  I am specifically looking for a SAN SSL that can validate via DNS at the subdomain record level for an email server.  Additionally I have appliances like a helpdesk, KVM, filters, etc. that don't have the ability to run an agent or provide shell access.

Any traditional SSL providers that DV at the subdomain level?  AWS will validate a domain at city.state.gov via a CNAME record and issue an SSL; however, the SSL is free but only available for use on AWS-hosted services.
ASKER CERTIFIED SOLUTION
Graham N.

This solution is only available to members of Experts Exchange.
DocumentRoot is the directory serving content for a given site.

So in your case you require providing certbot-auto writeable access to the city.state.gov site content, which means you must truly own full access to this site for this to work.

Otherwise you must have the state.gov owner request a cert for you... which... well... you might be old + gray before you get any one to provide this for you. And if you do this, then you'll have to go through the request process every year.

You can't do what you're asking (validate at DNS level) unless you actually own access to the state.gov zone file + reload process for every DNS instance for the state.gov zone. If you do have this access, you can use one of the many LetsEncrypt clients, if you use a standard DNS server (like named) which has an existing client written... else you must write your own client...

There is no TLS (SSL has been dead for years) validation of CNAME records anymore. This was deprecated several years ago.

There are... ugly workarounds which work a bit still. Eventually all browsers will report a cert pinned to a CNAME site as suspicious... because A records return IP addresses + CNAMEs can be chained + hacked.

Best avoid any CNAME shenanigans at this point, else eventually all visitors will see a suspicious site message.

Summary: After working through the lengthy process of requesting any government action... best use LetsEncrypt... so you're done with this in a few minutes, with no other government request required.
The majority of (paid) Certificate issuers use CNAME records for domain name validation, and this has nothing to do with whether SSL or TLS is used, nor is the method deprecated.

Other methods adopted for domain name validation include the placement of TXT records in DNS and dropping flat text files into the "document root" for the domain being validated.

If the argument "Eventually all browsers will report a cert pinned to a CNAME site as suspicious" were true, then this would equally apply to "LetsEncrypt" certificates. Further, following that argument, then having a 90 day expiration and providing no financial security whatsoever (i.e. LetsEncrypt certificates) should be equally suspicious from a "browser" perspective.
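As an added illustration of the DNS-side validation the thread argues about (not code from any of the posters or from any CA): a Python check of whether a DNS-01 style TXT record placed under the requested FQDN city.state.gov carries the expected challenge value, following a CNAME chain with loop detection so that a chained CNAME cannot be followed forever. The zone data, token and account thumbprint are constructed, and the delegated name city-dv.example.net is an assumption.

```python
import base64
import hashlib
from typing import Dict, List, Optional, Tuple

Zone = Dict[str, List[Tuple[str, str]]]  # owner name -> [(rrtype, rdata)]


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """Expected TXT value for an ACME DNS-01 challenge (RFC 8555 section 8.4):
    base64url(SHA-256(token "." thumbprint)) without padding."""
    key_authorization = f"{token}.{account_thumbprint}".encode()
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def resolve_txt(zone: Zone, name: str, max_hops: int = 8) -> Optional[List[str]]:
    """Follow CNAMEs from `name` and return the TXT values at the end of the
    chain. Returns None on a CNAME loop or an over-long chain, because a
    validator must never chase a chain indefinitely."""
    seen = set()
    current = name
    for _ in range(max_hops):
        if current in seen:
            return None
        seen.add(current)
        rrset = zone.get(current, [])
        cnames = [rdata for rrtype, rdata in rrset if rrtype == "CNAME"]
        if cnames:
            current = cnames[0]
            continue
        return [rdata for rrtype, rdata in rrset if rrtype == "TXT"]
    return None


def dns01_satisfied(zone: Zone, fqdn: str, token: str, thumbprint: str) -> bool:
    """True when the record under the FQDN itself carries the expected value.
    Nothing at the registered domain (state.gov) is consulted."""
    txts = resolve_txt(zone, f"_acme-challenge.{fqdn.rstrip('.')}.")
    return txts is not None and dns01_txt_value(token, thumbprint) in txts


# Constructed sample inputs; not real tokens, thumbprints or live records.
TOKEN = "constructed-token-123"
THUMBPRINT = "constructed-thumbprint-abc"
ZONE: Zone = {
    # Record the state admins could create at the subdomain, delegated by CNAME
    # to a zone the requester controls (assumed name).
    "_acme-challenge.city.state.gov.": [("CNAME", "_acme-challenge.city-dv.example.net.")],
    "_acme-challenge.city-dv.example.net.": [("TXT", dns01_txt_value(TOKEN, THUMBPRINT))],
    # A looping chain that a validator must reject rather than follow.
    "_acme-challenge.loop.state.gov.": [("CNAME", "_acme-challenge.loop2.state.gov.")],
    "_acme-challenge.loop2.state.gov.": [("CNAME", "_acme-challenge.loop.state.gov.")],
}
```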
DeZo1 (asker):
I used Comodo Positive SSL as recommended.  Thank you, it provided the validation level I needed.