Modern businesses face fierce competition and high demands for their websites. There are billions of websites vying for customer attention, and they expect a reliable, secure browsing experience. TLS certificates allow websites to establish trusted connections with users, but receiving a digital certificate is not always straightforward. The first step involves a business validating its domain ownership through the Domain Control Validation (DCV) process.
DCV methods vary, and there isn’t a standard ‘best method.’ Understanding each method allows businesses to evaluate which option best demonstrates control over their digital assets.
How to Prove Control Over a Domain With DCV
TLS certificates, also called SSL certificates or digital certificates, facilitate trusted connections between a website and a user and protect data in transit. Because certificates are foundational to secure browsing, only a Certificate Authority (CA) can issue them. DCV verifies that the business requesting a certificate controls the domain in question; only after DCV is complete will the CA issue a digital certificate.
Multiple DCV methods exist, including Email DCV, DNS TXT, DNS CNAME, and HTTP Practical Demonstration. Each method ensures that only authorized parties can use a domain for digital certificates, protecting web interactions from potential threats.
Email DCV
The Email DCV method is straightforward and requires no technical skills. To use it, the CA sends a validation email to one of a set of predefined domain-based email addresses, usually administrator@, admin@, postmaster@, hostmaster@, or webmaster@. Personal email addresses are not accepted for Email DCV.
The authorization email from the CA will contain instructions for the applicant to follow, usually copying a validation code or visiting a confirmation link. In this way, email validation works similarly to multi-factor authentication.
Previously, Email DCV leveraged the WHOIS database, an internet listing of domain owners and how to contact them. Due to a mix of privacy and security concerns, CAs no longer use WHOIS records for Email DCV.
DNS TXT DCV
Using DNS TXT DCV, the applicant will add a DNS TXT record to the domain’s DNS zone file. Applicants will receive a randomly generated value from the CA that they add to the DNS TXT record. When the CA searches for records associated with the domain, it will find a record with the assigned value and complete the validation process.
DNS CNAME DCV
Using DNS CNAME DCV, the applicant will add a DNS CNAME record to the domain’s DNS configuration, which points to a validation server controlled by the CA. The CA will then check that the CNAME record exists and resolves correctly to confirm domain ownership.
It’s important to note that both DNS TXT and DNS CNAME DCV require access to DNS settings and, depending on the size of the organization, may require cross-team coordination.
Using DNS TXT DCV for Wildcard Certificates
Proving control over multiple domains or subdomains requires either a Wildcard certificate or a subject alternative name (SAN) certificate. Wildcards use a wildcard character (*) in the domain name field to support one domain and multiple subdomains, while SAN certificates support multiple domains. For wildcard certificates, a single DNS TXT record is typically used for validation, covering all subdomains under the wildcard.
HTTP Practical Demonstration DCV Method
HTTP Practical Demonstration DCV is used to demonstrate control over fully qualified domain names (FQDNs) exactly as named in the certificate request.
The applicant will place a plain validation text file on the domain’s server containing a randomly generated value provided by the CA. The domain’s server must be accessible on port 80 (HTTP). Some CAs may support validation over port 443 (HTTPS). Firewall rules must allow the IP addresses associated with the CA to reach the server for validation. This method can validate both IPv4 and IPv6 addresses.
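As an added example (not code from this page or from UltraDNS), the pre-flight check a practitioner would run before asking the CA to validate: it applies the DNS TXT, DNS CNAME and HTTP rules described above to whatever the lookups return. The record label `_dcv-challenge`, the CA host `dcv.ca.example`, the file path `/.well-known/pki-validation/dcv.txt`, the token, and the rule that a wildcard is validated at its base domain are assumptions; real CAs specify their own labels, hosts and paths.

```python
"""Pre-flight DCV checks: confirm what the CA will see before asking it to validate.
Lookup/fetch callables are injected, so the same logic runs offline against the
constructed data below or against real DNS and HTTP clients."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

@dataclass(frozen=True)
class DcvRequest:
    fqdn: str   # name exactly as it appears in the certificate request
    token: str  # random value the CA issued for this request

def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")

def validation_name(fqdn: str) -> str:
    """Name the CA queries. Assumption: a wildcard (*.example.com) is validated at its base domain."""
    labels = _norm(fqdn).split(".")
    return ".".join(labels[1:] if labels[0] == "*" else labels)

def check_dns_txt(req: DcvRequest, lookup_txt: Callable[[str], Iterable[str]]) -> bool:
    """DNS TXT DCV: some TXT record at the validation name must carry the token exactly."""
    return req.token in {v.strip() for v in lookup_txt(validation_name(req.fqdn))}

def check_dns_cname(record_name: str, ca_target: str,
                    lookup_cname: Callable[[str], Optional[str]]) -> bool:
    """DNS CNAME DCV: the CA-specified label must exist and point at the CA's host."""
    target = lookup_cname(_norm(record_name))
    return target is not None and _norm(target) == _norm(ca_target)

def check_http(req: DcvRequest, path: str, fetch: Callable[[str], Tuple[int, str]]) -> bool:
    """HTTP DCV: a plain-HTTP (port 80) fetch of the file must return the token.
    The FQDN is used exactly as requested, so a wildcard name cannot pass."""
    if req.fqdn.startswith("*."):
        return False
    status, body = fetch(f"http://{_norm(req.fqdn)}{path}")
    return status == 200 and body.strip() == req.token

# Constructed sample answers standing in for real DNS lookups and an HTTP response.
TOKEN = "constructed-dcv-token-123"
HTTP_PATH = "/.well-known/pki-validation/dcv.txt"  # assumed CA-specific path

def sample_txt(name: str) -> Iterable[str]:
    return {"example.com": ["v=spf1 -all", TOKEN]}.get(name, [])

def sample_cname(name: str) -> Optional[str]:
    return {"_dcv-challenge.example.com": "dcv.ca.example."}.get(name)

def sample_http(url: str) -> Tuple[int, str]:
    return (200, TOKEN + "\n") if url == "http://www.example.com" + HTTP_PATH else (404, "")
```

Swap the sample callables for real resolver and HTTP client wrappers to run the same checks against a live zone; a TXT record that is not yet visible from outside is exactly the propagation delay the page warns about.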
For a DNS refresher, check out What Is DNS and How Does it Work?
How to Choose the Appropriate DCV Method
Organizations should evaluate their existing workflows, network infrastructure, administrative control over domain and DNS settings, and internal resources when selecting a validation method.
However, there are some things to keep in mind:
Email DCV: Ideal for personal and small business websites. Applicants using the email method should monitor their domain-based email addresses to avoid delays.
DNS TXT and DNS CNAME DCV: Recommended for businesses familiar with DNS management or with a DNS service provider. Applicants should look for potential DNS propagation delays, which can slow down the validation process.
HTTP-based Validation: This method works well for organizations with easy access to website servers. It requires no DNS changes but is not easily scalable and can introduce human errors.
Common Issues with DCV
The DCV process can initially seem overwhelming, no matter which method you choose. For larger organizations, separate teams usually request the certificate and manage the DNS infrastructure, creating a need for ticketing systems or other workflows to track an already slow, manual process.
The more domains an organization has, the more complex the process can become. While a small business may have one or two domains, a large organization likely has multiple—lookalikes, email, and mail domains—all of which will need their own certificates and, thus, will need to go through the DCV process. For this reason, it is especially crucial that teams remain mindful of the most common ways to introduce errors.
As a best practice for renewals, begin the certificate request process 30 days before your certificate expires.
Applicants handling both renewals and new requests should plan for delays, whether from email verification issues or slow-to-propagate DNS updates.
Always double-check you are using the correct validation code for DNS TXT, DNS CNAME, and HTTP Practical DCV.
Uploading multiple files is tedious, slow work; always confirm that the validation file is correct and accessible before the CA checks.
How a DNS Service Provider Supports the DCV Process
Many businesses, especially mid-market and enterprise organizations, are turning to DNS service providers to help streamline the DCV process. A DNS service provider already makes it easy for teams to create and update records through control panels or APIs. Additionally, they often provide tools to enable businesses to verify DNS record configurations and ensure that any changes propagate quickly and reliably across the internet—which is especially helpful for DNS TXT and DNS CNAME DCV.
Imagine the owner of a small eCommerce site requesting a certificate for their website. They opt to use DNS TXT DCV because they have a DNS service provider that allows them to easily update DNS records. The business owner logs into their DNS service account, navigates to the DNS settings in the control panel, and adds a record that includes the randomly generated code the Certificate Authority provided. The DNS service provider propagates the update across the internet, and the CA can easily find and validate the new record. By leveraging a DNS provider for the DCV process, the business owner streamlines certificate issuance.
Businesses looking to create a seamless, automatic DCV process can partner with a DNS service provider that automates both DNS records and certificate lifecycle management, removing the burden on internal teams and reducing overhead costs.
For a deeper dive, check out Using DNS for Domain Validation and Certificate Management.
UltraDNS: Superior Support for Domain Control Validation
With over 20 years of experience, UltraDNS has a proven track record of supporting organizations with their DNS and certificate management needs.
UltraDNS enhances Domain Control Validation by providing a fast, reliable DNS infrastructure that supports quick validation record updates.