Verify Domain Ownership Using DNS-Based Domain Control Validation (DCV)
When requesting an SSL/TLS certificate, one of the first steps is proving that you control the domain name listed in the certificate request. This process, known as Domain Control Validation (DCV), is required by the CA/Browser Forum Baseline Requirements and helps prevent unauthorized parties from obtaining certificates for domains they do not own.
DNS CNAME validation is one of the most reliable and widely supported methods for completing domain validation. Rather than responding to an email or uploading a validation file to your web server, you create a special DNS record that demonstrates control of your domain.
This guide explains how DNS CNAME validation works, how to obtain the required validation record from SSL.com, and how to add the record using common DNS providers such as GoDaddy, Namecheap, and Amazon Route 53.
What Is DNS CNAME Validation?
DNS CNAME validation is a domain ownership verification method that uses a unique CNAME record placed in your domain’s DNS zone.
When SSL.com issues a certificate order, a unique validation token is generated for each domain or subdomain requiring verification. By publishing the provided CNAME record in your DNS configuration, you prove that you have administrative control over the domain.
SSL.com periodically checks for the presence of the validation record. Once the correct record is detected, domain ownership is confirmed and certificate issuance can proceed.
Benefits of DNS Validation
DNS validation offers several advantages over email-based or file-based validation methods:
- Does not require access to administrative email addresses.
- Does not require uploading files to a web server.
- Remains valid as long as the required DNS records remain in place.
For organizations managing multiple domains or automating certificate deployment, DNS validation is often the preferred validation method.
How DNS CNAME Validation Works
The DNS validation process follows these general steps:
- Submit a certificate request through SSL.com.
- Select DNS validation as the Domain Control Validation method.
- Obtain the unique CNAME validation record from your SSL.com order.
- Add the CNAME record to your domain’s DNS zone.
- Wait for DNS propagation.
- SSL.com verifies the record.
- Certificate issuance proceeds once validation is successful.
The validation record typically consists of:
|
Field |
Description |
|
Host / Name |
A unique validation hostname generated by SSL.com |
|
Target / Value |
A unique validation destination generated by SSL.com |
|
TTL |
DNS cache duration (lower values may speed propagation) |
Both values must be entered exactly as provided.
Before You Begin
Before creating the validation record, ensure that:
- Your SSL.com certificate order has been submitted.
- DNS validation has been selected as the DCV method.
- You have administrative access to your DNS provider.
- You have obtained the validation Host and Target values from SSL.com.
- No existing DNS records conflict with the validation hostname.
If you manage DNS through a third-party provider, you must create the CNAME record within that provider’s DNS management portal.
Obtain Your SSL.com Validation Record
Check this related SSL.com guide for step by step instructions to obtain the required values: DNS CNAME lookup for domain
- Log in to your SSL.com account.
- Navigate to your certificate order.
- Open the order details page.
- Select DNS CNAME Validation as your preferred validation method, if not already selected.
- Copy the provided:
- Host (or Name) value
- Target (or Value) destination
Keep these values available, as they will be needed when creating the DNS record.
Add the Validation Record in GoDaddy
If your domain’s DNS is managed through GoDaddy, use the following steps to create the required validation record.
Step 1: Access DNS Management
- Sign in to your GoDaddy account.
- Open Domain Portfolio.
- Select the domain you want to validate.
- Open DNS Management.
Step 2: Create the CNAME Record
- Select Add New Record.
- Choose CNAME as the record type.
- Enter the SSL.com validation values:
- Name: Enter the Host value provided by SSL.com.
- Value: Enter the Target value provided by SSL.com.
- TTL: Leave the default value or choose the lowest available option.
- Select Save.
Step 3: Wait for DNS Propagation
Most GoDaddy DNS updates become visible within an hour, although global propagation may take up to 48 hours.
After propagation completes, SSL.com will detect the record and continue the validation process automatically.
For any updates to the steps, you can check out the guide by GoDaddy: Add a CNAME record
Add the Validation Record in Namecheap
If your DNS is hosted through Namecheap, follow these steps.
Step 1: Access DNS Settings
- Sign in to your Namecheap account.
- Open Domain List.
- Select Manage beside the domain.
- Navigate to Advanced DNS.
Step 2: Create the Validation Record
- Select Add New Record.
- Choose CNAME Record.
- Enter the validation values provided by SSL.com.
Important Namecheap Note
Some DNS systems automatically append the domain name to the Host field.
For example, if SSL.com provides:
- Host: _validation.example.com
You may only need to enter:
- _validation
depending on your DNS configuration.
Entering the full domain when the system automatically appends the domain name can create an invalid record.
Step 3: Save Changes
- Save the DNS record.
- Allow time for DNS propagation.
- Return to your SSL.com order page and initiate a validation recheck if available.
For any updates to the steps, you can check out the guide by Namecheap: How can I complete domain control validation (DCV) for my SSL certificate?
Add the Validation Record Using Amazon Route 53
Organizations hosting DNS in Amazon Route 53 can add the SSL.com validation record directly within their hosted zone.
Step 1: Open Route 53
- Sign in to the AWS Management Console.
- Open Route 53.
- Select Hosted Zones.
- Choose the domain being validated.
Step 2: Create the CNAME Record
- Select Create Record.
- Choose CNAME as the record type.
- Enter the SSL.com validation values:
- Record Name: Host value provided by SSL.com
- Value: Target value provided by SSL.com
- Save the record.
Step 3: Verify Propagation
After the record appears in Route 53, allow time for DNS propagation.
SSL.com will periodically query the DNS record and complete validation once the record becomes publicly visible.
For any updates to the steps, you can check AWS Certificate Manager guide: AWS Certificate Manager DNS validation
Add the Validation Record in Cloudflare
If your domain’s DNS is managed through Cloudflare, you can complete SSL.com DNS validation by creating a CNAME record containing the validation values provided with your certificate order.
Because Cloudflare offers DNS proxying and CNAME flattening features, it is important to configure the validation record correctly. Improper proxy or flattening settings can prevent SSL.com from detecting the validation record and delay certificate issuance.
Step 1: Access Your DNS Settings
- Sign in to your Cloudflare account.
- Select the domain you are validating.
- In the left navigation menu, select DNS.
- Open the Records tab.
Step 2: Create the CNAME Validation Record
- Select Add record.
- Choose CNAME as the record type.
- Enter the validation values provided by SSL.com:
- Name: Enter the Host value provided by SSL.com.
- Target: Enter the Target value provided by SSL.com.
- TTL: Leave the default value or select Auto.
- Configure the record as follows:
- Proxy status: Set to DNS only.
- Flatten: Set to Off, if this option is available.
- Select Save.
Important: Disable Proxying
Cloudflare’s proxy service must not be enabled for SSL.com validation records.
A validation CNAME configured as Proxied may not return the expected DNS response, preventing SSL.com from verifying domain ownership.
The cloud icon next to the record should appear gray and display DNS only, not orange and Proxied.
Step 3: Verify CNAME Flattening Settings
Cloudflare offers a feature called CNAME Flattening, which can modify how CNAME records are returned in DNS responses.
For SSL.com DNS validation:
- Navigate to DNS > Settings.
- Locate the CNAME Flattening setting.
- Ensure that CNAME Flattening for all CNAME records is disabled.
If your Cloudflare configuration allows per-record flattening, confirm that flattening is also disabled for the SSL.com validation record.
Why This Matters
SSL.com must be able to query and detect the exact CNAME record that was provided during the validation process. If Cloudflare flattens the record into another DNS response type, validation may fail.
Step 4: Check for Conflicting NS Records
If validation does not complete successfully, verify whether the hostname being validated is delegated to another DNS provider through an NS record.
For example, if a subdomain has its own NS record, DNS queries for that subdomain may bypass Cloudflare entirely and be answered by a different DNS provider.
In this situation:
- Verify that the validation CNAME record exists on the authoritative DNS provider for that subdomain.
- Alternatively, review and remove unnecessary NS delegations if appropriate for your DNS configuration.
Step 5: Wait for DNS Propagation
After saving the record, allow time for DNS propagation.
Most Cloudflare DNS updates become visible within a few minutes, although propagation times can vary depending on DNS caching and resolver behavior.
SSL.com periodically checks for the validation record and automatically completes domain validation once the correct record is detected.
Troubleshooting Cloudflare DNS Validation
If your certificate remains in a pending validation state, verify the following:
- The Host and Target values exactly match those provided by SSL.com.
- The CNAME record is configured as DNS only.
- CNAME Flattening is disabled globally and for the validation record.
- No conflicting DNS records exist for the same hostname.
- Any delegated subdomains are being managed by the correct authoritative DNS provider.
- DNS propagation has completed and the record is publicly visible.
You can use DNS lookup tools such as dig, nslookup, or online DNS propagation checkers to confirm that the CNAME record is resolving correctly.
Cloudflare DNS Validation Example
SSL.com may provide values similar to the following:
|
Field |
Example Value |
|
Name |
_sslcom-validation.example.com |
|
Target |
validation123.ssl-validation.com |
In Cloudflare, create a CNAME record using those exact values, set the record to DNS only, and ensure that CNAME Flattening is disabled.
Once SSL.com detects the published record, domain ownership is verified and certificate issuance can proceed.
For any updates, you can also refer to Cloudflare’s guide: Verify a domain with CNAME