Site icon SSL.com

DNS CNAME Validation for SSL/TLS Certificates

Verify Domain Ownership Using DNS-Based Domain Control Validation (DCV)

When requesting an SSL/TLS certificate, one of the first steps is proving that you control the domain name listed in the certificate request. This process, known as Domain Control Validation (DCV), is required by the CA/Browser Forum Baseline Requirements and helps prevent unauthorized parties from obtaining certificates for domains they do not own.

DNS CNAME validation is one of the most reliable and widely supported methods for completing domain validation. Rather than responding to an email or uploading a validation file to your web server, you create a special DNS record that demonstrates control of your domain.

This guide explains how DNS CNAME validation works, how to obtain the required validation record from SSL.com, and how to add the record using common DNS providers such as GoDaddy, Namecheap, and Amazon Route 53.

What Is DNS CNAME Validation?

DNS CNAME validation is a domain ownership verification method that uses a unique CNAME record placed in your domain’s DNS zone.

When SSL.com issues a certificate order, a unique validation token is generated for each domain or subdomain requiring verification. By publishing the provided CNAME record in your DNS configuration, you prove that you have administrative control over the domain.

SSL.com periodically checks for the presence of the validation record. Once the correct record is detected, domain ownership is confirmed and certificate issuance can proceed.

Benefits of DNS Validation

DNS validation offers several advantages over email-based or file-based validation methods:

For organizations managing multiple domains or automating certificate deployment, DNS validation is often the preferred validation method.

How DNS CNAME Validation Works

The DNS validation process follows these general steps:

  1. Submit a certificate request through SSL.com.
  2. Select DNS validation as the Domain Control Validation method.
  3. Obtain the unique CNAME validation record from your SSL.com order.
  4. Add the CNAME record to your domain’s DNS zone.
  5. Wait for DNS propagation.
  6. SSL.com verifies the record.
  7. Certificate issuance proceeds once validation is successful.

The validation record typically consists of:

Field

Description

Host / Name

A unique validation hostname generated by SSL.com

Target / Value

A unique validation destination generated by SSL.com

TTL

DNS cache duration (lower values may speed propagation)

Both values must be entered exactly as provided.

Before You Begin

Before creating the validation record, ensure that:

If you manage DNS through a third-party provider, you must create the CNAME record within that provider’s DNS management portal.

Obtain Your SSL.com Validation Record

Check this related SSL.com guide for step by step instructions to obtain the required values: DNS CNAME lookup for domain

  1. Log in to your SSL.com account.
  2. Navigate to your certificate order.
  3. Open the order details page.
  4. Select DNS CNAME Validation as your preferred validation method, if not already selected.
  5. Copy the provided:
    • Host (or Name) value
    • Target (or Value) destination

Keep these values available, as they will be needed when creating the DNS record.

Add the Validation Record in GoDaddy

If your domain’s DNS is managed through GoDaddy, use the following steps to create the required validation record.

Step 1: Access DNS Management

Step 2: Create the CNAME Record

Step 3: Wait for DNS Propagation

Most GoDaddy DNS updates become visible within an hour, although global propagation may take up to 48 hours.

After propagation completes, SSL.com will detect the record and continue the validation process automatically.

For any updates to the steps, you can check out the guide by GoDaddy: Add a CNAME record

Add the Validation Record in Namecheap

If your DNS is hosted through Namecheap, follow these steps.

Step 1: Access DNS Settings

Step 2: Create the Validation Record

Important Namecheap Note

Some DNS systems automatically append the domain name to the Host field.

For example, if SSL.com provides:

You may only need to enter:

depending on your DNS configuration.

Entering the full domain when the system automatically appends the domain name can create an invalid record.

Step 3: Save Changes

For any updates to the steps, you can check out the guide by Namecheap: How can I complete domain control validation (DCV) for my SSL certificate?

Add the Validation Record Using Amazon Route 53

Organizations hosting DNS in Amazon Route 53 can add the SSL.com validation record directly within their hosted zone.

Step 1: Open Route 53

Step 2: Create the CNAME Record

Step 3: Verify Propagation

After the record appears in Route 53, allow time for DNS propagation.

SSL.com will periodically query the DNS record and complete validation once the record becomes publicly visible.

For any updates to the steps, you can check AWS Certificate Manager guide: AWS Certificate Manager DNS validation


Add the Validation Record in Cloudflare

If your domain’s DNS is managed through Cloudflare, you can complete SSL.com DNS validation by creating a CNAME record containing the validation values provided with your certificate order.

Because Cloudflare offers DNS proxying and CNAME flattening features, it is important to configure the validation record correctly. Improper proxy or flattening settings can prevent SSL.com from detecting the validation record and delay certificate issuance.

Step 1: Access Your DNS Settings

Step 2: Create the CNAME Validation Record

Important: Disable Proxying

Cloudflare’s proxy service must not be enabled for SSL.com validation records.

A validation CNAME configured as Proxied may not return the expected DNS response, preventing SSL.com from verifying domain ownership.

The cloud icon next to the record should appear gray and display DNS only, not orange and Proxied.

Step 3: Verify CNAME Flattening Settings

Cloudflare offers a feature called CNAME Flattening, which can modify how CNAME records are returned in DNS responses.

For SSL.com DNS validation:

If your Cloudflare configuration allows per-record flattening, confirm that flattening is also disabled for the SSL.com validation record.

Why This Matters

SSL.com must be able to query and detect the exact CNAME record that was provided during the validation process. If Cloudflare flattens the record into another DNS response type, validation may fail.

Step 4: Check for Conflicting NS Records

If validation does not complete successfully, verify whether the hostname being validated is delegated to another DNS provider through an NS record.

For example, if a subdomain has its own NS record, DNS queries for that subdomain may bypass Cloudflare entirely and be answered by a different DNS provider.

In this situation:

Step 5: Wait for DNS Propagation

After saving the record, allow time for DNS propagation.

Most Cloudflare DNS updates become visible within a few minutes, although propagation times can vary depending on DNS caching and resolver behavior.

SSL.com periodically checks for the validation record and automatically completes domain validation once the correct record is detected.

Troubleshooting Cloudflare DNS Validation

If your certificate remains in a pending validation state, verify the following:

You can use DNS lookup tools such as dig, nslookup, or online DNS propagation checkers to confirm that the CNAME record is resolving correctly.

Cloudflare DNS Validation Example

SSL.com may provide values similar to the following:

Field

Example Value

Name

_sslcom-validation.example.com

Target

validation123.ssl-validation.com

In Cloudflare, create a CNAME record using those exact values, set the record to DNS only, and ensure that CNAME Flattening is disabled.

Once SSL.com detects the published record, domain ownership is verified and certificate issuance can proceed.


For any updates, you can also refer to Cloudflare’s guide: Verify a domain with CNAME

Exit mobile version