How Do I Verify the Domain Ownership Manually by DNS?

Domain name ownership verification by DNS verifies that you own a domain by resolving a specific DNS record configured on the platform that hosts the domain name. SCM supports automatic and manual DNS verification.

This topic uses our platform as an example to describe how to verify domain name ownership manually by DNS.

Manual DNS verification: You need to go to the DNS service provider of the domain name to perform the verification.

Figure 1 Manual DNS verification

Constraints

Manual DNS verification can be performed only on your domain name management platform by following the instructions provided by the domain name service provider.

(Optional) Step 1: Hosting Domain Name on HUAWEI CLOUD DNS

When you use DNS to verify your domain ownership, the DNS records can be resolved only on the platform managing your domain name. If your domain names are not hosted on HUAWEI CLOUD, you can choose whether to migrate them to HUAWEI CLOUD.

If your domain name is already managed on HUAWEI CLOUD, skip this step.

Step 2: Obtaining Verification Information

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > Cloud Certificate Management Service. The service console is displayed.
  3. In the navigation pane on the left, choose SSL Certificate Manager. In the row containing the desired certificate, click Verify Domain Name in the Operation column. The Verify Domain Name page is displayed.
  4. On the Verify Domain Name page, view the content for Host Record, Record Type, and Record Value. Figure 2 shows an example.

    If Host Record, Record Type, and Record Value are not displayed, log in to the mailbox you provided during certificate application and view them there.
    Figure 2 Viewing a host record

Step 3: Performing Verification Using HUAWEI CLOUD DNS

  1. Log in to the management console.
  2. Choose Networking > Domain Name Service. In the navigation pane on the left, choose DNS Resolution > Public Zones. The Public Zones page is displayed.
  3. In the public zone list, click the domain name to be resolved. In the upper right corner of the page, click Add Record Set. The Add Record Set dialog page is displayed.

    If there is already a TXT record in the record set, click Modify in the Operation column. Modify the record in the displayed Modify Record Set dialog box.

    Figure 3 Adding a record set
    Table 1 Record set parameters

    | Parameter | Description |
    |-----------|-------------|
    | Name | Host record returned by the domain name service provider on the domain name verification page of the certificate. Host records returned by different domain name service providers differ, so ensure that the host record is correct. Examples: if the host record returned by the domain name service provider is _dnsauth.example.com, set Name to _dnsauth; if the host record returned is example.com, leave Name empty. |
    | Type | Select TXT – Specify text records. |
    | Alias | Select No. |
    | Line | Select Default. |
    | TTL (s) | Set this parameter to 5 min. A larger TTL value means that DNS records are synchronized and updated less frequently. |
    | Value | Record value returned by the domain name service provider on the domain name verification page of the certificate. NOTE: Enclose the record value in quotation marks before pasting it into the text box. |

    Keep other settings unchanged.

  4. Click OK.

    If the status of the record set is Normal, the record set is added successfully.

    The TXT record can be deleted only after the certificate is issued.

Step 4: Checking Whether Domain Ownership Verification Takes Effect

  1. On the Windows menu, click Start and enter cmd to open the Command Prompt window.
  2. Run the following command in the Command Prompt window to check whether the DNS verification configuration has taken effect:

    nslookup -q=TXT xxx

    xxx indicates the Host Record value returned by the domain name service provider.

    • If the record value in the command output (value of text) is the same as that returned by the domain name service provider, the configuration of domain name ownership verification has taken effect. Figure 4 shows an example.
      Figure 4 Effective configuration of domain name ownership verification
    • If the command output does not contain a TXT record and Non-existent domain is displayed, the configuration has not taken effect.
      Figure 5 Non-effective domain name verification configuration

  3. If the configuration of DNS verification does not take effect, rectify the fault based on the following possible causes until the verification takes effect:

    Table 2 Possible causes

    | Possible Cause | Procedure |
    |----------------|-----------|
    | The record configuration is incorrect. | Check whether the Name or Type is correct. The following uses the DNS configuration on HUAWEI CLOUD as an example (Figure 6 Adding a record). The returned host record varies depending on the domain name service provider. Examples: if the host record returned by the domain name service provider is _dnsauth.www.huawei.com, set Name to _dnsauth; if the host record returned is www.huawei.com, leave Name empty. NOTICE: Check whether full domain names are supported. If not, delete the suffix of the root domain name. |
    | The configuration takes a long time to take effect. | Check whether the effective time (TTL) is too long. It is recommended that you set the TTL to 5 minutes. This value varies depending on the DNS service provider. In HUAWEI CLOUD DNS, the default value is 5 minutes, so the configuration takes effect within 5 minutes by default. If the configured effective time has not yet elapsed, verify again after it has. |

    Figure 7 Setting TTL
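
The Name rule from Table 1 and the Step 4 check can be scripted. The following Python sketch is an added example, not part of the original help page or the platform's own tooling. It derives the Name field from a host record, classifies saved nslookup -q=TXT output, and computes the doubled name that exists when a console without full-domain support receives the full host record. The function names, the resolver name and the token are constructed for illustration.

```python
import re

def relative_name(host_record: str, zone: str) -> str:
    """Name field for a console that appends the zone itself ('' = zone apex)."""
    host, zone = host_record.rstrip(".").lower(), zone.rstrip(".").lower()
    if host == zone:
        return ""
    if host.endswith("." + zone):
        return host[: -(len(zone) + 1)]
    raise ValueError(f"{host_record!r} is not inside zone {zone!r}")

def doubled_name(host_record: str, zone: str) -> str:
    """Name that really exists if the full host record was pasted into Name."""
    return f"{host_record.rstrip('.').lower()}.{zone.rstrip('.').lower()}"

def txt_values(nslookup_output: str) -> list[str]:
    """TXT strings from nslookup output; multi-string records are joined."""
    records = re.findall(r'text\s*=((?:\s*"[^"]*")+)', nslookup_output)
    return ["".join(re.findall(r'"([^"]*)"', r)) for r in records]

def check(nslookup_output: str, expected_value: str) -> str:
    """Classify the Step 4 result: effective, nxdomain, no-txt or mismatch."""
    if "Non-existent domain" in nslookup_output:
        return "nxdomain"
    values = txt_values(nslookup_output)
    if not values:
        return "no-txt"
    # The console takes the value in quotation marks; compare without them.
    wanted = expected_value.strip().strip('"')
    return "effective" if wanted in values else "mismatch"

# Constructed sample output (Windows nslookup layout), not from a real zone.
SAMPLE_OK = '''Server:  resolver.example.net
Address:  192.0.2.53

Non-authoritative answer:
_dnsauth.example.com\ttext =

\t"constructed-token-0001"
'''
SAMPLE_NX = '''Server:  resolver.example.net
Address:  192.0.2.53

*** resolver.example.net can't find _dnsauth.example.com: Non-existent domain
'''

if __name__ == "__main__":
    print(relative_name("_dnsauth.example.com", "example.com"))
    print(check(SAMPLE_OK, '"constructed-token-0001"'), check(SAMPLE_NX, "x"))
    print("if nxdomain, also query:", doubled_name("_dnsauth.example.com", "example.com"))
```

If the host record returns nxdomain but the doubled name resolves, the Name field was filled with the full domain name and the root domain suffix should be deleted, as the NOTICE in Table 2 describes.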