Updated on 2023-12-20 GMT+08:00

Manual DNS Verification

When you apply for an SSL certificate, the CA requires you to prove that you control the domain name to be associated with the certificate.

For manual DNS verification, you add a record (a TXT or CNAME record) to the record set of the domain name being verified. The CA then queries that record; if the query resolves and the returned value matches the one the CA issued, the verification succeeds.

If you select manual DNS verification when applying for a certificate, perform the operations described in this section.

Constraints

Manual DNS verification can be performed only on the platform that manages the domain name (its authoritative DNS provider), by following the instructions provided by that provider.

Prerequisites

You have completed real-name authentication.

Step 1: Confirm the Verification Procedure

When you use DNS to verify your domain ownership, the verification record is only effective if it is added to the authoritative DNS for the domain name, that is, on the platform that manages the domain name. Perform the verification steps that match your domain name management platform.

Domain Name Management Platform    Verification Procedure

Domain names hosted on our platform
    Complete all subsequent steps.

Domain names not hosted on our platform
    Decide whether to migrate the domain name from the other service provider to our DNS:
      • Yes: migrate the domain name first, then complete all subsequent steps.
      • No: perform the verification on the platform where the domain name is hosted, following that provider's instructions.

Step 2: Obtaining Verification Information

  1. Log in to the management console.
  2. On the Verify Domain Name page, note the values of Host Record, Record Type, and Record Value. The page shows an example of these values.

    If Host Record, Record Type, and Record Value are not displayed, check the mailbox you provided during the certificate application: the CA sends the verification values there.

Step 3: Performing Verification Using DNS

  1. Log in to the management console.
  2. Choose Networking > Domain Name Service. In the navigation pane on the left, choose Public Zones to go to the Public Zones page.
  3. In the public zone list, click the domain name you want to add a record set for. In the upper right corner of the page, click Add Record Set.

    • The domain name that receives the record set depends on the type of certificate:
      • For a single-domain certificate, if the domain name does not start with www, add the record set for the domain name itself. If the domain name starts with www, add the record set for the parent domain. For example, if your certificate is for www.example.com, add the record set for example.com.
      • For a multi-domain certificate, add a record set for every domain name associated with the certificate, applying the rule above to each one.
      • For a wildcard-domain certificate, add the record set for the parent domain of the wildcard.

        For example, if your certificate is for *.example.com, add the record set for example.com.

    • If the zone already contains a record set with the same name and type (for example, one left over from a previous certificate), do not add a second one. Click Modify in the Operation column and update the record in the displayed Modify Record Set dialog box.
    Table 1 Parameters for adding a record set

    Parameter    Description

    Name         The Host Record shown on the certificate's domain name verification page. Enter only the host record (the label to the left of the domain name); the zone name is appended automatically.

    Type         The Record Type shown on the domain name verification page (TXT or CNAME).

    Alias        Select No.

    Line         Select Default.

    TTL (s)      Set this parameter to 5 min. A larger TTL means resolvers cache the record longer, so a new or corrected record takes longer to become visible.

    Value        The Record Value shown on the certificate's domain name verification page.

    NOTE:

    A TXT record value must be enclosed in double quotation marks when pasted into the text box. A CNAME value is entered as a plain host name, without quotation marks.

    Keep other settings unchanged.

  4. Click OK.

    If the status of the record set is Normal, the record set has been added successfully.

    Do not delete the record set until the certificate has been issued; the CA may query it again during validation.

Step 4: Checking Whether Domain Ownership Verification Takes Effect

  1. On Windows, click Start, type cmd, and press Enter to open a command prompt.
  2. Check whether the DNS configuration takes effect by running the corresponding command listed in Table 2.

    Table 2 Verification commands

    Record Type    Verification command

    TXT            nslookup -q=TXT xxx

    CNAME          nslookup -q=CNAME xxx

    xxx is the fully qualified name being verified: the Host Record returned by the domain name service provider, joined to the domain name for which you added the record set.

    nslookup sends the query to the resolver configured on your computer, which may still return a cached answer. To rule out caching, you can name one of the zone's authoritative name servers as the last argument of the command so that the server is queried directly.

    • If the record value in the command output (the text field for TXT, the canonical name for CNAME) is the same as the value returned by the domain name service provider, the domain name ownership verification configuration has taken effect. Figure 1 shows an example.
      Figure 1 Effective configuration of domain name ownership verification
    • If the command output contains no record and reports Non-existent domain, the configuration has not taken effect (or has not yet propagated).

  3. If the configuration of DNS verification does not take effect, rectify the fault based on the following possible causes until the verification takes effect:

    Table 3 Possible causes

    Possible Cause    Procedure

    A wrong domain name management platform was selected.
        DNS verification can be performed only on the platform where your domain name is hosted (its authoritative DNS). Check that the platform you selected is the right one.

    The old record set was not deleted.
        The record added for a certificate can be deleted once that certificate is issued. If the record added for a previous certificate still exists, the record for the current certificate will not take effect. Check whether the record added last time has been deleted, or modify it in place with the new value.

    The record configuration is incorrect.
        Check the Host Record, Type, and Value settings. Common mistakes are entering the full domain name instead of only the host record in Name, choosing the wrong record type, and omitting the double quotation marks around a TXT value.

    The configuration needs a long time to take effect.
        Check whether the TTL is too long. The recommended TTL is 5 minutes; the default varies by DNS service provider, and on our DNS platform it is 5 minutes, so the configuration takes effect within 5 minutes by default. If the TTL has not yet elapsed, wait until it has and then verify again.
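The placement rule from Step 3 (which domain receives the record set) and the "has it taken effect?" check from Step 4 are easy to get subtly wrong: the name you must query is the host record joined to the domain, a TXT value is compared without its surrounding quotes and after rejoining split strings, a CNAME target is compared case-insensitively and without its trailing dot, and a cached answer from your local resolver can hide a record that the authoritative server already serves. The following script is an added example and not code from the original page or the console; it is standard-library Python except for the optional live check, which assumes the dnspython package is installed. The function names, the sample host record and the token values are this example's own, constructed for illustration.

```python
"""Helpers for manual DNS verification: where the record goes, what name to
query, and whether a lookup result counts as "taken effect".

Added example, not part of the original page. Function names and the sample
values are this example's own; the live check assumes dnspython is installed.
"""
from __future__ import annotations

import re


def record_owner_domain(cert_domain: str) -> str:
    """Domain whose record set receives the verification record (Step 3 rule).

    'www.example.com' and '*.example.com' both verify at 'example.com';
    any other name (for example 'api.example.com') verifies at itself.
    """
    name = cert_domain.strip().rstrip(".").lower()
    if name.startswith("*."):
        return name[2:]
    if name.startswith("www."):
        return name[4:]
    return name


def verification_name(host_record: str, owner_domain: str) -> str:
    """Fully qualified name to look up in Step 4: host record + owner domain.

    The console shows only the host record (the left-hand label). '@' or an
    empty host record means the apex of the owner domain itself.
    """
    host = host_record.strip().rstrip(".")
    return owner_domain if host in ("", "@") else f"{host}.{owner_domain}"


def normalize_txt(value: str) -> str:
    """Drop the quotes the console requires and rejoin '" "'-separated
    character strings (TXT RDATA longer than 255 bytes is split that way)."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', value)
    return "".join(parts) if parts else value.strip()


def normalize_cname(value: str) -> str:
    """CNAME targets are case-insensitive and may carry a trailing dot."""
    return value.strip().rstrip(".").lower()


def evaluate_record(record_type: str, expected: str, observed: list[str] | None) -> str:
    """Classify a lookup result the way Step 4 does.

    'effective' when one observed value matches the expected one,
    'missing' when the lookup returned nothing (NXDOMAIN or no records),
    'mismatch' otherwise. TXT comparison is case-sensitive, as the CA's is.
    """
    if not observed:
        return "missing"
    rtype = record_type.upper()
    if rtype == "TXT":
        want, got = normalize_txt(expected), {normalize_txt(v) for v in observed}
    elif rtype == "CNAME":
        want, got = normalize_cname(expected), {normalize_cname(v) for v in observed}
    else:
        raise ValueError(f"unsupported record type {record_type!r}")
    return "effective" if want in got else "mismatch"


def query_authoritative(name: str, record_type: str, zone: str) -> list[str] | None:
    """Ask the zone's own name servers directly, bypassing resolver caches.

    Assumes dnspython (pip install dnspython); imported here so the offline
    helpers above do not need it. Returns None on NXDOMAIN or no matching
    records, otherwise the TXT strings / CNAME targets found.
    """
    import dns.message, dns.query, dns.rcode, dns.rdatatype, dns.resolver

    rdtype = dns.rdatatype.from_text(record_type)
    ns_ips = [str(a) for ns in dns.resolver.resolve(zone, "NS")
              for a in dns.resolver.resolve(str(ns.target).rstrip("."), "A")]
    for ip in ns_ips:
        resp = dns.query.udp(dns.message.make_query(name, rdtype), ip, timeout=3)
        if resp.rcode() == dns.rcode.NXDOMAIN:
            return None
        values = [b"".join(rr.strings).decode("utf-8", "replace") if rdtype == dns.rdatatype.TXT
                  else str(rr.target)
                  for rrset in resp.answer if rrset.rdtype == rdtype for rr in rrset]
        if values:
            return values
    return None


if __name__ == "__main__":
    # Constructed sample values, not real CA data.
    owner = record_owner_domain("www.example.com")          # example.com
    fqdn = verification_name("_verify-sample", owner)       # _verify-sample.example.com
    print(fqdn, evaluate_record("TXT", '"sampletoken123"', ['"sampletoken123"']))
    # For a real check against live DNS (network required):
    # print(evaluate_record("TXT", '"<value from console>"',
    #                       query_authoritative(fqdn, "TXT", owner)))
```

If query_authoritative() reports "missing" while your local nslookup already shows the record, the record is being served from a cache and the zone itself has not been updated; if the reverse happens, wait for the old TTL to expire. Because the CA performs its own lookups, checking against the authoritative servers is the closer approximation of what the CA will see.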

Step 5: Review the DNS Verification Result

For OV and EV certificates, the CA still needs 2 to 3 working days after you complete the DNS verification to validate it. The certificate is not issued until the CA's validation completes.

If the verification fails or other problems occur, contact the CA using the contact information provided in the CA's validation email.