đź“ź Delegated Domain Verification in DNS
In the previous post I talked about the work we’re doing at the IETF to establish best practices around DNS-based domain verification. One thing we don’t really discuss in the draft yet is delegated domain verification.
The context here is that you use an intermediary or a content delivery network (CDN) for your website and you want to let the intermediary manage your TLS certificates. A lot of CDNs offer this service (Cloudflare, Fastly). In order to be issued a TLS cert from a Certificate Authority like Let’s Encrypt, you need to prove that you control the domain. Typically, this is done via the DNS-01 challenge where you place a unique token that Let’s Encrypt gives you in your DNS (we went over this in the previous blog post). But what happens when you want to renew the cert?
Let’s Encrypt only issues certs with a 90 day validity period for security reasons. This means that after 90 days, you need to re-do the DNS-01 challenge and replace the unique token with a new one. Doing this manually is a pain, and the consequences of messing it up are huge given that browsers heavily penalize non-HTTPS websites. This is why CDNs offer to automate this process for you, but this cannot be done via TXT records because you’d have to hand over access to your entire DNS in order to let them do that. CNAMEs to the rescue!
CNAMEs let you say that “the DNS record for this name actually lives over there”. This works great for delegation. You can put a CNAME record in your DNS for the Let’s Encrypt domain verification challenge, and point it to a CDN-controlled DNS name. For example, if you were trying to delegate your domain example.com
’s Let’s Encrypt certificate renewal via Cloudflare, you could add the following CNAME once and be done with it:
Cloudflare would add something like:
Now, Cloudflare can request certificate renewal on your behalf. Every 90 days, Let’s Encrypt will give Cloudflare a unique token asking to prove that it controls example.com
, which Cloudflare will put at the TXT record (the <random-token-given-by-let’s-encrypt>). Now, Let’s Encrypt can do a DNS query for _acme-challenge.example.com
and be redirected to the name <random-token-given-by-cloudflare>.cloudflare.com.
and verify the unique token needed for renewal. Importantly, the CNAME record you add which points to Cloudflare also needs a random token. This proves to Cloudflare that you control the example.com
domain.