
I am trying to get a domain validated by a registrar for SSL purchase. Example - abc.example1.com

The registrar asked me to put a TXT record with a certain value. There is already a CNAME record for abc.example1.com pointing to, say, my.example2.com. I added the TXT record for my.example2.com.

Shouldn't this work?

However, when I go to the registrar (GoDaddy) and click on the Verify/Validate button, it says it cannot verify.

Any pointers would be helpful. Thanks.

  • Sometimes it takes up to an hour to propagate. Check https://mxtoolbox.com/TXTLookup.aspx to see if it is visible – Nishant Nov 13 '20 at 06:44
  • I checked in 8.8.8.8 at that time. The TXT record was showing up. – Traveller Nov 13 '20 at 06:47
  • Just to clarify: GoDaddy will verify the TXT record for abc.example1.com. I cannot add it there since a CNAME is already present. So I added the TXT to my.example2.com, which is where the CNAME for abc.example1.com points. I thought this should work. – Traveller Nov 13 '20 at 06:58
  • Does this answer your question? [Adding both CNAME and TXT DNS records for one subdomain](https://serverfault.com/questions/834320/adding-both-cname-and-txt-dns-records-for-one-subdomain) – AndrewL64 Nov 13 '20 at 08:01
  • When you put `abc.example1.com` in TXT Lookup, the verification code should appear. There can be multiple TXT records assigned to the same subdomain (like abc.example1.com); you should be able to add CNAME and TXT records for abc.example1.com. – Nishant Nov 13 '20 at 08:11
  • @AndrewL64 Thanks. I think my issue has to do with the fact that GoDaddy doesn't follow redirects when doing verification. Since a CNAME is a kind of redirection, it may not be following it. My guess. – Traveller Nov 13 '20 at 10:10
  • If you gave the real names people could help you better, but your question is probably off-topic as it does not seem related to a business environment. – Patrick Mevzek Nov 13 '20 at 18:46
  • "Since a CNAME is a kind of redirection, it may not be following it. My guess." Probably wrong (but difficult to say as you hide relevant information in your question). A CNAME is just a CNAME; the authoritative server just publishes it. It is the consumer, aka the recursive resolver that the CA will use, that will see it and follow it. Using CNAME records to pass CA DV-based validation is pretty much standard behavior used in a lot of places. You need to place the data or the CNAME exactly on the label given by the CA, not `my.example2.com` or whatever that is. – Patrick Mevzek Nov 13 '20 at 18:48
  • @Nishant There is no DNS propagation, this is a myth and please do not give false information such as "it takes up to an hour". If you want to test things, publish your records and you should be able to immediately see them if you do a proper `dig` query towards the authoritative nameservers. Do not rely on any recursive nameserver, such as Google Public DNS or any other one, for that job of checking. – Patrick Mevzek Nov 13 '20 at 18:49
  • @PatrickMevzek oh... isn't it true that DNS resolvers cache your resource record sets according to their time to live (TTL), and if it is set to 3600 it will take an hour? I mean, I do not know how GoDaddy is resolving it. Does it use auth nameservers? – Nishant Nov 13 '20 at 20:18
  • @Nishant If you query authoritative nameservers there are no TTLs coming into play, and this is the first step in debugging DNS-related problems; only after that can you use recursive nameservers. They do (mostly) respect TTLs, whose values can be anything. Depending on what you change in the zone, various other timers may have to be taken into account too, like the SOA negative TTL for example. So there is not just one value that could explain all cases, which was the point of my comment. – Patrick Mevzek Nov 13 '20 at 21:30
  • @PatrickMevzek got it, thanks for the explanation. – Nishant Nov 14 '20 at 06:21
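The two behaviours argued about in the comments, a resolver restarting a TXT query at the CNAME target and the rule that a CNAME owner cannot also hold a TXT, can be checked offline with this small model. It is an added example, not code from the question or from GoDaddy; the zone contents, the `_dnsauth` label and the token values are constructed.

```python
# Added example: a minimal model of RFC 1034 section 3.6.2 CNAME handling,
# used to reason about DNS-based domain validation. All zone data and the
# validation label are constructed sample values, not real records.
from typing import Dict, List, Tuple

# Constructed zones: owner name -> {rrtype: [rdata, ...]}.
ZONES: Dict[str, Dict[str, List[str]]] = {
    "abc.example1.com.": {"CNAME": ["my.example2.com."]},
    "my.example2.com.": {"A": ["192.0.2.10"], "TXT": ["ca-token-123"]},
    "_dnsauth.def.example1.com.": {"TXT": ["ca-token-456"]},
}


def add_record(zones: Dict[str, Dict[str, List[str]]], owner: str,
               rrtype: str, rdata: str) -> None:
    """Add a record, enforcing CNAME exclusivity: an owner with a CNAME may
    hold no other data. This is why the asker could not add the TXT
    directly beside the existing CNAME."""
    existing = zones.setdefault(owner, {})
    if (rrtype == "CNAME" and existing) or "CNAME" in existing:
        raise ValueError(f"{owner} cannot hold a CNAME alongside other records")
    existing.setdefault(rrtype, []).append(rdata)


def resolve(zones: Dict[str, Dict[str, List[str]]], qname: str, qtype: str,
            max_chain: int = 8) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Answer a query the way a recursive resolver does: if qname owns a
    CNAME (and the query is not for CNAME), restart at the canonical name.
    Returns (cname chain followed, rdata found); an empty list means NODATA.
    A chain longer than max_chain is treated as a loop."""
    chain: List[Tuple[str, str]] = []
    for _ in range(max_chain):
        rrsets = zones.get(qname, {})
        if qtype != "CNAME" and "CNAME" in rrsets:
            target = rrsets["CNAME"][0]
            chain.append((qname, target))
            qname = target
            continue
        return chain, list(rrsets.get(qtype, []))
    raise RuntimeError("CNAME chain too long, possible loop")


def dns_validation_passes(zones: Dict[str, Dict[str, List[str]]],
                          label: str, token: str) -> bool:
    """Model of a CA's DV check: the TXT at exactly `label` (after CNAME
    chasing from that label) must contain the token. A CNAME on a parent
    name such as abc.example1.com does not cover _dnsauth.abc.example1.com."""
    _chain, txts = resolve(zones, label, "TXT")
    return token in txts
```

Querying `abc.example1.com.` for TXT returns the token placed on `my.example2.com.`, so the asker's setup does work if the CA checks that exact name; it fails as soon as the CA checks a label the CNAME does not cover.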

0 Answers