[SC-82 Redux] Looking for Feedback on "3.2.2.4.22 DNS Record with Static Value" Language


Michael Slaughter

May 1, 2025, 3:39:13 PM
to Validation Subcommittee (CA/B Forum)
Hello, 

Thank you for all of the feedback and discussion provided earlier on today's call. The proposed language we discussed can be found here: https://github.com/slghtr-says/servercert/pull/3/files

I encourage you to continue to add questions, suggestions and clarifications as GitHub comments (ideally with suggested language!). 

Thanks, 
M. Slaughter
Amazon Trust Services 

Doug Beattie

May 21, 2025, 10:55:37 AM
to valid...@groups.cabforum.org

Hi Slaughter,

I’m trying to catch up on the latest approach for “CA assisted DNS Validation”. As I understand it, an applicant can create a DNS TXT record that perpetually permits the CA to keep that domain validation up to date and there is no longer a need for a random value challenge to be used each time.

So, here is an example:

If a customer wants a CA (specificCA.com) to keep the domain example.com updated all the time, then they can create a DNS TXT record:

Record location:   _validation-persist.example.com

Contents:   TXT "specificCA.com; accounturi=https://example.com/acct/123"

Where 123 is the account value supplied by the CA to this applicant and it’s unique per applicant.

It’s up to the CA as to when this is checked – can be done at time of issuance, or within X days, where X is the current domain re-use period.

Do I have that right?

Thanks!

Doug


Michael Slaughter

May 21, 2025, 12:25:13 PM
to Validation Subcommittee (CA/B Forum), doug.b...@globalsign.com

Hi Doug,

The content of the TXT would be in the form of:

"specificCA.com; accounturi=https://specificCA.com/account/123"

Where specificCA.com is the CA and the accounturi “https://specificCA.com/account/123” represents a unique applicant for specificCA.com.

> It’s up to the CA as to when this is checked – can be done at time of issuance, or within X days, where X is the current domain re-use period.

Like all other DCV methods, this method must be performed prior to certificate issuance to verify control of the domain by the Applicant.

The re-use period of that successful DCV for subsequent certificate issuances however is limited to the TTL of the TXT record or 8 hours (whichever is greater). This re-use period also SHALL not exceed the validation reuse period specified in section 4.2.1.

Hope that helps,

Slaughter
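To make the record format and the re-use rule from the two messages above concrete, here is an added example. It is not code from the thread, from the draft ballot text, or from any CA: it parses a `_validation-persist` TXT string, checks it against the CA identifier and account URI the CA expects for the applicant, and computes the re-use window as max(TTL, 8 hours) capped by the section 4.2.1 limit. The `;` field separator, the whitespace handling, the case-insensitive comparison of the CA identifier and the exact comparison of the account URI are assumptions about the format that the examples in the thread suggest but do not pin down; the 4.2.1 limit is taken as a parameter because the thread does not state its value, and the sample records are constructed, not the result of a real lookup.

```python
# Added example for the _validation-persist TXT record discussed in this thread.
# Not code from the thread, the draft ballot, or any CA. Assumed record format,
# following the thread's examples:
#     <CA identifier>; accounturi=<URI>
# Parsing assumptions: fields are ';'-separated, surrounding whitespace and an
# outer pair of double quotes are ignored, the CA identifier is compared
# case-insensitively as a DNS name, and the accounturi is compared exactly.

MIN_REUSE_SECONDS = 8 * 3600   # "TTL of the TXT record or 8 hours, whichever is greater"


def parse_persist_record(txt: str) -> dict:
    """Split one TXT string into {'ca': ..., 'accounturi': ...}; raise ValueError if malformed."""
    body = txt.strip()
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        body = body[1:-1]
    fields = [f.strip() for f in body.split(";")]
    if not fields[0]:
        raise ValueError("CA identifier missing")
    ca = fields[0].lower().rstrip(".")
    params = {}
    for field in fields[1:]:
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed parameter: {field!r}")
        params[key.strip().lower()] = value.strip()
    if not params.get("accounturi"):
        raise ValueError("accounturi parameter missing")
    return {"ca": ca, "accounturi": params["accounturi"]}


def record_authorizes(txt: str, expected_ca: str, expected_accounturi: str) -> bool:
    """True only if this TXT string names the expected CA and exactly the expected account URI."""
    try:
        rec = parse_persist_record(txt)
    except ValueError:
        return False
    if rec["ca"] != expected_ca.lower().rstrip("."):
        return False
    # Exact comparison: a prefix or substring match would let
    # .../account/1234 satisfy a check meant for .../account/123.
    return rec["accounturi"] == expected_accounturi


def any_record_authorizes(txt_records, expected_ca, expected_accounturi) -> bool:
    """A name may hold several TXT strings (one per CA); one matching record is sufficient."""
    return any(record_authorizes(r, expected_ca, expected_accounturi) for r in txt_records)


def reuse_window_seconds(ttl_seconds: int, section_4_2_1_limit_seconds: int) -> int:
    """Re-use period for a successful check: max(TTL, 8h), never above the 4.2.1 limit."""
    window = max(ttl_seconds, MIN_REUSE_SECONDS)
    return min(window, section_4_2_1_limit_seconds)


if __name__ == "__main__":
    # Constructed sample answer for _validation-persist.example.com (not a real lookup).
    sample_records = [
        '"otherCA.example; accounturi=https://otherCA.example/acct/9"',
        '" specificCA.com;  accounturi=https://specificCA.com/account/123"',
    ]
    ca, acct = "specificCA.com", "https://specificCA.com/account/123"
    print("authorized:", any_record_authorizes(sample_records, ca, acct))
    # Placeholder cap standing in for the section 4.2.1 value, which this thread does not state.
    print("reuse window (s):", reuse_window_seconds(ttl_seconds=300, section_4_2_1_limit_seconds=30 * 86400))
```

The check runs at issuance time against a fresh query of the `_validation-persist` name, as the reply above requires; the window returned by `reuse_window_seconds` only governs how long that one successful check may be relied on for later issuances. The exact account URI comparison is the part worth keeping even if the final ballot language changes the delimiter or parameter names: anything looser lets a record intended for one account satisfy a check for another.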
