Use DNS validation for certificates #247
Comments
Yeah, I saw that AWS added this feature. I considered supporting it, but the problem is that DNS can take a really variable amount of time to propagate. Right now verification by email takes seconds or maybe minutes. Verification by DNS could take hours. 😕
In my case I don't have easy access to whatever email address is being introspected here. In my experience DNS validation happens in a matter of seconds when using the AWS console during a certificate create flow.
Ah, I see. It looks at the contact information in the WHOIS database to determine what email addresses to send to. I think that problem is a bit of an edge-case. If there was an easy way to solve it I would, but switching to DNS verification would be more problematic, I think. Route53 might be quite fast, but not all DNS providers are. I could support both methods of verification, but that adds complexity to the tool and makes it slightly more confusing to use. I’m not sure there’s a great improvement to be had here, unfortunately 😞
I am having trouble with verification by email. It seems .com.br domain information is not available for lookup. I never received my verification e-mail. Speaking of DNS for validation, I think it's a great idea. If you are hosting your website on S3 and distributing using CloudFront you probably will use Route53 for DNS - I mean, why wouldn't you?
@dominiquedutra Did you wind up sorting out the verification issue? Well, some people might use Route53, but some people might not. For example, I don’t. I already have my DNS handled for all my sites in a place I like so there’s no reason for me to switch. I really wouldn’t want to lock people into a specific DNS provider in order to use Discharge.
Instead of sending an email, you can just use Route53 to add a new DNS record to verify new certificates. This would in theory require no user intervention at all.
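The Route53 approach proposed in this issue, sketched as an added example (not code from the Discharge project or from any participant in the thread): it turns the DNS validation records that ACM's DescribeCertificate returns into a change batch for Route 53's ChangeResourceRecordSets. The function name `buildValidationChangeBatch`, the TTL, and all sample values are assumptions constructed for illustration; no AWS calls are made.

```javascript
// Build a Route 53 change batch from an ACM certificate's validation options.
// `certificate` mirrors the Certificate object returned by DescribeCertificate.
function buildValidationChangeBatch(certificate, zoneName) {
  const zone = zoneName.toLowerCase().replace(/\.$/, "");
  const seen = new Set();
  const changes = [];
  const pending = []; // ACM has not published the record yet; caller should retry
  const skipped = []; // record name is outside the hosted zone we manage

  for (const opt of certificate.DomainValidationOptions || []) {
    if (opt.ValidationStatus === "SUCCESS") continue; // already validated
    const rr = opt.ResourceRecord;
    if (!rr) { pending.push(opt.DomainName); continue; }
    const name = rr.Name.toLowerCase().replace(/\.$/, "");
    // Never write a record that falls outside the zone the caller named.
    if (name !== zone && !name.endsWith("." + zone)) {
      skipped.push(opt.DomainName);
      continue;
    }
    // example.com and *.example.com share one validation CNAME: emit it once.
    if (seen.has(name)) continue;
    seen.add(name);
    changes.push({
      Action: "UPSERT",
      ResourceRecordSet: {
        Name: rr.Name,
        Type: rr.Type,
        TTL: 300, // assumed value
        ResourceRecords: [{ Value: rr.Value }],
      },
    });
  }
  return { changeBatch: { Comment: "ACM DNS validation", Changes: changes }, pending, skipped };
}

// Constructed sample input (not real ACM output).
const cname = { Name: "_abc123.example.com.", Type: "CNAME", Value: "_def456.acm-validations.aws." };
const sampleCertificate = {
  DomainValidationOptions: [
    { DomainName: "example.com", ValidationStatus: "PENDING_VALIDATION", ResourceRecord: cname },
    { DomainName: "*.example.com", ValidationStatus: "PENDING_VALIDATION", ResourceRecord: cname },
    { DomainName: "www.example.com", ValidationStatus: "PENDING_VALIDATION" }, // record not ready
    { DomainName: "example.org", ValidationStatus: "PENDING_VALIDATION",
      ResourceRecord: { Name: "_aaa111.example.org.", Type: "CNAME", Value: "_bbb222.acm-validations.aws." } },
  ],
};
const sampleResult = buildValidationChangeBatch(sampleCertificate, "example.com");
```

A caller would submit `changeBatch` only when `Changes` is non-empty, and poll DescribeCertificate again for any names left in `pending`.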