-1

I hope you could help me with this one. Here is the case:

I have a domain in ZoneEdit name dummysite.org.

This domain has the following A records:

HOST              IP ADDRESS      TTL
@.dummysite.org   193.10.xx.xx    default
@.dummysite.org   52.67.xxx.xxx   default
www.dummysite.org 193.10.xx.xx    default
www.dummysite.org 52.67.xxx.xxx   default

Basically, dummysite.org is just a domain that redirects to either one of the IP addresses listed above. Both IP addresses have their own servers and SSL Certificates.

Now, is it possible for dummysite.org to have its own SSL certificate, given that it does not have a physical host/server? It's really just a domain that redirects to my other servers.

I am asking this because one user of my site tried to access dummysite.org via HTTPS (https://dummysite.org) and he encountered "Your connection is not private" error.

"This server could not prove that it is dummysite.org; its security certificate is from 193.10.xx.xx. This may be caused by misconfiguration or an attacker intercepting your connection."

Haetnim Ha
  • 11
  • 1
  • 1
    `123.456.78.99` and `998.765.43.21` are not IPv4 addresses. Please stop obfuscating badly, including for names too. – Patrick Mevzek Nov 17 '22 at 03:57
  • Ask your CA, you can validate DV-certificates typically with dns-01 validation method, if you don't want to do http-01, so a simple `TXT` record in DNS can be enough. – Patrick Mevzek Nov 17 '22 at 03:58

1 Answer

1

TLS certificates live on web servers (or other devices/software providing network services). They don't live on a domain in DNS.

So in short, no. You can't host a certificate just in the DNS zone you control and have it work with a web server you don't control.

However, as the owner (or person in control) of the DNS zone, you could obtain a certificate for that domain and send it to the web server owner to use. Due to the way public certificate validation works, the web server owner could also obtain the certificate themselves because you've pointed your domain name at their server (effectively delegating control of that DNS name).

P.S. When you point your DNS records at a web server's IP address, you're not technically "redirecting" anything. The web client goes directly to the IP you've pointed to. The term "redirect" usually implies a specific HTTP protocol response where the web server a client initially hits tells the client to go somewhere else (a different URL or web server entirely).

Ryan Bolger
  • 16,755
  • 4
  • 42
  • 64
  • Thank you for your answer! I would just like to clarify things based on your answer: this means that I cannot create an SSL cert for my domain in DNS **alone**, but I could create an SSL cert for my domain DNS together with the other web servers that it is pointing to? Like a wildcard SSL cert? – Haetnim Ha Nov 17 '22 at 07:44
  • It might help to separate the concept of creating/obtaining the cert from using the cert with a web server. You can obtain a cert via DNS alone (wildcard or not is irrelevant) from your personal desktop, but it's useless without a web server to install it on. And if the cert needs to live on a web server you don't control, it would usually be more efficient for the person who controls the web server to obtain it in the first place. – Ryan Bolger Nov 17 '22 at 18:38
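The browser error quoted in the question is the result of hostname verification: the client compares the name it was asked to connect to against the names listed in the certificate the server actually presented, and DNS plays no part in that comparison. The following is an added illustration, not code from the question, the answer or ZoneEdit, that reproduces those matching rules (RFC 6125 style: case-insensitive labels, a wildcard only as the whole leftmost label, and a wildcard never covering the apex name). The certificate name lists and the 192.0.2.x addresses are constructed samples; the `("DNS", ...)` / `("IP Address", ...)` pair format is the one Python's `ssl` module returns from `getpeercert()["subjectAltName"]`.

```python
"""Hostname verification the way a browser applies it to a server
certificate's Subject Alternative Name (SAN) entries.

Added example for illustration; the SAN lists below are constructed
samples, not certificates from the servers in the question.
"""

import ipaddress


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry (which may be a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" in pattern:
        # A wildcard is only accepted as the complete leftmost label and
        # must be followed by at least two more labels ("*.org" is rejected).
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
            return False
    # Label counts must agree: "*.dummysite.org" has three labels, so it can
    # never match the two-label apex "dummysite.org" or "a.b.dummysite.org".
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def certificate_covers(hostname: str, san_entries: list) -> bool:
    """san_entries: list of (kind, value) pairs such as ("DNS", "www.dummysite.org")
    or ("IP Address", "192.0.2.10"). An IP literal in the URL is only matched
    against IP Address entries, a DNS name only against DNS entries."""
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    for kind, value in san_entries:
        if kind == "DNS" and wanted_ip is None and dns_name_matches(value, hostname):
            return True
        if kind == "IP Address" and wanted_ip is not None:
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:
                continue  # malformed entry in the certificate; skip it
    return False


def diagnose(hostname: str, san_entries: list) -> str:
    """Produce a one-line verdict in the spirit of the browser's message."""
    if certificate_covers(hostname, san_entries):
        return f"ok: certificate covers {hostname}"
    listed = ", ".join(value for _, value in san_entries) or "(no names)"
    return f"mismatch: certificate is for {listed}; it does not cover {hostname}"


# Constructed samples (not the real certificates from the question):
# the certificate one backend server presents, issued for its own name
# and address only.
BACKEND_CERT_SANS = [("DNS", "www.dummysite.org"), ("IP Address", "192.0.2.10")]
# A wildcard certificate, which covers www. but not the bare domain.
WILDCARD_CERT_SANS = [("DNS", "*.dummysite.org")]
# What the backend needs to present for https://dummysite.org to work.
APEX_CERT_SANS = [("DNS", "dummysite.org"), ("DNS", "www.dummysite.org")]


if __name__ == "__main__":
    for label, sans in (("backend", BACKEND_CERT_SANS),
                        ("wildcard", WILDCARD_CERT_SANS),
                        ("apex+www", APEX_CERT_SANS)):
        for name in ("dummysite.org", "www.dummysite.org"):
            print(f"{label:9} {diagnose(name, sans)}")
```

Running the script shows that pointing both the apex and `www` A records at the same server does nothing for the apex name unless the certificate installed on that server lists `dummysite.org` itself; a `*.dummysite.org` wildcard is not enough for the bare domain. The check is applied by the client, which is why the fix lives on each backend server, not in the zone.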