In ACM, I always have to register the CNAME record that is provided by ACM. It says that it checks the domain ownership with this CNAME record, but how does it actually check whether the domain I specified in ACM is actually owned by me? I would be grateful for any explanations!
By resolving the record via the public DNS. Only if you own the actual domain can you register a CNAME that will actually be delivered publicly. You can create a CNAME for me.google.com but that record will never see the light of day because google.com will not ask your nameserver for that name. (I am not sure of the exact terminology here) Note that this is not specific to ACM, a lot of certificate authorities do the DNS validation. – luk2302 Jun 25 '21 at 08:03
2 Answers
In short, a certificate authority (such as ACM) will try to resolve the CNAME record for your domain via the public DNS. After that it compares the value it retrieved from the DNS with the value it stored internally, i.e., the value sent to you. If they match, your domain is validated.
In layman's terms, it tells you a secret and then asks you to display that secret in, say, a window of your house. After that it drives by your window to check if the displayed secret is correct. If it is, it means you own the house (or at least have access to it).
Best, Stefan
luk2302 explained the idea in the comments already, I'll elaborate a bit.
As you correctly observed, ACM can use DNS validation to confirm ownership of a specific domain. Ownership in this case is roughly defined as "the ability to make changes to the official DNS records", so it's more like control and not technically ownership.
How do you check if somebody is able to control a domain?
You ask them to set some records on the domain that contain values you have created and later check if these records exists. If they do, they control the domain.
Why does this work?
DNS is a hierarchical distributed database. A DNS record like stackoverflow.com. (the last dot is intentional, but usually omitted) consists of multiple levels that are read from right to left. The . on the right denotes the root zone. The root zone holds all the records directly below it, the so-called top level domains (TLDs) like .com, .net or .org. The nameservers behind the .com TLD hold all the records directly below it, so they know who controls stackoverflow.com. If you start at the top of the hierarchy and work your way to the bottom, you will find out which servers own a domain.
You could set up your own DNS server and create records for stackoverflow.com, but nobody is going to talk to it and explicitly query it, because it's not part of the hierarchy. You could configure your local DNS resolver to talk to your own DNS server, but Amazon (who verify ownership) won't do that.
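The two answers above describe the same mechanism: the CA walks the public DNS hierarchy from the root down to the authoritative nameserver, reads the CNAME it asked you to create, and compares it with the value it issued. The following added example (not code from ACM, AWS or either answerer) models that walk with a constructed toy hierarchy; all server names, zone data and the validation token are made up, and a "rogue" server that nobody delegates to is included to show why records outside the hierarchy are never consulted.

```python
"""Toy model of CNAME-based domain-control validation (constructed example)."""
from typing import Optional

# Each nameserver holds one zone: owner name -> (record type, value).
# NS records are delegations; a resolver starting at the root only ever
# reaches servers that some parent zone points to.  All data is constructed.
SERVERS = {
    "root": {"com.": ("NS", "tld-com")},
    "tld-com": {"example.com.": ("NS", "ns1.example.com")},
    "ns1.example.com": {
        # The record the domain holder created on the CA's request.
        "_validation.example.com.": ("CNAME", "_token123.ca-validation.example."),
    },
    # Holds a record for the same name, but no zone delegates to it,
    # so a walk from the root never asks it anything.
    "rogue": {"_validation.example.com.": ("CNAME", "_forged.attacker.example.")},
}


def resolve(name: str, rtype: str, server: str = "root", depth: int = 0) -> Optional[str]:
    """Follow NS delegations from `server` until an authoritative answer or nothing."""
    if depth > 8:  # guard against delegation loops in the toy data
        return None
    zone = SERVERS.get(server, {})
    if name in zone and zone[name][0] == rtype:
        return zone[name][1]
    # A parent zone has no data for the child, only a pointer to the server
    # that does: find the longest suffix of `name` this zone delegates.
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in zone and zone[parent][0] == "NS":
            return resolve(name, rtype, zone[parent][1], depth + 1)
    return None


def cname_validates(record_name: str, expected_value: str) -> bool:
    """What the CA does: resolve via the hierarchy, compare with the value it issued."""
    observed = resolve(record_name, "CNAME")
    if observed is None:
        return False
    # DNS names are case-insensitive; the trailing dot is optional in practice.
    return observed.lower().rstrip(".") == expected_value.lower().rstrip(".")
```

Resolving from "rogue" directly would return the forged value, but `cname_validates` starts at the root, so the forged record is never seen and only the value published by the delegated nameserver can pass.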