Validation of Domains for SWITCHpki

Registering a domain for SWITCHpki requires a proof of control over the domain by the organization.

SWITCH will request such a proof

  • for each new domain being registered for usage in SWITCHpki
  • for existing domains on a regular basis

Organizations can choose from the two methods described below.

Validation Methods

Method "DNS Change"

This is the recommended method.

The organization can prove control over the domain by creating a DNS TXT record for the domain containing the random value.

The organization will receive a random value specific to the domain to be validated from SWITCH. The organization needs to add the following DNS record:

<domain.tld>.  IN  TXT  "<random value>"

Adding the TXT record for the main domain name, as shown above, is the preferred way. But if a conflicting CNAME for the main domain name already exists, adding a TXT record for the main domain name is not allowed. In this case, the following alternative DNS record can be added instead:

_dnsauth.<domain.tld>.  IN  TXT  "<random value>"

Example records:

example.org.           IN  TXT  "QuoVadis=5605c035-711a-48ad-a08d-44e98b08de7e"
_dnsauth.example.org.  IN  TXT  "QuoVadis=5605c035-711a-48ad-a08d-44e98b08de7e"

Note: only one of the two records needs to be added. The prefix "QuoVadis=" must be included.

Required steps:

  1. SWITCH will request a random value for the domain from QuoVadis.
  2. SWITCH will provide you with the random value for the domain.
  3. Add the DNS TXT record containing the random value, as described above.
  4. Tell SWITCH that the DNS record has been added.
  5. SWITCH will ask QuoVadis to validate the domain.

Method "Agreed-Upon Change to Website"

The organization can prove control over the domain by storing a random value at a well-known location on the web server, available via HTTPS at a URL reachable via the domain name.

The organization will receive a random value specific to the domain to be validated from SWITCH. The organization needs to place a text file containing the random value on a single line at the following location:

https://<domain.tld>/.well-known/pki-validation/fileauth.txt

If this URL is redirected, e.g. to https://www.<domain.tld>/.well-known/pki-validation/fileauth.txt, the method will still work.

Example file:

URL:

https://example.org/.well-known/pki-validation/fileauth.txt

File contents:

QuoVadis=5605c035-711a-48ad-a08d-44e98b08de7e

Required steps:

  1. SWITCH will request a random value for the domain from QuoVadis.
  2. SWITCH will provide you with the random value for the domain.
  3. Store the random value in the file on the webserver as described above.
  4. Tell SWITCH that the file is ready.
  5. SWITCH will ask QuoVadis to validate the domain.
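Before telling SWITCH that the record or file is in place (step 4 of either method), it is worth checking the published data yourself so the QuoVadis validation does not fail on a typo, a missing "QuoVadis=" prefix, or a web server that answers the fileauth.txt URL with an HTML error page. The following self-check script is an added example and is not tooling from SWITCH or QuoVadis; it assumes only the record and file formats shown above. The DNS answers and file bodies it uses are constructed sample input in the style of `dig +noall +answer` output; `fetch_fileauth` is the only part that needs network access and is not exercised by the built-in checks.

```python
"""Self-check for the two SWITCHpki domain validation methods (added example).

Covers the "DNS Change" method (TXT at the apex or under _dnsauth) and the
"Agreed-Upon Change to Website" method (fileauth.txt served over HTTPS).
"""
import re
import ssl
import urllib.request
from typing import Optional

# Constructed sample value in the format shown on the page (not a real token).
SAMPLE_TOKEN = "QuoVadis=5605c035-711a-48ad-a08d-44e98b08de7e"

# Constructed dig answers: the apex has a CNAME, so a TXT record there is not
# allowed and the value was published under the _dnsauth fallback instead.
SAMPLE_DIG_OUTPUT = """\
example.org.            300  IN  CNAME  web.example.org.
_dnsauth.example.org.   300  IN  TXT    "QuoVadis=5605c035-711a-48ad-a08d-44e98b08de7e"
"""


def expected_txt_names(domain: str) -> list[str]:
    """Owner names where the TXT record may live: the main domain name first,
    then the _dnsauth alternative used when a conflicting CNAME exists."""
    d = domain.rstrip(".").lower()
    return [f"{d}.", f"_dnsauth.{d}."]


def parse_dig_txt(output: str) -> dict[str, list[str]]:
    """Parse `dig +noall +answer`-style lines into {owner name: [TXT strings]}.
    Non-TXT lines are ignored; adjacent quoted strings in the RDATA are joined
    the way resolvers present them."""
    records: dict[str, list[str]] = {}
    for line in output.splitlines():
        parts = line.split(None, 4)  # owner, ttl, class, type, rdata
        if len(parts) == 5 and parts[3] == "TXT":
            value = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', parts[4]))
            records.setdefault(parts[0].lower(), []).append(value)
    return records


def check_dns_method(dig_output: str, domain: str, token: str) -> Optional[str]:
    """Return the owner name that carries the token, or None if neither of the
    two permitted names does. The prefix requirement from the page is enforced."""
    if not token.startswith("QuoVadis="):
        raise ValueError('the random value must include the "QuoVadis=" prefix')
    records = parse_dig_txt(dig_output)
    for name in expected_txt_names(domain):
        if token in records.get(name, []):
            return name
    return None


def check_file_contents(body: str, token: str) -> bool:
    """The file must hold the random value on a single line. A trailing newline
    is tolerated; a BOM, extra lines, or an HTML error page all fail."""
    return body.rstrip("\r\n") == token


def fileauth_url(domain: str) -> str:
    """Well-known location defined on the page for the website method."""
    return f"https://{domain.rstrip('.')}/.well-known/pki-validation/fileauth.txt"


def fetch_fileauth(domain: str, timeout: float = 10.0) -> str:
    """Online part: fetch the file over HTTPS with certificate verification.
    urllib follows redirects, e.g. to the www host, which the page allows."""
    req = urllib.request.Request(fileauth_url(domain), headers={"User-Agent": "fileauth-check"})
    with urllib.request.urlopen(req, timeout=timeout, context=ssl.create_default_context()) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    where = check_dns_method(SAMPLE_DIG_OUTPUT, "example.org", SAMPLE_TOKEN)
    print("DNS method:", f"token found at {where}" if where else "token not found")
    ok = check_file_contents(SAMPLE_TOKEN + "\n", SAMPLE_TOKEN)
    print("Website method (sample body):", "ok" if ok else "mismatch")
```

In practice, run `dig +noall +answer TXT example.org _dnsauth.example.org` against a public resolver rather than your own authoritative server, so that you see what QuoVadis will see after propagation, and feed that output to `check_dns_method`; for the website method, pass `fetch_fileauth("example.org")` to `check_file_contents`.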

Further information

Don't hesitate to contact us (preferably through pki@switch.ch) if you have any questions regarding the validation of domains.