Successful certificate issuance depends on correctly configured and consistent DNS records. Google Trust Services performs domain validation (DV) to verify control over a domain. Inconsistencies or misconfigurations in your DNS records can lead to validation failures.
Tools
We recommend using public tools to verify your DNS configuration from an external perspective:
- Google Public DNS (Web Interface) - A quick way to check your DNS records. Check for CAA records or TXT records used for ACME challenges.
- dig Command Line - Use the dig tool to query Google Public DNS directly:
dig @8.8.8.8 example.com CAA
Common Issues
These are the most common problems we see:
CAA Records
Certificate Authority Authorization (CAA) records must permit pki.goog to issue certificates for your domain. Use the previously mentioned tools to verify your CAA records.
Global Availability (MPIC)
Google Trust Services performs validation from multiple global locations. Ensure that your DNS and web servers do not geo-block requests or otherwise answer differently depending on where a request originates, as this can cause validation failures.
We expect DNS records to be available publicly; do not exclusively serve them to Google DNS resolvers, or validations could fail.
Inconsistent Records
Ensure that your DNS records are consistent across all of your authoritative name servers. Validation may fail if different servers return different results.
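As an added example (not Google Trust Services code), the following Python evaluates whether the CAA records covered in the CAA Records section permit pki.goog and compares the answers of several authoritative servers as the Inconsistent Records section asks. The dig-style answer lines it consumes are constructed, and the RFC 8659 evaluation rules it applies (climb to the parent when a name has no CAA, issuewild for wildcard names, an empty issuer forbids every CA) are assumed rather than stated on this page.

```python
"""Offline CAA check for pki.goog plus a cross-nameserver consistency check.
Added example, not Google Trust Services code; the CAA answer lines fed in are
constructed in the format 'dig <name> CAA' prints. Evaluation follows RFC 8659.
"""
import re
from typing import Dict, List, Tuple

CAA_LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')
Record = Tuple[int, str, str]  # (flags, tag, value)

def parse_caa(answer_text: str) -> Dict[str, List[Record]]:
    """Group dig-style CAA answer lines by owner name (lower-cased, no trailing dot)."""
    records: Dict[str, List[Record]] = {}
    for line in answer_text.splitlines():
        m = CAA_LINE.match(line.strip())
        if m:
            name = m.group(1).rstrip(".").lower()
            records.setdefault(name, []).append((int(m.group(2)), m.group(3).lower(), m.group(4)))
    return records

def relevant_rrset(records: Dict[str, List[Record]], name: str) -> List[Record]:
    """Walk from name to its parents; return the first non-empty CAA RRset, else []."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if records.get(".".join(labels[i:])):
            return records[".".join(labels[i:])]
    return []

def caa_permits(records: Dict[str, List[Record]], fqdn: str, issuer: str = "pki.goog") -> bool:
    """True if CAA allows `issuer` to issue for fqdn; a leading '*.' marks a wildcard."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(records, fqdn[2:] if wildcard else fqdn)  # wildcard label is skipped
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False  # critical flag on an unknown tag: a CA must not issue
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    issuers = [v.split(";")[0].strip().lower() for _, t, v in rrset if t == tag]
    if not issuers:
        return True  # RRset has no issue/issuewild property (e.g. only iodef): no restriction
    return issuer.lower() in issuers  # issue ";" yields "" and so forbids every CA

def differing_servers(answers: Dict[str, str]) -> List[str]:
    """Servers whose CAA answer differs from the first server's, ignoring record order."""
    parsed = {ns: sorted((n, r) for n, rs in parse_caa(txt).items() for r in rs)
              for ns, txt in answers.items()}
    first, *rest = parsed
    return [ns for ns in rest if parsed[ns] != parsed[first]]
```

Feed `differing_servers` the answer section of `dig @<each authoritative server> <name> CAA` for every name server the domain delegates to; any server it lists is returning a different record set and must be brought in sync before issuance is retried.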