in ACM, I always have to register the CNAME record that is provided by ACM. It says that it checks the domain ownership with this CNAME record, but how does it actually check whether the domain I specified in ACM is actually owned by me? Any explanations would be greatful!
In short a certificate authority (such as ACM) will try to resolve the CNAME record for your domain via the public DNS. After that it compares the value it retrieved from the DNS with the value it stored internally, i.e., the value send to you. If they match, your domain is validated.
In layman's terms it tells you a secret and then asks you to display that secret in say a window of your house. After that it drives by your window to check it the displayed secret is correct. If it is, it means you own the house (or at least have access to it).
Best, Stefan
luk2302 explained the idea in the comments already, I'll elaborate a bit.
As you correctly observed, ACM can use DNS validation to confirm ownership of a specific domain.
Ownership in this case is roughly defined as "the ability to make changes to the official DNS records", so it's more like control and not technically ownership.
How do you check if somebody is able to control a domain?
You ask them to set some records on the domain that contain values you have created and later check if these records exists. If they do, they control the domain.
Why does this work?
DNS is a hierarchical distributed database.
A DNS record like stackoverflow.com. (the last dot is intentional, but usually omitted) consists of multiple levels that are read from right to left.
The . on the right denotes the root zone.
The root zone holds all the records directly below it, the so called top level domains (TLDs) like .com, .net or .org.
The nameservers behind the .com TLD hold all the records directly below it, so they know who controls stackoverflow.com..
If you start at the top of the hierarchy and work your way to the bottom, you will find out which servers own a domain.
You could set up your own DNS server and create records for stackoverflow.com, but nobody is going to talk to it and explicitly query it, because it's not part of the hierarchy. You could configure your local DNS-resolver to talk to your own DNS-Server, but Amazon (who verify ownership) won't do that.
Related
I am getting an error when trying to create a new domain for another website. I am a web developer and I host many sites so I need to have a lot of domains. How can I add more domains?
Currently on the Free plan (because my sites don't exceed the limit) however it seems like I need to upgrade... I can't find any limitations at all for domains.
Does any one know what I can do to resolve this issue?
You are correct that the free plan does not allow for custom domains. Once you add a credit card, you will be given 5,000 emails for free and a 3 month trial of the flex plan. This plan allows for up to 5 domains max. If you have more than 5 domains you may want to reach out to the sales team to see about a custom plan, they are able to accomodate adding more domains. Here is a link to the differences between plans.
Once you have upgraded (or added a credit card!), you can add a domain by following these steps:
Inside the Mailgun Control Panel (options displayed down the left-hand side on a dark column), use the following instructions:
First, click on Sending on the left-hand side of your the Mailgun dashboard. Then click the green Add New Domain button. Enter your Domain Name and choose your additional options. The region your domain will reside: US or EU.
Next step is to create DKIM Authority - you would generally leave this checked by default. Then, decide on DKIM Length - a longer DKIM key will make spoofing your emails by malicious spammer more difficult. 1024-bit is selected by default, but 2048-bit can be used as well. Keep in mind that some DNS providers may have an issue with a 2048-bit DKIM keys, as they produce a string longer than 255 characters (exceeding the maximum character limit for a DNS entry). Once your options are set, click Add Domain to save your new domain.
Through the api for Amazon AWS Route 53 I'm adding a new CNAME record to an existing zone. I want to test to see if the record was added correctly.
Do I need to wait for propagation? Or since its a new record will it be grabbed immediately?
I saw an article which mentioned waiting for it to propagate but it was for creating a whole new zone; which I do not have to do since im adding it to an existing one.
The use case is I could be adding these (CNAME Records) on the fly and need to check to make sure they were added correctly.
I think you are mixing two things: the delay between your updates on your provider web based interface and the change on all Route53 authoritative nameservers on one side, and on the other side after the change in authoritative nameservers the delay for all recursive nameservers in the world to be aware. The first case depends only on Amazon infrastructure. But you can query its authoritative nameservers and see if the resource is published. The second case is not really a propagation, and depends on TTLs and negative TTLs.
So I will focus more on the second case.
The methodology is simple:
start by querying the authoritative nameservers for your resource, double check they reply correctly. You can even use online troubleshooting tools for that: https://zonemaster.net/ and https://graphviz.net/
after that it is time to check recursive nameservers around the world.
First, a bit of terminology. Everyone uses that term, but "propagation" is wrong in the context of DNS. Because when you change something on the authoritative nameservers they do not push their changes top down to all other recursive nameservers in the world, as it would be just impossible.
On the contrary, recursive nameservers will "at some point" (it depends both on the zone content, state of their cache, and local policies), after a query redirected to them (except rare cases of upfront automated cache renewals) contact again one of the authoritative nameserver and pull the newest data.
So, you can start querying some "well known" open recursive nameservers to see what they learned for your resource: 1.1.1.1, 8.8.8.8, or 9.9.9.9, besides your own local ones (running on your own servers or using your ISP one), and it may be useful to use more than one as their caches will be in different states which will impact the results as explained above.
Here are some details on what happens exactly when you query a specific recursive nameserver for your resource:
if its cache is completely empty for your domain/resource (for example it was just rebooted) it will immediately query the authoritative nameserver for the info, hence your change is immediately visible to it and all its clients
this resource will be cached by the nameserver based on the TTL given by the authoritative one. "Normally" this is the maximum amount of time the record will stay in the recursive cache during which it will not query again the authoritative nameservers to check if something has changed. Two important points: one, the consensus is that the standards mandate it to be a maximum value, so caches are free to be cleared before it (for example space constrained caches may wish to evict oldest entries to make some space); two, it is known that some nameservers and/or nameservers deployments will alter the TTL value, for whatever local policy, so they may extend it for example if they deem it as being too low (it is considered in a way to be against the standard but that case exists as well as people putting TTLs as low as 1 or 5 seconds which is just as silly)
now, another important case that often baffles people, especially those testing. If you add a new resource in your zonefile but query for its existence just before the change, the authoritative nameservers will reply with NXDOMAIN ("this resource does not exist") and this information will also be cached by recursive nameservers, for an amount of time called "negative TTL" (it is still a positive number acting as a delay, but called negative because it applies to negative replies such as "this resource does not exist). So in a way you "pollute" the cache because if you do the changes in your authoritative nameservers and just after query your recursive one again, it will still reply "no such resource" because it has this information in its cache.
So the key point is always to clearly separate tests on authoritative vs recursive nameservers and to be fully aware of the properties attached to a recursive cache.
Route53 is a distributed DNS management system. When you create a new CNAME or any record set within a Hosted Zone, it needs to be propagated to distributed servers running in AWS edge locations. This can take few seconds to few minutes.
Note: The creating propegation of a record set differs from updating. This is because even after the update, the old record set could live up to the TTL value defined in the external caches.
Let's say I have a contact form where a user can enter his email address along with his other contact details. I need to check the validity of Generic top level domain or top level domain of the email address. An example:
scarlet.1992#examplemail.paris
I need to check if .paris is a valid top level domain.
Please refer to this link for the list of domains available, which gives a number around 1200. Storing the domain names in a local table and searching is not an option since new domains are being introduced everyday.
Please let me know if there is any web service or free API available for this, or there is any other way to validate the email address.
The simplest way to find out whether a domain exists is to check whether it has a name server.
Considering that a TLD costs around $100,000 it is very likely that every one that is purchased is in use. Also, if it doesn't have a name server, you can't send anything to it anyway.
Using dig you can run
dig NS +short paris
which will give
h.ext.nic.fr.
d.nic.fr.
g.ext.nic.fr.
f.ext.nic.fr.
whereas
dig NS +short adsfadfs
returns nothing.
There is nothing wrong with storing a list of TLDs locally when you need a quick answer for client-side validation or don't want to consume network resources for a reverse DNS lookup.
Email addresses from newer TLDs are extremely rare for most use cases. I update my list about once per year and find that it's good enough.
Websites that have sort of a secondary domain.
What are links like these called?
Can it be done trough code or is it a domain thing?
This isn't a coding question - this is related to network and DNS administration.
The "drive" part of "drive.google.com" is just a subdomain or machine name on the "google.com" domain. As far as DNS is concerned, it is even easier - these are just additional entries in your DNS configuration. There is almost nothing special that needs to be done.
I am maintaining a project with quite a large server infrastructure.
At the moment I am using several SSL certificates for different subdomains, and that's not easy on the pocket.
A far more economical solution for me would be to get one wild card certificate and use it on all of my servers.
However those servers are spread across the globe, and if one of them gets compromised - physically or by any other means, the secret certificate key would fall into the hands of whoever gets into the system.
In that case, if I used a wild card certificate, the key compromised key would also be the key for all other components of the system (because they have the same certificate).
I do not want to compromise the SSL security of my main website because some unimportant edge server has been compromised.
That's why I wondered whether I can sign my own CSR for my own subdomains somehow.
Something like a "self service top level domain wide intermediate certificate authority"
Is there such a thing? As far as I understand certificate authorities and intermediate certificate authorities are not limited to specific scopes on their common name (domain).
However I know that for example Google on the fly generates certificates for security purposes on special parts of their website.
I wonder how they do that. Or are they a certificate authority on their own?
Hope the question is clear,
any help is appriciated!
I don't know if Google is a certificatation authority, I don't seem to find their CA.
Anyway, no Certification Authority should ever deliver a global intermediate CA. Some did and it lead to abuse, as expected. There is no way to deliver a intermediate CA limited to a CN, so no, there is no way to do what you are looking for.
It could be done by using DANE, though, but it will not be mainstream before many years. See https://www.rfc-editor.org/rfc/rfc6698
MPKI, Managed Public Key Infrastructure will give you the ability to create your own certs instantly on your pre-approved domains.
I do not think this will save you any money but does allow you to do many of the items you requested.
About Google: Google has an intermediate certificate issued by GeoTrust.