Set Up DNS Verification

Starting with NetSuite 2024.1, HTTP-based challenges to verify domain ownership have been replaced by DNS-based verification.

DNS verification uses the Automatic Certificate Management Environment (ACME) protocol. ACME is a modern, standard protocol for automatically validating, issuing, and renewing X.509 certificates from a certificate authority (CA). With ACME, machines can receive certificates from a CA without human interaction.

All domain types in NetSuite must be secure. For secure domains, you need to set up a CNAME record for DNS verification with your domain provider. See Point Your Domain Name at Your Domain (DNS Settings).

How DNS Verification Records Work

DNS verification adds extra security when confirming ownership of your domain.

With DNS verification, a user requests a certificate from a CA by using ACME client software that supports DNS-based verification. When the client software requests a certificate, the CA asks the client to verify domain ownership by sending a unique token to the ACME client.

For example, if a client is trying to validate the domain example.com, the validation subdomain would be _acme-challenge.example.com. When the token value is added to the DNS zone, the client tells the CA to go ahead with validation. The CA then runs a DNS query on the domain’s DNS servers, and if the servers reply with the correct challenge token, domain ownership is verified and the certificate is issued.

NetSuite-hosted domains use CNAME records to delegate DNS verification to a NetSuite domain. For example, a DNS verification domain, like _acme-challenge.example.com, is delegated to NetSuite’s verification server, example.com.hosting-verify.netsuite.com.

In the DNS area of the Domain record in NetSuite, there is one CNAME record for DNS verification and one for web hosting. You need to set up both as CNAME records with your domain provider.

The CNAME record for DNS verification always starts with the prefix _acme-challenge.

Set Up DNS Verification Records

When you add a new secure domain in NetSuite, records for DNS verification and website hosting are automatically created and displayed on the Domain record page. You need to copy both and add them as CNAME records at your domain provider’s website.

In the following example, the record for DNS verification is highlighted.

Example of DNS verification CNAME

See Point Your Domain Name at Your Domain (DNS Settings) for information about setting up CNAME records on your domain provider’s website.

You should set up CNAME records with your domain provider before finishing domain setup in NetSuite. After you have set up the CNAME records with your domain provider, return to the Domain record in NetSuite and click Save. If you already saved the Domain record, go to Commerce > Hosting > Domains, click Edit next to your domain, and then click Save to redeploy.

DNS Verification Status Field

You can view the DNS verification status in the Status area of the NetSuite Domain record. The DNS Verification Status field lets you know if the ACME challenge is set up and configured correctly for your domain.

The DNS Verification Status field can have one of the following two statuses:

  • Your DNS record is configured correctly.

    A green tick icon is displayed to the left of this message.

  • Your DNS record is configured incorrectly.

    A red cross error icon is displayed to the left of this message. There will also be a red cross displayed in the DNS column on the Set Up Domains page.

    Note:

    The DNS status on the Set Up Domains page includes both the DNS and DNS verification statuses.

If there's an error with the DNS Verification Status, check with your domain provider to make sure the CNAME record for DNS verification is set up correctly.
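
One way to check the delegation yourself, as an added example (not NetSuite code): it compares the CNAME at _acme-challenge.<domain> with the target copied from the Domain record and distinguishes common provider-side mistakes. The function names, status strings, and the zone parameter are assumptions made for this example; live lookups assume the dig command is installed, and the sample answers are constructed from the page's example names.

```python
import subprocess

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot so names compare equal."""
    return name.strip().rstrip(".").lower()

def dig_lookup(name, rtype):
    """Live lookup with the dig CLI; returns the answer values for name/rtype."""
    out = subprocess.run(["dig", "+short", name, rtype],
                         capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line.strip()]

def check_delegation(domain, expected_target, zone=None, lookup=dig_lookup):
    """Return (status, detail) for the _acme-challenge CNAME of `domain`.

    expected_target is the value copied from the NetSuite Domain record.
    zone is the DNS zone at the provider (assumed equal to domain if omitted).
    """
    domain = normalize(domain)
    zone = normalize(zone or domain)
    challenge = "_acme-challenge." + domain
    cnames = [normalize(c) for c in lookup(challenge, "CNAME")]
    if cnames:
        if cnames[0] == normalize(expected_target):
            return "ok", cnames[0]
        # Whoever controls this target can answer the challenge for the domain.
        return "wrong-target", cnames[0]
    # Some provider forms append the zone to the host field, doubling the name.
    doubled = challenge + "." + zone
    if lookup(doubled, "CNAME"):
        return "misplaced", doubled
    # A TXT record here means the token was published directly, not delegated.
    if lookup(challenge, "TXT"):
        return "txt-not-cname", challenge
    return "missing", challenge

# Constructed sample answers (not real DNS data), using the page's example names.
SAMPLE = {
    ("_acme-challenge.example.com", "CNAME"):
        ["example.com.hosting-verify.netsuite.com."],
}

def sample_lookup(name, rtype, records=SAMPLE):
    """Offline stand-in for dig_lookup that answers from a dict of records."""
    return records.get((normalize(name), rtype), [])

if __name__ == "__main__":
    print(check_delegation("example.com", "example.com.hosting-verify.netsuite.com",
                           lookup=sample_lookup))
```

Omit the lookup argument to query live DNS, and pass zone when the secure domain is a subdomain of the zone managed at your provider.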
