Delegated DCV

Delegated DCV allows zones with partial DNS setups - meaning authoritative DNS is not provided by Cloudflare - to delegate the DCV process to Cloudflare.

DCV Delegation requires you to place a one-time record that allows Cloudflare to auto-renew all future certificate orders, so that there’s no manual intervention at the time of the renewal.

Availability

	Free	Pro	Business	Enterprise
Availability	Included with Advanced Certificate Manager	Included with Advanced Certificate Manager	Included with Advanced Certificate Manager	Included with Advanced Certificate Manager

When to use

You should use Delegated DCV when all of the following conditions are true:

Your zone is using a partial DNS setup.
Cloudflare is not already performing DCV automatically.
Your zone is using an Advanced certificate.
Your zone is not using multiple CDN providers.
The Certificate Authority is either Google or Let’s Encrypt

Setup

To set up Delegated DCV:

Order an advanced certificate for your zone, choosing TXT as the Certificate validation method.
On SSL/TLS > Edge Certificates, go to DCV Delegation for Partial Zones.
Copy the Cloudflare validation URL.
At your authoritative DNS provider, create CNAME record(s) considering the following:

If your certificate only covers the apex domain and a wildcard, you only need to create a single CNAME record for your apex domain. Any direct subdomains will be covered as well.

_acme-challenge.example.com CNAME example.com.<COPIED_VALIDATION_URL>.

If your certificate also covers subdomains specified by their name, you will need to add multiple CNAME records to your authoritative DNS provider, one for each specific subdomain.

For example, a certificate covering example.com, *.example.com, and sub.example.com would require the following records.

_acme-challenge.example.com CNAME .example.com.<COPIED_VALIDATION_URL>._acme-challenge.sub.example.com CNAME sub.example.com.<COPIED_VALIDATION_URL>.

Remove previous TXT records

Existing TXT records for _acme-challenge will conflict with the delegated DCV CNAME record. Make sure to check and remove records such as the following:

_acme-challenge.example.com TXT <CERTIFICATE_VALIDATION_VALUE>

Once the CNAME records are in place, Cloudflare will add TXT DCV tokens for every hostname on the Advanced certificate that has a DCV delegation record in place, as long as the zone is active on Cloudflare.

Because DCV happens regularly, do not remove the CNAME record(s) at your authoritative DNS provider. Otherwise, Cloudflare will not be able to perform DCV on your behalf and your certificate will not be issued.

Further details

Testing

If you use a dig command to test, you should only be able see the placed tokens if the certificate is up for issuance.

This is because Cloudflare places the tokens when needed and then cleans them up.

$ dig TXT +noadditional +noquestion +nocomments +nocmd +nostats _acme-challenge.example.com. @1.1.1.1_acme-challenge.example.com. 3600    IN    CNAME    example.com.<COPIED_VALIDATION_URL>

Renewal

Currently, at certificate renewal, Cloudflare attempts to automatically perform DCV via HTTP if your certificate matches certain criteria:

Hostnames are proxied.
Hostnames on the certificate resolve to the IPs assigned to the zone.
The certificate does not contain wildcards.

Note that settings that interfere with the validation URLs can cause issues in this case. Refer to Troubleshooting for guidance.

Moved domains

If you move your zone to another account, you will need to update the CNAME record at your authoritative DNS provider with a new validation URL.

Delegated DCV

​​ Availability

​​ When to use

​​ Setup

​​ Further details

​​ Testing

​​ Renewal

​​ Moved domains