DCV Provisioners

Description

A DCV Provisioner is the connection to the DNS infrastructure where validation challenges are published. When the Provider issues a challenge token for a domain, the Provisioner writes it into the appropriate DNS zone so the CA can look it up and confirm domain control.

A single Provisioner can be reused across multiple DCV Policies.

Common Prerequisites

All provisioner types require:

  • Credentials: Authentication to the DNS provider API (varies by type: API token, login/password, or IAM role).

  • Permissions: The credentials must allow creating and deleting TXT records in the target DNS zones.

Advanced Concepts

Zone ID Mappings

DNS providers organize domains into zones, each identified by a unique zone ID in their API. When publishing a challenge, the Provisioner automatically deduces the correct zone from the domain name. This automatic resolution requires the configured credentials to have permission to list zones on the DNS provider.

Zone ID mappings override this automatic resolution for specific domains. Each mapping is a pair: a zone ID and a regex pattern matching the domain names that belong to that zone. If a domain matches a configured mapping, that zone ID is used directly and no zone listing call is made.

Configure zone ID mappings in two situations:

  • Automatic resolution produces incorrect results — for example, when a domain lives in a zone that does not align with its TLD.

  • The configured credentials must not have zone listing permissions — explicitly mapping zone IDs removes the need for that permission entirely.

If a domain name matches more than one zone ID mapping regex, the validation fails with an error. Ensure mapping patterns are mutually exclusive.
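The resolution order described above, as an added illustration in Python (not Horizon's own code): explicit mappings are tried first, more than one match is a configuration error, and only when nothing matches is the provider's zone list consulted. It assumes mapping regexes are matched against the whole domain name and that `list_zones` stands in for the provider's zone-listing API call.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence


@dataclass(frozen=True)
class ZoneMapping:
    zone_id: str
    pattern: str  # regex; assumed here to be matched against the whole domain name


class AmbiguousZoneMapping(Exception):
    """Raised when a domain matches more than one mapping regex."""


def resolve_zone_id(domain: str, mappings: Sequence[ZoneMapping],
                    list_zones: Optional[Callable[[], Dict[str, str]]] = None) -> str:
    """Return the zone ID the challenge record for `domain` is written to.

    1. Explicit mappings win; two or more matching mappings is an error.
    2. Otherwise fall back to automatic resolution: list the provider's zones
       (requires the listing permission) and pick the longest zone name that
       is a suffix of the domain.
    `list_zones` is None when the credentials cannot list zones.
    """
    name = domain.rstrip(".").lower()
    matched = [m.zone_id for m in mappings if re.fullmatch(m.pattern, name)]
    if len(matched) > 1:
        raise AmbiguousZoneMapping(f"{name} matches {matched}; patterns must be mutually exclusive")
    if matched:
        return matched[0]
    if list_zones is None:
        raise PermissionError(f"no mapping for {name} and credentials cannot list zones")
    zones = list_zones()  # zone name -> zone ID
    candidates = [(z, zid) for z, zid in zones.items() if name == z or name.endswith("." + z)]
    if not candidates:
        raise LookupError(f"no zone found for {name}")
    return max(candidates, key=lambda c: len(c[0]))[1]


# Constructed sample configuration; zone IDs and names are placeholders.
MAPPINGS = [
    ZoneMapping("zone-corp", r"(.*\.)?corp\.example\.net"),  # zone not aligned with its TLD
    ZoneMapping("zone-lab", r"(.*\.)?lab\.example\.org"),
]
SAMPLE_ZONES = {"example.com": "zone-ex", "sub.example.com": "zone-sub"}


def sample_list_zones() -> Dict[str, str]:
    """Stand-in for the DNS provider's zone-listing call."""
    return dict(SAMPLE_ZONES)
```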

Delegation Zone

A delegation zone is a DNS subdomain that has been delegated to a separate, dedicated set of nameservers, typically a specialized DCV validation system isolated from the organization’s main DNS zones.

When configured, instead of publishing the challenge record directly into the domain’s authoritative zone, the Provisioner writes it into the delegated zone. This is transparent to the CA: it follows the delegation and finds the challenge record normally.

This offers two practical benefits:

  • Security: the Provisioner only needs credentials for the dedicated delegated zone, not the organization’s main DNS infrastructure. This limits the blast radius if credentials are compromised.

  • Isolation: teams using shared or managed DNS services can still perform DCV without requiring API access to their primary zones.

Setting up a delegation zone requires a one-time DNS configuration outside of Horizon: create the delegated subdomain, assign it its own nameservers, and add a CNAME record in the domain’s authoritative zone pointing the challenge lookup to the delegated zone.