DNS Debugging

Introduction

Successful certificate issuance depends on correctly configured and consistent DNS records. Google Trust Services performs domain validation (DV) to verify control over a domain. Inconsistencies or misconfigurations in your DNS records can lead to validation failures.

Tools

We recommend using public tools to verify your DNS configuration from an external perspective:

  • Google Public DNS (Web Interface) - An easy way to check your DNS records as seen by Google's resolvers. Check for CAA records or TXT records used for ACME challenges.
  • dig Command Line - Use the dig tool to query Google Public DNS directly:
    dig @8.8.8.8 example.com CAA

Common Issues

CAA Records

Certificate Authority Authorization (CAA) records must permit pki.goog, the issuer domain name that Google Trust Services uses in CAA, to issue certificates for your domain. Use the tools above to verify your CAA records, including any set on a parent name, since a CAA lookup climbs from the requested name toward the root.

Global Availability (MPIC)

Google Trust Services performs validation from multiple global network perspectives (Multi-Perspective Issuance Corroboration, MPIC). Ensure that your DNS and web servers do not geo-block requests: if checks from some locations are blocked, validation can fail even though it succeeds from others.

Inconsistent Records

Ensure that your DNS records are consistent across all of your authoritative name servers. Validation may fail if different servers return different results.
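The following script, added here as an example and not part of the Google Trust Services tooling, turns the CAA and consistency checks above into dig-based functions: it climbs from the requested name toward the root to find the relevant CAA set, decides whether that set permits pki.goog for a non-wildcard certificate, and then asks every authoritative server the same CAA and ACME TXT question without recursion to spot inconsistent answers. It assumes dig is installed; the resolver address comes from the page, while example.com, the server names it discovers and the script name are placeholders.

```shell
#!/bin/sh
# Added example (not the page's own code): DNS checks for certificate issuance.
# Requires dig. Domain names below are placeholders.

RESOLVER="${RESOLVER:-8.8.8.8}"   # Google Public DNS, as used on the page

# caa_permits_issuer ISSUER
# Reads CAA record values in 'dig +short' form, e.g. 0 issue "pki.goog",
# one per line on stdin. Returns 0 if ISSUER may issue a non-wildcard
# certificate under RFC 8659: an empty set, or a set with no "issue" tag,
# permits any CA; otherwise some "issue" tag must name ISSUER.
caa_permits_issuer() {
  issuer=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  has_issue=0
  permitted=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    tag=$(printf '%s\n' "$line" | awk '{ print tolower($2) }')
    [ "$tag" = "issue" ] || continue
    has_issue=1
    # The value is quoted; the CA domain precedes any ";parameter=..." part.
    ca=$(printf '%s\n' "$line" | sed 's/^[^"]*"//; s/"$//' \
         | cut -d ';' -f1 | tr -d ' \t' | tr 'A-Z' 'a-z')
    if [ "$ca" = "$issuer" ]; then permitted=1; fi
  done
  if [ "$has_issue" -eq 0 ]; then return 0; fi
  [ "$permitted" -eq 1 ]
}

# same_answer_set A B
# A and B are two 'dig +short' outputs. Returns 0 if they hold the same
# records, ignoring order and blank lines.
same_answer_set() {
  a=$(printf '%s\n' "$1" | sed '/^$/d' | sort)
  b=$(printf '%s\n' "$2" | sed '/^$/d' | sort)
  [ "$a" = "$b" ]
}

# caa_record_set DOMAIN
# Prints the relevant CAA set by climbing from DOMAIN toward the root and
# stopping at the first non-empty answer (RFC 8659 section 3; CNAMEs are
# not followed here).
caa_record_set() {
  name="$1"
  while [ -n "$name" ]; do
    set=$(dig +short @"$RESOLVER" "$name" CAA)
    if [ -n "$set" ]; then printf '%s\n' "$set"; return 0; fi
    case "$name" in *.*) name="${name#*.}" ;; *) name="" ;; esac
  done
}

# check_consistency DOMAIN TYPE
# Finds the authoritative servers for DOMAIN's zone, asks each the same
# question without recursion, and reports any answer that differs from
# the first server's. Returns 1 if any server disagrees.
check_consistency() {
  domain="$1"; qtype="$2"; zone="$domain"; servers=""
  while [ -z "$servers" ] && [ -n "$zone" ]; do
    servers=$(dig +short @"$RESOLVER" "$zone" NS)
    if [ -z "$servers" ]; then
      case "$zone" in *.*) zone="${zone#*.}" ;; *) zone="" ;; esac
    fi
  done
  reference=""; refns=""; status=0
  for ns in $servers; do
    answer=$(dig +short +norecurse @"$ns" "$domain" "$qtype")
    if [ -z "$refns" ]; then reference="$answer"; refns="$ns"; fi
    if same_answer_set "$reference" "$answer"; then
      echo "$ns: consistent ($qtype for $domain)"
    else
      echo "$ns: DIFFERS from $refns ($qtype for $domain)"; status=1
    fi
  done
  return "$status"
}

# Usage: sh dnscheck.sh example.com   (placeholder script and domain names)
if [ -n "${1:-}" ]; then
  domain="$1"
  echo "== CAA for $domain (as seen by $RESOLVER) =="
  if caa_record_set "$domain" | caa_permits_issuer pki.goog; then
    echo "CAA permits pki.goog"
  else
    echo "CAA does NOT permit pki.goog"
  fi
  echo "== Answer consistency across authoritative servers =="
  check_consistency "$domain" CAA
  check_consistency "_acme-challenge.$domain" TXT
fi
```

Run it with the domain you are validating; a "DIFFERS" line points at a name server that is serving stale or different data, which is exactly the case that makes validation fail intermittently. The script cannot reproduce the multi-perspective checks, since it queries from one vantage point; for that, repeat the dig queries from hosts in other regions or from the public web interface mentioned above.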