Domain Control Validation (DCV) records can silently disappear from DNS, and the validations they back eventually expire; either way, the next certificate renewal fails. DigiCert warns in its portal about expiring validations, but there is no built-in way to verify that the DNS records those validations depend on are actually still present and correct.
The Problem
DigiCert domain validations expire after 397 days (approximately 13 months). When domains are validated using the DNS TXT method, a specific token must exist in your DNS at _dnsauth.[yourdomain]. The challenge is:
- You can't see these tokens easily - They're buried in DigiCert's API
- DNS records can be accidentally deleted - During DNS migrations or cleanup
- Validation expiry warnings don't check DNS - DigiCert warns you it's expiring, but not if the DNS record is missing
- Failed renewals happen at the worst time - Usually when a certificate is about to expire
I needed a way to programmatically check all my DigiCert domains and verify that the DNS TXT records matched what DigiCert expected.
Understanding DCV DNS Records
When you validate a domain using DNS TXT with DigiCert, you create a record like this:
Host: _dnsauth.croucher.cloud
Type: TXT
Value: fdy6m0wy5lq063sz4h0r6qmdt722gyfc
TTL: 3600
This token proves you control the domain. DigiCert checks for this record during validation, and it needs to remain in place for the validation to stay active.
Extracting DCV Tokens via API
DigiCert's API provides access to these tokens through the domain details endpoint:
# Get domain details including DCV information.
# Note the braces in ${domainId}: PowerShell allows '?' inside a variable name,
# so "$domainId?include_dcv=true" would be read as one (empty) variable and the
# request would go to .../domain/=true&include_validation=true
$domainDetails = Invoke-RestMethod `
    -Uri "https://certcentral.digicert.eu/services/v2/domain/${domainId}?include_dcv=true&include_validation=true" `
    -Headers @{
        'X-DC-DEVKEY'  = $apiKey   # CertCentral API key, loaded from a secret store or environment variable, never hard-coded
        'Content-Type' = 'application/json'
    } `
    -Method Get
The critical part is include_dcv=true in the query string: without it the API omits the dcv_token object entirely. The base URL shown is the EU CertCentral instance; accounts on the global instance use https://www.digicert.com/services/v2 with the same paths.
The response structure contains:
{
"id": 179376,
"name": "croucher.cloud",
"status": "active",
"dcv_method": "dns-txt-token",
"dcv_token": {
"token": "fdy6m0wy5lq063sz4h0r6qmdt722gyfc",
"status": "active",
"expiration_date": "2025-08-22T20:21:10+00:00"
},
"dcv_expiration_datetime": "2026-11-15T00:00:00+00:00"
}
Two different dates appear here. dcv_token.expiration_date is the expiry of the token object itself, while dcv_expiration_datetime is when the completed domain validation stops being reusable for issuance; the latter is the one that matters for renewals and the one the script checks.
Querying Live DNS Records
With the expected token from DigiCert, I needed to query the actual DNS record to see whether it matched. I used PowerShell's Resolve-DnsName cmdlet (part of the Windows DnsClient module) with Google's public DNS (8.8.8.8) for consistent results:
function Get-DnsTxtRecord {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$RecordName = "_dnsauth"
    )
    $fullDnsName = "$RecordName.$Domain"
    # Ask a public resolver rather than the local one so split-horizon internal DNS
    # or a stale local cache cannot hide the real answer
    $dnsResults = Resolve-DnsName -Name $fullDnsName -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue
    if ($dnsResults) {
        # Keep only TXT answers (a CNAME can appear first in the answer set) and
        # rejoin the 255-byte string chunks that long TXT values are split into
        $txtRecords = $dnsResults | Where-Object { $_.Type -eq "TXT" } | ForEach-Object {
            $_.Strings -join ""
        }
        return $txtRecords
    }
    else {
        # NXDOMAIN or NODATA: there is no record at all
        return $null
    }
}
Using an external resolver like Google's means I'm checking what the public internet sees, rather than a stale internal cache or a split-horizon view. One caveat: 8.8.8.8 is still a cache. After you add or fix a record it can keep returning the old answer until the TTL runs out, and DigiCert performs its own lookup, so the strictest check is to query the zone's authoritative nameservers directly.
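The following is an added example and not code from the original post. It resolves the _dnsauth record at the zone's authoritative nameservers instead of at a recursive resolver, which is what matters right after a record has been fixed or deleted and 8.8.8.8 is still serving its cached answer. It walks up the name to find the enclosing zone (for api.croucher.cloud the NS records normally live at croucher.cloud), queries every listed nameserver, and reports disagreement between them. It assumes Windows with the DnsClient module, since Resolve-DnsName does not exist on Linux or macOS; the function and variable names are my own.

```powershell
# Added example (not the original post's script). Requires Resolve-DnsName,
# i.e. Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Get-AuthoritativeTxtRecord {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$RecordName = '_dnsauth',
        [string]$Bootstrap  = '8.8.8.8'     # only used to discover the NS set, never for the TXT answer
    )

    $fqdn = "$RecordName.$Domain"

    # Walk up the name until a label set has NS records: api.croucher.cloud is
    # normally not its own zone, so the delegation lives at croucher.cloud.
    $zone = $Domain
    $nameServers = @()
    while ($zone.Contains('.')) {
        $nameServers = @(Resolve-DnsName -Name $zone -Type NS -Server $Bootstrap -ErrorAction SilentlyContinue |
                         Where-Object { $_.Type -eq 'NS' } |
                         Select-Object -ExpandProperty NameHost)
        if ($nameServers.Count -gt 0) { break }
        $zone = $zone.Substring($zone.IndexOf('.') + 1)
    }
    if ($nameServers.Count -eq 0) { return $null }

    # Ask each authoritative server separately. Servers that disagree usually
    # mean a DNS migration or zone change that has only half landed.
    foreach ($server in $nameServers) {
        $values = @(Resolve-DnsName -Name $fqdn -Type TXT -Server $server -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'TXT' } |
                    ForEach-Object { ($_.Strings -join '').Trim() })   # TXT data over 255 bytes arrives as several strings
        [pscustomobject]@{
            Zone   = $zone
            Server = $server
            Values = $values
        }
    }
}

function Test-DcvTokenAuthoritative {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$ExpectedToken    # dcv_token.token from the DigiCert API
    )
    $lookups = Get-AuthoritativeTxtRecord -Domain $Domain
    if (-not $lookups) { return 'NO NAMESERVERS FOUND' }

    $states = foreach ($l in $lookups) {
        if     ($l.Values -contains $ExpectedToken) { 'MATCH' }
        elseif ($l.Values.Count -gt 0)              { 'MISMATCH' }
        else                                         { 'NOT FOUND' }
    }
    $distinct = @($states | Sort-Object -Unique)
    # Only a state that every authoritative server agrees on is worth trusting
    if ($distinct.Count -eq 1) { return $distinct[0] }
    return "INCONSISTENT ($($states -join ', '))"
}

# Usage, with the token from the post's API response:
# Test-DcvTokenAuthoritative -Domain 'croucher.cloud' -ExpectedToken 'fdy6m0wy5lq063sz4h0r6qmdt722gyfc'
```

The bootstrap resolver is only used to learn the NS set for the zone; the TXT answer itself always comes from an authoritative server, so a cached value at 8.8.8.8 cannot produce a false MATCH or a false NOT FOUND. An INCONSISTENT result is worth treating as a failure, because DigiCert may hit whichever server is still serving the old data.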
Comparing Tokens
The comparison logic is straightforward - check if the DNS record matches the expected token:
$dnsRecords = Get-DnsTxtRecord -Domain $domainName -RecordName "_dnsauth"
$matchFound = $false
foreach ($record in $dnsRecords) {
    # -eq is case-insensitive in PowerShell; use -ceq for an exact, case-sensitive comparison
    if ($record -eq $ExpectedToken) {
        $matchFound = $true
        break
    }
}
This handles cases where multiple TXT records might exist at the same DNS name, checking each one for a match.
Visual Output
The script provides color-coded output for quick assessment:
========================================
DCV TOKEN VALIDATION RESULTS
========================================
Domain: croucher.cloud
Status: active | DCV Method: dns-txt-token | DCV Expires: 2026-11-15
Expected Token: fdy6m0wy5lq063sz4h0r6qmdt722gyfc
DNS TXT Value: fdy6m0wy5lq063sz4h0r6qmdt722gyfc
Validation: MATCH
Domain: bythepowerofgreyskull.con ⚠ EXPIRING SOON!
Status: active | DCV Method: dns-txt-token | DCV Expires: 2025-12-28
Expected Token: abc123xyz456token789012345
DNS TXT Value: wrongtoken999888777666555
Validation: MISMATCH
Domain: api.croucher.cloud
Status: active | DCV Method: dns-txt-token | DCV Expires: 2026-03-15
Expected Token: token567890abcdef123456789
DNS TXT Value: NOT FOUND
Validation: NOT FOUND
========================================
SUMMARY
========================================
Total Domains: 16
Domains with DCV Tokens: 3
DCV Expiring Soon: 1
Matching Records: 1
Mismatched Records: 1
Records Not Found: 1
Results exported to: C:\Scripts\dcv_validation_results.csv
⚠ WARNING: 1 domain(s) have DCV expiring soon!
These domains will need revalidation.
You can generate new tokens to refresh the validation.
Identifying Expiring Validations
The script also checks if validations are expiring within 30 days:
if ($dcvExpirationDate) {
    try {
        # dcv_expiration_datetime is ISO 8601 with a UTC offset; Parse handles that
        $expDate = [DateTime]::Parse($dcvExpirationDate)
        $daysUntilExpiry = ($expDate - (Get-Date)).Days
        # Flag anything inside the 30-day window
        if ($daysUntilExpiry -le 30 -and $daysUntilExpiry -ge 0) {
            $isExpiring = $true
            $expiringCount++
        }
    }
    catch {
        # Unparseable date: leave the domain unflagged rather than abort the whole run
    }
}
Domains with expiring validations are flagged with ⚠ in the output so I can prioritise which ones need attention. Note that the -ge 0 bound deliberately excludes validations that have already lapsed; those are the ones whose renewals are already broken, so if you want them surfaced as well, drop the lower bound and report negative day counts separately.
CSV Export for Tracking
All results are exported to a CSV file for historical tracking and reporting:
DomainName,DomainStatus,DcvMethod,DcvExpiring,DcvExpirationDate,ExpectedToken,TokenStatus,TokenExpiration,DnsRecordFound,DnsTxtValue,ValidationResult
croucher.cloud,active,dns-txt-token,False,2026-11-15T00:00:00+00:00,fdy6m0wy5lq063sz4h0r6qmdt722gyfc,active,2025-08-22 20:21:10,True,fdy6m0wy5lq063sz4h0r6qmdt722gyfc,MATCH
bythepowerofgreyskull.con,active,dns-txt-token,True,2025-12-28T00:00:00+00:00,abc123xyz456token789012345,active,2025-11-30 14:30:00,True,wrongtoken999888777666555,MISMATCH
api.croucher.cloud,active,dns-txt-token,False,2026-03-15T00:00:00+00:00,token567890abcdef123456789,active,2025-09-10 08:15:00,False,NOT FOUND,NOT FOUND
This CSV can be imported into monitoring systems or used for compliance reporting.
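An added end-to-end example, not the post's own script, that ties the previous steps together: it enumerates domains, fetches each one with include_dcv=true, resolves the _dnsauth TXT record at a public resolver as the post does, flags validations expiring within 30 days (and, unlike the 0-to-30-day check in the post, ones that have already lapsed), and writes the CSV. Assumptions, also marked in the code: the API key comes from an environment variable rather than the script; the EU base URL from the post; and that GET /domain returns a domains array of objects with id and name, paged with limit and offset. Only GET requests are issued.

```powershell
# Added example (not the original post's script): end-to-end, read-only DCV audit.
# Assumptions are marked ASSUMPTION. Requires Resolve-DnsName (Windows).

$Base              = 'https://certcentral.digicert.eu/services/v2'   # EU instance, as in the post
$ApiKey            = $env:DIGICERT_API_KEY                            # never hard-code the key
$ExpiryWarningDays = 30
$Resolver          = '8.8.8.8'
$CsvPath           = '.\dcv_validation_results.csv'

if (-not $ApiKey) { throw 'Set DIGICERT_API_KEY before running this audit.' }
$Headers = @{ 'X-DC-DEVKEY' = $ApiKey; 'Content-Type' = 'application/json' }

function Invoke-DigiCertGet([string]$Path) {
    # GET only: the audit has no code path that can change anything in CertCentral.
    Invoke-RestMethod -Uri "$Base/$Path" -Headers $Headers -Method Get
}

function Get-AllDomains {
    # ASSUMPTION: GET /domain returns { domains: [ {id, name, ...} ] } and pages with limit/offset.
    $limit = 100; $offset = 0
    do {
        $page  = Invoke-DigiCertGet "domain?limit=$limit&offset=$offset"
        $batch = @($page.domains)
        $batch
        $offset += $limit
    } while ($batch.Count -eq $limit)
}

function Get-DnsTxtValues([string]$Name) {
    @(Resolve-DnsName -Name $Name -Type TXT -Server $Resolver -ErrorAction SilentlyContinue |
      Where-Object { $_.Type -eq 'TXT' } |
      ForEach-Object { ($_.Strings -join '').Trim() })
}

function Test-DcvDomain($Domain) {
    # include_dcv=true is required or dcv_token is omitted. $(...) keeps the '?' out of the variable name.
    $d = Invoke-DigiCertGet "domain/$($Domain.id)?include_dcv=true&include_validation=true"

    $expected = $d.dcv_token.token
    $daysLeft = $null
    if ($d.dcv_expiration_datetime) {
        $expires  = [DateTimeOffset]::Parse($d.dcv_expiration_datetime)
        $daysLeft = [int][math]::Floor(($expires - [DateTimeOffset]::UtcNow).TotalDays)
    }

    $found  = @()
    $result = 'N/A'                      # not validated, or not validated by DNS TXT
    if ($d.dcv_method -eq 'dns-txt-token' -and $expected) {
        $found  = Get-DnsTxtValues "_dnsauth.$($d.name)"
        $result = if ($found -contains $expected) { 'MATCH' }
                  elseif ($found.Count -gt 0)     { 'MISMATCH' }
                  else                            { 'NOT FOUND' }
    }
    $txtDisplay = if ($found.Count -gt 0) { $found -join ' | ' } else { 'NOT FOUND' }

    [pscustomobject]@{
        DomainName        = $d.name
        DomainStatus      = $d.status
        DcvMethod         = $d.dcv_method
        DcvExpirationDate = $d.dcv_expiration_datetime
        DaysUntilExpiry   = $daysLeft
        # Negative values (already lapsed) are flagged too, not only the 0..30 day window
        DcvExpiring       = ($null -ne $daysLeft -and $daysLeft -le $ExpiryWarningDays)
        ExpectedToken     = $expected
        DnsTxtValue       = $txtDisplay
        ValidationResult  = $result
    }
}

$results = @(foreach ($domain in Get-AllDomains) { Test-DcvDomain $domain })
$results | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
$results | Sort-Object DaysUntilExpiry | Format-Table DomainName, ValidationResult, DaysUntilExpiry, DcvExpiring -AutoSize

$needsAttention = @($results | Where-Object { ($_.ValidationResult -in 'MISMATCH', 'NOT FOUND') -or $_.DcvExpiring })
if ($needsAttention.Count -gt 0) {
    Write-Warning "$($needsAttention.Count) domain(s) need attention; details in $CsvPath"
    exit 1     # non-zero so a scheduled task or CI job can alert on it
}
```

The non-zero exit code is what turns this from a report into a monitor: schedule it and alert on the exit status, and the CSV becomes the evidence rather than the only signal. Domains validated by a method other than DNS TXT, or not yet validated at all, come out as N/A rather than NOT FOUND so they are not mistaken for broken records.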
Handling Different Scenarios
The script handles several common scenarios:
Scenario 1: Perfect Match (Green)
Domain has correct DCV token in DNS - validation will work when needed.
Scenario 2: Mismatch (Red)
DNS has a TXT record at _dnsauth but it's not the correct token. This typically happens when:
- DNS was restored from an old backup
- Token was manually updated in DNS but not in DigiCert
- Multiple _dnsauth records exist (for example, left over from another account or an earlier validation) and none of them is the current token
Scenario 3: Not Found (Yellow)
No _dnsauth TXT record exists. This is the most critical failure: the next revalidation, and any renewal that depends on it, will fail until the record is put back.
Scenario 4: Expiring Warning
Domain validation is expiring within 30 days. Even if DNS is correct now, action is needed soon.
Read-Only Operation
It's important to note that this script is completely read-only:
function Invoke-DigiCertApi {
    param([string]$Endpoint)
    # $headers holds the X-DC-DEVKEY header built earlier in the script
    $uri = "https://certcentral.digicert.eu/services/v2/$Endpoint"
    # Always uses Method Get - the script has no code path that can modify anything
    $response = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    return $response
}
The script never calls any POST, PUT, or DELETE endpoints. It only:
- Reads domain information from DigiCert
- Queries DNS records
- Compares and reports results
Read-only applies to the script, not to the credential it holds: a CertCentral API key carries whatever permissions its owning user has, so keep it in a secret store or environment variable rather than in the script file, and treat the machine that runs the check accordingly.
Solving the DCV Failure Problem
When the script identifies mismatches or missing records, the solution depends on the scenario:
If DNS is wrong but DigiCert token is valid:
- Update the DNS TXT record to match DigiCert's expected value
- Wait for DNS propagation (typically 5-60 minutes)
- Re-run validation check to confirm
If validation is expiring soon:
- Generate a new DCV token in DigiCert (this resets the 397-day clock)
- Update DNS with the new token
- Complete the validation to refresh the expiry date
If DNS is correct but validation failed previously:
- Use DigiCert's "Check DCV" function to re-validate
- Verification usually completes within minutes
The Value of Proactive Monitoring
Before implementing this check, I experienced several certificate renewal failures due to missing or incorrect DCV records. These failures were always discovered at the worst possible time - when certificates were about to expire and urgent action was needed.
With automated DCV record validation, I now:
- Identify issues weeks in advance - Before they cause outages
- Track validation expiry proactively - No surprises when renewals are due
- Maintain DNS hygiene - Catch accidental deletions immediately
- Document validation state - CSV exports provide audit trails
The script provides visibility into an often-overlooked aspect of certificate management, turning reactive firefighting into proactive maintenance.
Conclusion
DigiCert's domain validation system works well, but the disconnect between their API, DNS records, and expiration warnings creates a monitoring gap. By programmatically checking that DNS records match DigiCert's expectations, I've eliminated a significant source of certificate renewal failures.
The read-only nature of the script makes it safe to run frequently, and the color-coded output makes it easy to spot problems at a glance. For anyone managing multiple domains with DigiCert, having visibility into DCV record validity.