Yes, proving ownership of the domain can be done by asking to change the content of the zone, be it by a CNAME record or a TXT record. CAs typically ask for things like that before validating the request to generate a certificate (this is called "DNS validation").
A single change (with some "random" token) in the zone should be enough to prove ownership. What each provider does is then its own business policy. But from the content you quote, the changes asked for are both to verify ownership (first record) and then (www and @ records) just to really install the site on their infrastructure. So basically they are asking their clients to do both steps at once so that they have to change the content of the zone only once.
The CNAME can be viewed, like any DNS record, by just querying for it. If you had given the real name, people could have shown it to you, but as a generic answer: dig 9aa5s43zpykpn.example.com CNAME will show you if there is a CNAME record or not for that name (and if there is, it will show the target).
The specific value could be random, or a hash between known parts (the domain name being verified) and some secret local string.
This is not standardized, but many providers do DNS validations like that. To see the closest thing to a standard you can use documents from the CA world:
- https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.6.pdf section "3.2.2.4.7 DNS Change": "Confirming the Applicant's control over the FQDN by confirming the presence of a Random Value or Request Token for either in a DNS CNAME, TXT or CAA record"
- the ACME protocol at https://www.rfc-editor.org/rfc/rfc8555 section 8.4 DNS Challenge: "When the identifier being validated is a domain name, the client can prove control of that domain by provisioning a TXT resource record containing a designated value for a specific validation domain name."
PS: contrary to the first sentence, there is a slight gap between the fact of "owning the domain" and "being able to change the content of the zone". The DNS provider for the domain can change the content of the zone, so that is not fully aligned with the "owner of the domain", as displayed in whois or RDAP for example. For current operational needs, everyone just agrees that we can forget about this gap (which could of course be used for tailored attacks).
Answer from Patrick Mevzek on Stack Exchange
Hi all,
I'm trying to get a basic website set up for a new business. I registered a domain with whois.com (maybe my first error?) and connected it to MS365 for email. That works great. Then, I built a website in Squarespace, but I'm having trouble getting SS to verify that I own the domain.
I've added all the required CNAME and A records through the whois DNS manager, but Squarespace does not recognize them. Also, DNSchecker.org does not show any CNAME or A records at all. I don't understand that, as I had added a CNAME as part of the MS365 connection, and that worked.
Since the MS365 connection required me to change the nameservers, I also tried to check the MS365 Admin panel, but it doesn't appear that I can add any additional CNAME records there.
I'm at a loss for what to do. Any pointers as to what to try next? Thanks in advance for your help.
I had the same problem, and I had meaningless error messages in Squarespace (they didn't give any clue what was wrong). After many tests I managed to find the right combination.
NOTE: I think this was my biggest discovery: DO NOT click on the AWS copy button; when you paste it into Squarespace it will tell you that the domain is invalid and a couple of other things. Copy the data manually (Ctrl+C).
Requested domain name in AWS: xxxyyy.com
Squarespace Host: put the AWS CNAME Name without the domain at the end and without any period at the end.
Squarespace Data: put the AWS CNAME Value without the period at the end.
It should be validated within the next 5 minutes.
I've also set up a Hosted Zone through Route 53 as described in this video: https://www.youtube.com/watch?v=ookzXuMr8eY&ab_channel=EndreSynnes, though I'm unsure of how to supply the "Value/Route traffic to" values to Squarespace.
You shouldn't have done that at all. You are using Squarespace as your DNS server. Setting up another DNS server on AWS isn't going to solve anything. Forget about Route53.
All you need to do is go into the ACM domain validation, and find the two DNS records it is asking you to create in order to verify you own the domain. Then go over to your Squarespace DNS settings, and add those two DNS records. After that, the ACM service should soon detect that you have created the records and then it will issue you the SSL certificate.
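A small checker for what the answers above describe: it parses a dig answer into CNAME targets, compares them with the expected validation record ignoring case and trailing dots, and derives the Host/Data fields Squarespace wants from the ACM Name/Value. This is an added example, not code from any of the posts; the ACM names and the dig output below are constructed placeholders, not real validation tokens.

```python
"""Check a DNS-validation CNAME (as ACM or a CA asks for) against what the zone
serves, and derive the Host/Data fields a zone editor such as Squarespace expects.
Added example; ACM names/values below are constructed placeholders."""
import re


def strip_dot(name: str) -> str:
    """Canonical form of a DNS name: lowercase, no trailing dot."""
    return name.strip().lower().rstrip(".")


def split_fields(acm_name: str, acm_value: str, domain: str) -> tuple[str, str]:
    """Turn the CNAME Name/Value ACM shows into the relative Host and the Data
    a zone editor wants: Host is the label(s) left of the domain, Data is the
    target with no trailing period (the gotcha in the answer above)."""
    name, dom = strip_dot(acm_name), strip_dot(domain)
    if not name.endswith("." + dom):
        raise ValueError(f"{acm_name!r} is not under {domain!r}")
    host = name[: -len(dom) - 1]
    return host, strip_dot(acm_value)


CNAME_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)$")


def cname_targets(dig_output: str) -> dict[str, str]:
    """Parse CNAME lines from a dig answer section into {owner: target}."""
    out = {}
    for line in dig_output.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            out[strip_dot(m.group(1))] = strip_dot(m.group(2))
    return out


def validation_present(dig_output: str, acm_name: str, acm_value: str) -> bool:
    """True when the zone serves the expected CNAME, regardless of case or
    trailing dots on either side."""
    return cname_targets(dig_output).get(strip_dot(acm_name)) == strip_dot(acm_value)


# Constructed sample: what ACM might show and what `dig <name> CNAME` might return.
ACM_NAME = "_1234abcd.xxxyyy.com."
ACM_VALUE = "_5678efgh.acm-validations.aws."
DIG_ANSWER = """;; ANSWER SECTION:
_1234abcd.xxxyyy.com.\t300\tIN\tCNAME\t_5678efgh.acm-validations.aws.
"""

if __name__ == "__main__":
    print(split_fields(ACM_NAME, ACM_VALUE, "xxxyyy.com"))
    print(validation_present(DIG_ANSWER, ACM_NAME, ACM_VALUE))
```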