Delegated DCV allows zones with partial DNS setups - meaning authoritative DNS is not provided by Cloudflare - to delegate the DCV process to Cloudflare.
DCV Delegation requires you to place a one-time record that allows Cloudflare to auto-renew all future certificate orders, so that there’s no manual intervention at the time of the renewal.
Included with Advanced Certificate Manager.
When to use
You should use Delegated DCV when all of the following conditions are true:
- Your zone is using a partial DNS setup.
- Cloudflare is not already performing DCV automatically.
- Your zone is using an Advanced certificate.
- Your zone is not using multiple CDN providers.
- The Certificate Authority is either Google or Let’s Encrypt.
To set up Delegated DCV:
- Order an advanced certificate for your zone. You can choose any Certificate validation method.
- On SSL/TLS > Edge Certificates, go to DCV Delegation for Partial Zones.
- Copy the hostname value.
- At your authoritative DNS provider, create a CNAME record:
    _acme-challenge.example.com CNAME example.com.<COPIED_HOSTNAME>.
Once this is complete, Cloudflare will add TXT DCV tokens for every hostname on the Advanced certificate, as long as the zone is active on Cloudflare.
Because DCV happens regularly, do not remove this CNAME record at your authoritative DNS provider. Otherwise, Cloudflare will not be able to perform DCV on your behalf and your certificate will not be issued.
If your certificate covers wildcard hostnames, any subdomains are covered by the single CNAME record added for your zone apex.
However, if your certificate covers subdomains specified by their name, you will need to add multiple CNAME records to your authoritative DNS provider.
For example, a certificate covering sub.example.com would require the following records.
    _acme-challenge.example.com CNAME example.com.<COPIED_HOSTNAME>.
    _acme-challenge.sub.example.com CNAME sub.example.com.<COPIED_HOSTNAME>.
If you move your zone to another account, you will need to update the CNAME record at your authoritative DNS provider with a new hostname value.
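An added example (not Cloudflare's code) that derives the `_acme-challenge` CNAME records a certificate's hostnames require and audits them against an exported zone, flagging missing records and targets left stale after an account move. The function names, `copied-hostname.invalid` and the sample zone are constructed assumptions, and owner names in the export are assumed to be fully qualified.

```python
# Added example. COPIED_HOSTNAME and SAMPLE_ZONE are constructed placeholders.
COPIED_HOSTNAME = "copied-hostname.invalid"
CERT_HOSTNAMES = ["example.com", "*.example.com", "api.example.com", "sub.example.com"]
SAMPLE_ZONE = """\
; export from the authoritative DNS provider (constructed)
_acme-challenge.example.com.     300 IN CNAME example.com.copied-hostname.invalid.
_acme-challenge.api.example.com. 300 IN CNAME api.example.com.old-hostname.invalid.
"""

def fqdn(name):
    """Normalise a DNS name to lower case with one trailing dot."""
    return name.strip().lower().rstrip(".") + "."

def required_cnames(cert_hostnames, copied_hostname):
    """Return {owner: target} for every delegation record the certificate needs."""
    records = {}
    for host in cert_hostnames:
        name = fqdn(host)
        if name.startswith("*."):
            # A wildcard is validated at its parent name, so it shares that record.
            name = name[2:]
        records["_acme-challenge." + name] = name + fqdn(copied_hostname)
    return records

def parse_cnames(zone_text):
    """Read 'owner [ttl] [IN] CNAME target' lines; owners are assumed fully qualified."""
    found = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        types = [f.upper() for f in fields]
        if "CNAME" in types[1:-1]:
            target = fields[types.index("CNAME", 1) + 1]
            found[fqdn(fields[0])] = fqdn(target)
    return found

def audit(cert_hostnames, copied_hostname, zone_text):
    """Return {owner: (problem, expected_target)} for records that need action."""
    present = parse_cnames(zone_text)
    problems = {}
    for owner, target in required_cnames(cert_hostnames, copied_hostname).items():
        if owner not in present:
            problems[owner] = ("missing", target)
        elif present[owner] != target:
            problems[owner] = ("wrong target", target)
    return problems

if __name__ == "__main__":
    for owner, (problem, target) in audit(CERT_HOSTNAMES, COPIED_HOSTNAME, SAMPLE_ZONE).items():
        print(f"{problem}: {owner} CNAME {target}")
```

Running the audit before each renewal window catches a removed or outdated delegation record while there is still time to fix it.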