What Is CNAME Delegation?

A conceptual overview of CNAME delegation: what it is, how QuietLS uses it, and why it matters.

What Is a CNAME Record?

A CNAME (Canonical Name) record is a type of DNS record that maps one domain name to another. When a DNS resolver encounters a CNAME, it follows the alias and resolves the target name instead.

Example:

blog.example.com.   CNAME   example.github.io.

In this example, a lookup of blog.example.com is answered by resolving example.github.io instead. This is not an HTTP redirect; the substitution happens entirely at the DNS level, before any connection is made.

What Is CNAME Delegation?

CNAME delegation is the practice of pointing a specific subdomain to a third-party service via a CNAME record, effectively delegating control of that name to the service.

The key idea: you create the CNAME once, and from that point on the third-party service controls what that subdomain resolves to — without you needing to make further DNS changes.

This pattern is widely used for:

  • Domain verification (proving ownership to a service)
  • SSL certificate validation (ACME DNS-01 challenges)
  • Email authentication (DKIM selector records pointed at a mail provider)
  • CDN configuration

How QuietLS Uses CNAME Delegation

QuietLS uses CNAME delegation to verify that you own your domain. When you add a domain, QuietLS asks you to create a single CNAME record:

_pki-validation.example.com.   CNAME   <token>.verification.quietls.com.

Here's what each part means:

_pki-validation.example.com: A subdomain under your domain. The _pki-validation prefix is a convention that signals "this name is used for PKI (Public Key Infrastructure) validation." It does not affect your website, email, or any other services.

<token>.verification.quietls.com: The target, hosted on QuietLS infrastructure. The token is a unique identifier generated from your account and domain name.

What Happens During Verification

  1. You create the CNAME record in your DNS provider.
  2. QuietLS queries public DNS servers (Google 8.8.8.8 and Cloudflare 1.1.1.1) for a CNAME record at _pki-validation.example.com.
  3. If the CNAME target returned equals <token>.verification.quietls.com for the token expected for your account, ownership is confirmed. DNS names compare case-insensitively and a trailing dot only marks an absolute name, so differences in letter case or a missing trailing dot do not cause a mismatch.

Why CNAME Delegation?

One-time setup

You add the CNAME record once. After that, QuietLS can verify your domain at any time without requiring you to log in to your DNS provider again.

No ongoing manual steps

Unlike file-based verification (uploading a file to your web server) or email-based verification, DNS CNAME delegation doesn't depend on your server being reachable or a specific email address existing.

Non-intrusive

A name that carries a CNAME cannot hold any other record type, which is why the record lives under the dedicated _pki-validation label rather than at example.com itself. That subdomain is a namespace of its own: it doesn't interfere with your website, email, or any other DNS records, and it's invisible to your users.

Works for all domain types

CNAME delegation works the same way for single domains (example.com), subdomains (app.example.com), and wildcard domains (*.example.com).

Security Model

Unique token per user and domain

The verification token is derived from a combination of your user account ID and the domain name:

token = sha256(userId + ":" + domain)[0..32]

This means:

  • Every user gets a different token for the same domain.
  • Every domain gets a different token for the same user.
  • The token is deterministic — adding the same domain again produces the same token (no need to update DNS).
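As an added worked example (not QuietLS code), here is the token derivation from the formula above together with the three steps from "What Happens During Verification" in one runnable Python script. The public resolvers are replaced by a stand-in built from a constructed CNAME table so it runs offline. The hex encoding of the digest, the lowercasing of the domain before hashing, the placement of a wildcard entry's record at its base name, and the rule that both resolvers must agree are assumptions, not statements from the page.

```python
import hashlib
from typing import Callable, Optional

# Assumptions, since the page does not spell them out:
# - "[0..32]" means the first 32 hex characters of the SHA-256 digest;
# - userId and domain are joined as UTF-8 text with a single ":";
# - the domain is lowercased and any trailing dot removed before hashing;
# - for a wildcard entry (*.example.com) the record goes at the base name.
VERIFICATION_ZONE = "verification.quietls.com"
VALIDATION_LABEL = "_pki-validation"

# A resolver stand-in: given a name, return its CNAME target or None.
Resolver = Callable[[str], Optional[str]]


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive and a trailing dot only marks an absolute name."""
    return name.strip().rstrip(".").lower()


def derive_token(user_id: str, domain: str) -> str:
    """token = sha256(userId + ":" + domain)[0..32], hex encoding assumed."""
    data = f"{user_id}:{normalize_name(domain)}".encode("utf-8")
    return hashlib.sha256(data).hexdigest()[:32]


def expected_target(user_id: str, domain: str) -> str:
    """The CNAME target QuietLS expects: <token>.verification.quietls.com."""
    return f"{derive_token(user_id, domain)}.{VERIFICATION_ZONE}"


def validation_name(domain: str) -> str:
    """The name that must carry the CNAME: _pki-validation.<domain>."""
    base = normalize_name(domain)
    if base.startswith("*."):          # assumption: a wildcard entry uses its base name
        base = base[2:]
    return f"{VALIDATION_LABEL}.{base}"


def verify_domain(user_id: str, domain: str, resolve_cname: Resolver) -> bool:
    """Steps 2 and 3 of the page: fetch the CNAME and compare it to the expected target."""
    answer = resolve_cname(validation_name(domain))
    if answer is None:                 # no CNAME at all: not created yet, or wrong record type
        return False
    return normalize_name(answer) == expected_target(user_id, domain)


def verify_with_resolvers(user_id: str, domain: str, resolvers: list[Resolver]) -> bool:
    """Require every configured public resolver to agree (assumption: both must match)."""
    return all(verify_domain(user_id, domain, r) for r in resolvers)


def make_resolver(cname_table: dict[str, str]) -> Resolver:
    """Build an offline stand-in for 8.8.8.8 / 1.1.1.1 from a constructed CNAME table."""
    table = {normalize_name(k): v for k, v in cname_table.items()}
    return lambda name: table.get(normalize_name(name))


if __name__ == "__main__":
    # Constructed sample zone: alice has created the record the page asks for.
    alice_zone = make_resolver({
        "_pki-validation.example.com.": expected_target("alice", "example.com") + ".",
    })
    print("alice verified:", verify_domain("alice", "example.com", alice_zone))  # True
    # bob adds the same domain: he gets a different token, so alice's record does not match.
    print("bob verified:  ", verify_domain("bob", "example.com", alice_zone))    # False
```

To turn this into a live check, replace make_resolver with a real lookup against 8.8.8.8 and 1.1.1.1 (for example a dnspython CNAME query); the derivation and comparison logic stays the same. A resolver that returns None while the other returns the right target is the caching situation described under "Public DNS resolution" and should be treated as "not yet verified" rather than as a failure.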

Protection against ownership changes

Because the token is tied to a specific user account, verification does not travel with the domain. If someone else adds the same domain to their QuietLS account, they receive a different token and must create their own CNAME record. A name can hold only one CNAME, so the new owner has to replace the existing record, and once they do the previous owner's token no longer matches and their verification fails on the next check.

Public DNS resolution

QuietLS verifies CNAME records through public DNS resolvers (Google and Cloudflare), not through direct queries to your authoritative nameservers. This checks that the record is visible from outside your own infrastructure, which is what a certificate authority sees during real SSL validation. One caveat: recursive resolvers cache answers, so after you create or change the record a check may keep returning the old answer (or a cached "no such record") until the previous TTL expires.