The End of WHOIS-Based DCV Methods: What You Need to Know and How to Transition
Because of critical weaknesses in the WHOIS system, the CA/Browser Forum has required that WHOIS-based Domain Control Validation (DCV) methods be retired.
This change applies to all CAs and is part of a broader effort to improve the security and reliability of publicly trusted SSL/TLS certificates.
To remain compliant, all major CAs, including Sectigo and DigiCert, will no longer use WHOIS email addresses or contact data to verify a domain. This affects organizations that rely on WHOIS-based techniques and requires them to transition immediately to the other standard DCV methods used in the industry.
Key Dates and Timeline
The decision to retire WHOIS-based Domain Control Validation methods was driven by serious security weaknesses and risks. The changes outlined below therefore apply industry-wide to all CAs, including DigiCert and Sectigo. Here is the detailed timeline of the changes and their implications:
Phase 1 – January 8, 2025: End of HTTPS Web-Based WHOIS Lookups and of Reusing WHOIS-Based Validations
End of HTTPS Web-Based WHOIS Lookups
Starting January 8, 2025, CAs may no longer perform HTTPS web-based WHOIS lookups to obtain domain contact information for DCV.
Background:
Previously, when WHOIS protocol queries failed, for instance because of rate limits or missing data, validation agents relied for years on manual HTTPS web-based WHOIS lookups to obtain a domain's contact data.
These lookups let validation continue when the more automated methods broke down. This workaround is no longer permitted.
Impact:
- WHOIS-based DCV methods that depended on these lookups become unusable.
- Domain owners must migrate to other forms of validation, such as DNS TXT, HTTP file-based, or constructed email DCV methods.
End of Reusing WHOIS-Based Domain Validations
CAs will no longer accept the reuse of domain validations obtained through HTTPS WHOIS lookups, even if those validations have not expired and still fall within the 397-day reuse period.
Impact:
All certificates issued or renewed on the basis of WHOIS-based validations must be revalidated using non-WHOIS methods.
This is the point at which to move to another form of DCV.
Phase 2 – May 8, 2025: Discontinuation of WHOIS-Based Email and Phone Domain Control Validation
CAs will also stop verifying domain control through email addresses and phone numbers taken from WHOIS contact records.
Impact:
WHOIS-based validation of requests will no longer be accepted.
Customers that depend on email or phone validation via WHOIS must migrate to one of the supported methods:
- Constructed Email DCV: using admin@, administrator@, hostmaster@, postmaster@ or webmaster@ at the domain.
- DNS TXT Record Validation.
- HTTP File-Based Validation.
Phase 3 – July 8, 2025: End of WHOIS-Based DCV Reuse for Certificate Renewal and Reissuance
WHOIS-based validations may no longer be reused, even when a certificate is renewed or reissued.
Impact:
Domains validated through WHOIS-based methods must be revalidated with another DCV method before a certificate can be renewed. This applies to all TLS/SSL certificates.
Sectigo’s and DigiCert’s Currently Supported DCV Methods:
As WHOIS-based DCV methods gradually disappear, Sectigo and DigiCert have defined other supported methods to secure domain validation. Below is a breakdown of their currently supported DCV methods:
DNS TXT Record Validation (Recommended Method)
Overview
With this method, you add a DNS TXT record containing a token provided by the Certificate Authority (CA). It is considered very secure and efficient.
Steps to Perform DNS TXT Record Validation:
- Log in to the DNS management console for your domain.
- Add a TXT record with the values given by Sectigo or DigiCert.
- Wait for DNS propagation (can take up to 24 hours).
- Notify the CA or wait for automated verification.
Advantages:
- Most secure method.
- Does not need access to email or hosting environments.
- Ideal for automated workflows and large-scale deployments.
HTTP File-Based Validation
Overview:
This method works by placing a file provided by the CA in a specific directory on your web server. The CA confirms control of the domain by downloading the file from a specific URL.
Steps to Perform HTTP File-Based Validation:
- Download the validation file from the CA’s portal.
- Store this file in the directory indicated at the URL http://www.yourwebsite.com/.well-known/pki-validation/
Example: http://yourdomain.com/.well-known/pki-validation/fileauth.txt.
- Verify that the file can be downloaded from the Internet.
- Notify the CA or wait for automated verification.
Advantages:
- Simple to set up for anyone who controls the domain’s web server.
- Works well for single-domain certificates, but is less practical when many domains must be validated at once.
Constructed Email DCV (Supported Email Addresses)
Overview:
Email Validation: a confirmation message is sent to a constructed address at your domain, and the recipient approves validation by clicking the link in the message body.
Supported Email Addresses: admin@, administrator@, hostmaster@, postmaster@ and webmaster@ at your domain.
Steps to Perform Email Validation:
- Ensure at least one of the addresses above exists and receives mail.
- Request email DCV from the CA.
- Receive the verification email and click the verification link it contains.
Advantages:
- Easy to use for small commercial entities or individual web domains.
- Requires no Domain Name System (DNS) or hosting access.
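As an added example (not Sectigo's or DigiCert's code), the following Python pre-flight checks cover the three methods above: whether an address qualifies as a constructed DCV address, whether TXT records already fetched for the validation name contain the CA token exactly, and whether a validation file sits under the .well-known/pki-validation path the CA will fetch. The token, file name and domains are constructed placeholders; performing the actual DNS or HTTP fetch is left to the caller.

```python
from urllib.parse import urlsplit

# Local parts permitted for constructed-email DCV, as listed above
CONSTRUCTED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "hostmaster", "postmaster", "webmaster"}
)
PKI_VALIDATION_PATH = "/.well-known/pki-validation/"


def is_constructed_dcv_address(email: str, domain: str) -> bool:
    """True only for one of the five permitted local parts at `domain`.
    A contact taken from a WHOIS record is rejected, even at the same domain."""
    local, sep, host = email.rpartition("@")
    if not sep or not local:
        return False
    return local.lower() in CONSTRUCTED_LOCAL_PARTS and host.lower() == domain.lower()


def dns_txt_has_token(txt_records: list, token: str) -> bool:
    """Check TXT records already fetched for the validation name (for example
    with `dig TXT`) for an exact match of the CA token. dig-style quoting is
    stripped; substrings and near matches do not count."""
    return any(r.strip().strip('"') == token for r in txt_records)


def pki_validation_url(domain: str, filename: str) -> str:
    """Build the only URL the CA will fetch for HTTP file-based DCV."""
    if "/" in filename or filename.startswith("."):
        raise ValueError("the file must sit directly under pki-validation")
    return f"http://{domain}{PKI_VALIDATION_PATH}{filename}"


def http_file_matches(url: str, body: str, expected: str) -> bool:
    """Compare the body served at `url` with the CA-provided content. A file
    served anywhere outside the well-known path is not found by the CA."""
    if not urlsplit(url).path.startswith(PKI_VALIDATION_PATH):
        return False
    return body.strip() == expected.strip()


if __name__ == "__main__":
    # constructed placeholders: a CA-issued token and file name
    token = "EXAMPLE-DCV-TOKEN-123"
    records = ['"EXAMPLE-DCV-TOKEN-123"', "v=spf1 -all"]
    print(dns_txt_has_token(records, token))  # True
    print(is_constructed_dcv_address("hostmaster@example.com", "example.com"))  # True
    print(pki_validation_url("example.com", "fileauth.txt"))
```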
Comparison of Sectigo and DigiCert’s Supported Domain Control Validation Methods
| Validation Method | Sectigo | DigiCert | Recommendation |
|---|---|---|---|
| DNS TXT Record | ✅ | ✅ | Best for automation, scalability, and security. |
| HTTP File-Based | ✅ | ✅ | Simple for users with server access, suitable for small-scale operations. |
| Constructed Email DCV | ✅ | ✅ | Convenient for individuals or small organizations with admin email access. |
Impact on Organizations:
If you currently rely on WHOIS-based email or phone validation methods:
Domain Validations at Risk:
Certificates validated through WHOIS methods must be revalidated with another method before the relevant phase deadline.
Delayed Certificate Issuance:
Organizations that rely on instant issuance risk delays in certificate issuance unless they revalidate proactively.
Compliance Requirements:
Revalidation is necessary to remain compliant and to avoid service outages caused by certificates that can no longer be issued or renewed through unsupported methods.
What Should You Do Next?
Follow these steps to ensure a smooth transition:
1. Audit Your Certificates
Identify certificates whose domains were validated using WHOIS-based methods.
Record the date of each validation and check whether it still falls within the reuse period.
2. Select an Alternative Supported DCV Method
DNS TXT record validation is recommended because it is simple and provides the highest security.
Alternatively, use constructed email addresses or HTTP file-based validation.
3. Revalidate Your Domains
All domain validation must be done with one of the above forms before the deadline.
4. Update Automation Processes
Update any automated issuance workflows so that they use a supported DCV method.
5. Watch Updates
Ensure that you receive updates from your CA regarding changes in validation.
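To support the audit in step 1, here is an added Python helper (not a CA-provided tool) that applies the three phase dates and the 397-day reuse period from this page to a stored inventory of validations and reports which domains must be revalidated on a given date. The inventory and the method labels are constructed for the example.

```python
from datetime import date, timedelta

# Timeline from this page; the reuse period is the 397-day maximum cited above
REUSE_PERIOD = timedelta(days=397)
PHASE1 = date(2025, 1, 8)   # HTTPS web-based WHOIS lookups: no further use or reuse
PHASE2 = date(2025, 5, 8)   # WHOIS email/phone: no new validations
PHASE3 = date(2025, 7, 8)   # WHOIS email/phone: no reuse, even for renewal/reissue

# constructed method labels used by this helper
SUPPORTED = {"dns-txt", "http-file", "constructed-email"}


def reusable_on(method: str, validated_on: date, as_of: date) -> bool:
    """True if a validation performed with `method` on `validated_on` may
    still be reused for issuance on `as_of`."""
    if as_of < validated_on or as_of - validated_on > REUSE_PERIOD:
        return False                      # outside the reuse window entirely
    if method == "whois-web":
        return as_of < PHASE1             # Phase 1 ends both use and reuse
    if method in ("whois-email", "whois-phone"):
        # Phase 2 stops new validations; Phase 3 stops reuse of earlier ones
        return validated_on < PHASE2 and as_of < PHASE3
    return method in SUPPORTED


def needs_revalidation(inventory: dict, as_of: date) -> list:
    """Domains whose current validation cannot be reused on `as_of`."""
    return sorted(d for d, (m, v) in inventory.items() if not reusable_on(m, v, as_of))


# constructed inventory: domain -> (method, date validated)
SAMPLE_INVENTORY = {
    "shop.example": ("whois-email", date(2024, 12, 1)),
    "api.example": ("dns-txt", date(2025, 3, 1)),
    "old.example": ("dns-txt", date(2024, 1, 1)),  # past the 397-day window
}

if __name__ == "__main__":
    for when in (PHASE1, PHASE2, PHASE3):
        print(when, needs_revalidation(SAMPLE_INVENTORY, when))
```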
Conclusion
The deprecation of WHOIS-based DCV methods is a significant evolution in SSL/TLS validation practice that strengthens security and trust. Organizations should act quickly to migrate to supported DCV methods such as DNS TXT records, constructed email addresses, and HTTP file-based validation.
Plan ahead, revalidate your domains, and ensure seamless certificate issuance; rest assured that you have met the most current industry standards. Don’t hesitate to contact our support team if you continue to require support with the DCV methods or have any queries regarding this update.
Frequently Asked Questions (FAQs)
1. Why are WHOIS-based validation methods being removed from use?
WHOIS-based DCV methods are insecure because of weaknesses such as spoofing, incomplete contact data, and query rate limits. These risks led the CA/Browser Forum to require more robust alternatives.
2. Can I still use email for domain validation?
Yes, but only through a constructed address at your domain (admin@, administrator@, hostmaster@, postmaster@ or webmaster@); otherwise, use a DNS TXT record instead.
3. What happens if I fail to revalidate my domain?
Certificates based on WHOIS-based validations will no longer be issued nor will they be able to be reused. If they are not revalidated before deadlines, there could be service disruptions.
4. Which DCV method is the most secure?
DNS TXT record validation is secure, easy to set up, and least likely to be deprecated.
5. How do I prepare for these changes?
Auditing certificates, moving to a supported DCV method, and revalidating domains ahead of the deadlines will keep you compliant and prevent disruption to certificate issuance.