3rd party vendor asks for DNS TXT record, what's that get them?

Hi Cloudflare-users,

I work for a US Higher-Ed who is not a Cloudflare customer. We manage our own DNS, do our own hosting, etc.

One of our departments is contracting with a SaaS vendor who DOES want to use Cloudflare services for the site, which will be in our DNS domain. Cool.

So this vendor is now asking us to add a TXT record to our domain to prove DCV to Cloudflare. What’s that get them?

I assume it’s DCV so they can get a cert for the single (1) domain name their app is hosted under. However, I know that with other providers (Google, MS Azure, Zoom) providing DCV in this fashion gets you a lot more than just a TLS cert - it’s pretty much confirmation that the customer (in this case, the 3rd party) has full control of the domain, and therefore can take actions on behalf of the domain.

I’m fine with them getting a cert for that single (1) domain name. I’m not fine saying that this 3rd party vendor, whom I have never met, has full control of our domain.

Can anyone reassure me that TXT DCV in this case only gets them the right to generate a single cert?

Alternately, if this is just for a single cert/domain name, why can’t they use ACME HTTP-01 challenge?
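
Added example, not part of the original post and not Cloudflare's or the vendor's code: a small Python check that classifies a requested TXT record name using only the ACME DNS-01 naming rule from RFC 8555 (the TXT record sits at `_acme-challenge.<name>`). It assumes the vendor's request is an ACME DNS-01 challenge; `dcv_scope`, `review` and the `example.edu` names are hypothetical and constructed for illustration.

```python
# Added example: scope of an ACME DNS-01 TXT request under RFC 8555 naming.
# Zone and record names below are constructed placeholders.

ACME_LABEL = "_acme-challenge"


def _norm(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def dcv_scope(record_name: str, zone: str) -> dict:
    """Classify a requested TXT record name relative to our zone apex."""
    rec, apex = _norm(record_name), _norm(zone)
    if rec != apex and not rec.endswith("." + apex):
        return {"kind": "outside-zone", "covers": []}
    first, _, rest = rec.partition(".")
    if first == ACME_LABEL and rest:
        # RFC 8555 section 8.4: the TXT lives at _acme-challenge.<identifier>;
        # the same record name also serves the wildcard one label below it.
        kind = "acme-apex" if rest == apex else "acme-hostname"
        return {"kind": kind, "covers": [rest, "*." + rest]}
    # Anything else is a provider-defined token whose meaning is set by the
    # provider's documentation, not by the record name.
    kind = "provider-defined-apex" if rec == apex else "provider-defined-name"
    return {"kind": kind, "covers": []}


def review(requests: list, zone: str) -> list:
    """Return (record, kind, covers) rows an admin can check before publishing."""
    rows = []
    for name in requests:
        result = dcv_scope(name, zone)
        rows.append((name, result["kind"], result["covers"]))
    return rows


# Constructed sample requests for a constructed zone.
SAMPLE_ZONE = "example.edu"
SAMPLE_REQUESTS = [
    "_acme-challenge.app.dept.example.edu.",
    "_acme-challenge.example.edu",
    "example.edu",
    "_acme-challenge.example.org",
]

if __name__ == "__main__":
    for row in review(SAMPLE_REQUESTS, SAMPLE_ZONE):
        print(row)
```

A `provider-defined` result means the record name alone does not tell you the scope, so the provider's documentation for that token has to.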

