DigiCert KnowledgeBase - Technical Support


Troubleshooting MPIC Domain Validation Failures

Solution ID : SO505
Last Modified : 04/02/2026

During domain control validation (DCV), DigiCert performs checks from multiple global locations using our MPIC (Multi-Perspective Issuance Corroboration) agents. In some cases, these validation attempts fail or produce inconsistent results.

Typical symptoms you may experience:

  • Domain validation takes longer than expected or times out.
  • Certificate issuance is delayed or fails due to validation errors.
  • Validation works intermittently — succeeds sometimes but fails at other times.
  • Different validation attempts produce inconsistent results.


What causes these issues?

The most common causes are firewall rules, DNS rate limiting, or DDoS protection policies that inadvertently block or restrict queries from DigiCert's global validation agents.

Checklist for Resolving Validation Failures

Please review each item with your network or DNS provider.

  1. Firewall & allowlist
    • Ensure your firewall allows inbound UDP and TCP traffic from DigiCert MPIC agent IP addresses
    • Official IP list: MPIC agent IP addresses
    • Recommendation: If possible, allowlist the user agent DigiCert DCV Bot/1.1 instead of only specific IPs — this automatically includes future IP addresses.
  2. Open UDP & TCP port 53 globally
    • DNS must be accessible worldwide. Ensure both UDP and TCP port 53 are open to all sources, not just local or regional traffic.
    • TCP port 53 is especially important for DNSSEC and large DNS responses (e.g., CAA records).
  3. Check DDoS protection & DNS rate limiting
    • Concurrent session limits: Some DNS providers limit the number of simultaneous connections from a single client. We have seen cases where raising this limit from 25 to 200 resolved all validation failures.
    • Queries per second (QPS): Check for per-IP query caps that may throttle DigiCert's validation agents.
    • Geo-blocking: Verify that your DNS does not block queries from specific geographic regions. DigiCert validates from multiple global locations.
  4. Review managed DNS provider settings
    • If you use services like Akamai, Cloudflare, AWS Route53, Azure DNS, or similar, contact their support to verify that:
      • Concurrent session limits are at least 200 per client IP.
      • No asymmetric rate limiting applies to different regions.
      • "DNS firewall" or "security" features are not blocking legitimate validation bots.
  5. Check DNS server logs
    • Review your DNS server logs for dropped queries, REFUSED or SERVFAIL responses originating from DigiCert IP ranges.
    • Look for timeout patterns — queries that take too long to respond may indicate rate limiting.

Real-world example: A customer using a managed DNS service had a concurrent session limit of 25. After they worked with their DNS provider to increase the limit to 200, all validation checks completed successfully. The intermittent failures and timeouts stopped completely.

Understanding inconsistent validation results: If validation sometimes succeeds and sometimes fails, or if you are told that "some agents succeed while others fail," this typically indicates regional rate limiting or geo-blocking. DigiCert's validation agents are located in multiple regions worldwide — if your DNS restricts traffic from certain regions, only some validation attempts will succeed.
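As an added example (not DigiCert's tooling), the following Python 3 script reproduces checklist steps 2 and 3 from a single host: it sends a burst of simultaneous CAA queries to your authoritative nameserver over both UDP and TCP port 53 and tallies the outcomes, so REFUSED, SERVFAIL or TIMEOUT results that appear only at higher concurrency point to a session cap or rate limit, while TCP failures alongside UDP successes point to a blocked TCP/53. It assumes the nameserver IP and domain you pass in (192.0.2.53 and example.com in the comment are placeholders) and a probing host that is not itself rate-limited; because it probes from one vantage point it cannot reproduce geo-blocking.

```python
import random, socket, struct
from concurrent.futures import ThreadPoolExecutor
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_CAA = 257  # CAA lookups are the large-response case that needs TCP fallback

def build_query(name, qtype=QTYPE_CAA, txid=None):  # -> (txid, wire bytes), RD set
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_response(txid, data):  # -> (rcode name, answer count, TC bit)
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)), an, bool(flags & 0x0200)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-response")
        buf += chunk
    return buf

def query(server, name, proto, timeout=3.0):  # one query over "udp" or "tcp"
    txid, msg = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(msg, (server, 53))
                data, _ = s.recvfrom(4096)
        else:  # RFC 1035 TCP framing: two-byte length prefix on each message
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(msg)) + msg)
                data = _recv_exact(s, struct.unpack("!H", _recv_exact(s, 2))[0])
        rcode, _an, truncated = parse_response(txid, data)
        return rcode + "+TC" if truncated else rcode  # TC over UDP: TCP/53 must work
    except socket.timeout:
        return "TIMEOUT"  # what a session cap or a silent firewall drop looks like
    except OSError as e:
        return "ERROR:" + (e.strerror or type(e).__name__)

def burst(server, name, proto, concurrency):  # parallel queries, like MPIC agents
    # e.g. burst("192.0.2.53", "example.com", "tcp", 50)  (placeholder values)
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        results = list(pool.map(lambda _: query(server, name, proto), range(concurrency)))
    return {outcome: results.count(outcome) for outcome in sorted(set(results))}
```

Run the same burst at concurrency 10 and again at 100 over each protocol; a result mix that is clean at 10 but shows TIMEOUT or REFUSED at 100 is the signature of the session limits described above.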

Summary Table

Area to inspect            What to look for
-------------------------  -----------------------------------------------------------------
Firewall / ACL             Blocking DigiCert IPs or the DigiCert DCV Bot/1.1 user agent
Protocol restrictions      TCP port 53 blocked (required for DNSSEC and large DNS responses)
Concurrent session limits  Limit lower than 50 — increase to 200 recommended
Queries per second (QPS)   Low per-IP caps that throttle validation bursts
Geo-blocking               Blocking DNS queries from specific countries or regions
DNS protection services    Aggressive "DNS firewall" rules that drop validator traffic
Server logs                Dropped queries, REFUSED, or timeouts from DigiCert IPs

Why validation may work intermittently

Intermittent failures — where validation sometimes passes and sometimes fails — are almost always caused by rate limiting or concurrent session caps. When multiple MPIC agents query your DNS simultaneously, a low session limit may allow the first few queries to succeed while later ones are rejected or timed out.

If you observe that validation succeeds during off-peak hours but fails during business hours, this also points to rate limiting or resource contention on your DNS infrastructure.