DNS Zone Setup

When using DNS-01 the ACME Client requires access to create and delete TXT records on the _acme-challenge subdomain of the target domain. In order to reduce risk of compromise of the main DNS zone, it is necessary to serve challenges from a different DNS zone with separate credentials, or even a dedicated DNS server.

In order to serve the challenge from a different zone, it is necessary to either delegate the _acme-challenge subdomain to another DNS server using NS records or to alias the subdomain into a dedicated zone using CNAME records.

Example setup

Services in the following domains should be protected using Let’s Encrypt certificates: www.example.com, example.com.

Note, many public DNS providers do only support privilege separation on a per-domain level. Thus subdomains cannot be managed from a different account. In this case it is recommended to simply host challenge zones using a different public DNS provider. It is recommended to choose one which is supported well by the ACME Client in use.

As an alternative to public DNS providers, there is the option to run a dedicated stripped down non-recursive DNS server only hosting challenge zones.

Delegation

Assuming that a dedicated DNS service reachable at acme-ns1.example.net is hosting _acme-challenge zones. The service needs to host one _acme-challenge zone for each target domain. Thus if a certificate should be requested containing example.com and www.example.com, then the DNS service needs to host two zones. I.e., _acme-challenge.example.com and _acme-challenge.www.example.com.

In that case the following DNS records need to be added to the main zone:

_acme-challenge.www.example.com. IN NS acme-ns1.example.net
_acme-challenge.example.com.     IN NS acme-ns1.example.net

Aliasing

Assuming that there is a DNS zone auth.example.net dedicated to host ACME challenges. One or more DNS label(s) needs to be choosen in the dedicated DNS zone to host the TXT records. Note that there is no strict rule on how labels need to be named. In general it is recommended that records in a label are only updated by one ACME client at a time.

The following DNS records need to be added to the main zone if the label www-example-com should be used to serve TXT records inside auth.example.com.

_acme-challenge.www.example.com. IN CNAME www-example-com.auth.example.com
_acme-challenge.example.com.     IN CNAME www-example-com.auth.example.com

Note: Some ACME clients require advanced configuration to support CNAME records. Otherwise they will attempt to update records on the main zone.