DNS Zone Setup
When using DNS-01, the ACME client requires access to create and delete TXT records on the _acme-challenge subdomain of the target domain. To reduce the risk of compromising the main DNS zone, it is necessary to serve challenges from a different DNS zone with separate credentials, or even from a dedicated DNS server.
In order to serve the challenge from a different zone, it is necessary to either delegate the _acme-challenge subdomain to another DNS server using NS records or to alias the subdomain into a dedicated zone using
Services in the following domains should be protected using Let’s Encrypt
Note that many public DNS providers only support privilege separation at the per-domain level, so subdomains cannot be managed from a different account. In this case it is recommended to simply host the challenge zones with a different public DNS provider, preferably one that is well supported by the ACME client in use.
As an alternative to public DNS providers, there is the option to run a dedicated, stripped-down, non-recursive DNS server that only hosts challenge zones.
Assuming that a dedicated DNS service reachable at _acme-challenge zones. The service needs to host one _acme-challenge zone for each target domain. Thus, if a certificate should be requested containing www.example.com, then the DNS service needs to host two zones. I.e.,
In that case the following DNS records need to be added to the main zone:
_acme-challenge.www.example.com. IN NS acme-ns1.example.net
_acme-challenge.example.com.     IN NS acme-ns1.example.net
Assuming that there is a DNS zone auth.example.net dedicated to hosting ACME challenges, one or more DNS labels need to be chosen in the dedicated zone to host the TXT records. Note that there is no strict rule on how labels need to be named. In general it is recommended that the records in a label are only updated by one ACME client at a time.
The following DNS records need to be added to the main zone if the label www-example-com should be used to serve TXT records inside
_acme-challenge.www.example.com. IN CNAME www-example-com.auth.example.net
_acme-challenge.example.com.     IN CNAME www-example-com.auth.example.net
Note: Some ACME clients require advanced configuration to support
records. Otherwise they will attempt to update records on the main zone.
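A way to check that a given setup really keeps the challenge out of the main zone, as an added example that is not part of the original page: it follows the _acme-challenge name through any CNAME aliases, then finds the nearest zone cut (the closest name carrying NS records), which is the zone whose credentials the ACME client needs. The record set is constructed inline to mirror the two setups above; a real check would query live DNS instead.

```python
from typing import List, Tuple

# Constructed record set (example data, not live DNS) mirroring the page's two
# setups: example.com delegates _acme-challenge via NS records, while
# www.example.com aliases it via CNAME into the dedicated zone auth.example.net.
RECORDS = {
    "example.com.": [("NS", "ns1.example.com.")],
    "_acme-challenge.example.com.": [("NS", "acme-ns1.example.net.")],
    "_acme-challenge.www.example.com.": [("CNAME", "www-example-com.auth.example.net.")],
    "example.net.": [("NS", "ns1.example.net.")],
    "auth.example.net.": [("NS", "acme-ns1.example.net.")],
}

def fqdn(name: str) -> str:
    """Normalise to a lower-case absolute name with a trailing dot."""
    return name.lower().rstrip(".") + "."

def resolve_alias(name: str, records: dict, max_hops: int = 8) -> str:
    """Follow CNAMEs to the final owner name; reject loops and over-long chains."""
    seen: List[str] = []
    name = fqdn(name)
    while True:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.append(name)
        targets = [rdata for rtype, rdata in records.get(name, []) if rtype == "CNAME"]
        if not targets:
            return name
        if len(seen) > max_hops:
            raise ValueError(f"CNAME chain longer than {max_hops} hops")
        name = fqdn(targets[0])

def enclosing_zone(name: str, records: dict) -> str:
    """Closest name (self or ancestor) with NS records: the zone able to write at name."""
    labels = fqdn(name).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if any(rtype == "NS" for rtype, _ in records.get(candidate, [])):
            return candidate
    return "."  # no zone cut found below the root

def challenge_zone(domain: str, records: dict) -> Tuple[str, str]:
    """Where the client's TXT record lands: (final owner name, hosting zone)."""
    owner = resolve_alias("_acme-challenge." + fqdn(domain), records)
    return owner, enclosing_zone(owner, records)

def is_separated(domain: str, records: dict) -> bool:
    """True when the challenge record lives outside the domain's own zone."""
    return challenge_zone(domain, records)[1] != enclosing_zone(domain, records)
```

A domain whose _acme-challenge name is neither delegated nor aliased resolves to its own main zone, which is exactly the case the page says to avoid.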