Feature: surrogate validation domain/zone support #369

webprofusion-chrisc opened this Issue Sep 28, 2018 · 2 comments

webprofusion-chrisc commented Sep 28, 2018

When using DNS validation it can be useful to have a surrogate domain for validation only; this means that the DNS API credentials only have access to the validation domain/subdomain instead of the real domain's DNS.


  • is a CNAME pointing to a TXT record (or any other domain) in the surrogate domain/subdomain.
  • Let's Encrypt will follow the CNAME redirection when checking the challenge response.

Currently Certify's DNS APIs will attempt to create/update the TXT record in the '' zone related to the API credentials; if the credentials actually apply to the surrogate domain zone '', this fails because '' is not found in the zone.

The app needs to allow an optional surrogate domain to be specified for validation to allow for this case.
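To illustrate the mechanism described in this issue, here is an added example (not Certify's own code): a small Python model of how a client should decide where to write the validation TXT record, following the CNAME the way Let's Encrypt does and checking that the final name sits in a zone its credentials can edit. The record names, the surrogate zone and the loop records are constructed assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample zone data (assumed names, not from the issue): the real
# domain's challenge label is a CNAME into a separate surrogate zone, and the
# DNS API credentials can only write into that surrogate zone.
RECORDS: Dict[str, Tuple[str, str]] = {
    "_acme-challenge.example.com.": ("CNAME", "validation.acme-surrogate.example."),
    "loop-a.example.com.": ("CNAME", "loop-b.example.com."),
    "loop-b.example.com.": ("CNAME", "loop-a.example.com."),
}
API_ZONES: List[str] = ["acme-surrogate.example."]


def follow_cnames(name: str, records: Dict[str, Tuple[str, str]], max_hops: int = 8) -> str:
    """Return the owner name the CNAME chain ends at, as the ACME server would see it.
    Bounded, so a looping or over-long chain is reported instead of spinning."""
    seen = set()
    while name in records and records[name][0] == "CNAME":
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME chain from {name} loops or exceeds {max_hops} hops")
        seen.add(name)
        name = records[name][1]
    return name


def zone_for(name: str, zones: List[str]) -> Optional[str]:
    """Longest-suffix match: which credential-accessible zone contains this name?"""
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def plan_txt_record(domain: str, records: Dict[str, Tuple[str, str]], zones: List[str],
                    surrogate_domain: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Decide where the client must write the challenge TXT record.
    Without a surrogate, the client targets the real domain's zone (the current
    behaviour in the issue) and finds no writable zone. With a surrogate, it follows
    the CNAME and also checks that the redirect really lands inside that zone."""
    challenge = f"_acme-challenge.{domain}."
    if surrogate_domain is None:
        return challenge, zone_for(challenge, zones)
    target = follow_cnames(challenge, records)
    if zone_for(target, [surrogate_domain.rstrip(".") + "."]) is None:
        raise ValueError(f"{challenge} does not redirect into {surrogate_domain}")
    return target, zone_for(target, zones)
```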



webprofusion-chrisc commented Dec 4, 2018

See also #391 regarding acme-dns support



webprofusion-chrisc commented Dec 14, 2018

As an extension to this idea, the proposed solution for CNAME redirection is to provide a hosted/managed service for DNS validation:

  • User selects to use DNS Validation, CNAME Redirection Service
  • Service provides the user with a TXT record name in a CTW managed domain (e.g. ) which they point the CNAME to.
  • Service then takes care of updating and managing the validation TXT record values.

This approach is similar to acme-dns, but perhaps simpler.

  • Advantages: easy for the user, no more DNS APIs required, DNS credentials don't need to be stored on server etc.
  • Disadvantage: if the managed CNAME service is compromised then the attacker has control over validation for those domains and can issue certificates from their own ACME client. So 2FA client registration etc. is likely necessary, as well as other access control safeguards.

The proposal is to host the redirected TXT records within AWS Route53 or other cloud DNS providers.
