DNS challenge (ACME DNS-01)

DNS-01 proves domain control by publishing a TXT record. It is the only ACME challenge that works for wildcard certs and for hosts not reachable on port 80, because the CA never has to connect to your server at all.

DNS-01 is one of three challenge types in the ACME protocol used by Let's Encrypt and other ACME-based CAs to verify domain control. To prove you control example.com, you publish a specific TXT record at _acme-challenge.example.com. The CA queries DNS, sees the record, issues the cert.

How the challenge works

  1. Your client requests a certificate for example.com (or *.example.com).
  2. The CA responds with a challenge token and an instruction: "Put a TXT record at _acme-challenge.example.com with value <base64url(sha256(token + "." + your account key's JWK thumbprint))>."
  3. Your client computes the expected TXT value, writes it to DNS (via your DNS provider's API or manually), and tells the CA to validate.
  4. The CA queries _acme-challenge.example.com from multiple DNS resolvers and checks for the expected value.
  5. If it matches: challenge succeeds, CA issues the cert.

The TXT record is then no longer needed and can be removed (or left in place; it's small, and since the CA only looks for a record matching the current token, a stale one does no harm).

Why use DNS-01 over HTTP-01?

Three reasons:

  1. Wildcards. Let's Encrypt only issues wildcard certs (*.example.com) via DNS-01. HTTP-01 can't validate a wildcard because there's no obvious URL to fetch for "all subdomains."
  2. Port 80 unreachable. HTTP-01 requires the CA to fetch http://example.com/.well-known/acme-challenge/.... If your server isn't on port 80 (firewalled, private network, dev environment), HTTP-01 doesn't work. DNS-01 needs no server reachability.
  3. Cert ahead of deploy. You can issue a cert for a hostname before the actual server exists, as long as you control DNS.

Why not use DNS-01 always

Two reasons:

  1. You need DNS API access. Renewal happens every ~60 days, and you can't manually add a TXT record every 60 days for every cert, so your renewal script needs API access to your DNS provider. If your provider has no API (or a clunky one), this is friction. Note also that the credential you store for renewal usually has write access to the whole zone, so scope it as narrowly as the provider allows.
  2. Propagation delay. TXT records take some time to propagate. ACME clients usually wait 30-120 seconds after writing the record before asking the CA to validate. Slow.

DNS-01 with CNAME delegation

The technique that custom-domain platforms use: ask the customer to set a one-time CNAME at _acme-challenge.theirdomain.com pointing at a subdomain you control (_acme-challenge.theirdomain.com.validation.yoursaas.com). Now you can answer ACME challenges for their domain by writing TXT records on your DNS, not theirs. They never have to touch DNS again after the one-time setup.
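As an added worked example (not code from the original page or from any of the platforms named here), the following Python computes the TXT value from steps 2 and 3 of the challenge and performs the CA-side check from step 4, following a CNAME into a platform-controlled zone exactly as the delegation above relies on. The token, the JWK public-key values and the zone dictionary are constructed sample data standing in for a real account and a real resolver.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 8555 / RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(token: str, thumbprint: str) -> str:
    """Steps 2-3: TXT value = base64url(SHA-256(token + '.' + account key thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def ca_validates(zone: dict, domain: str, expected: str, max_cname_hops: int = 8) -> bool:
    """Step 4 as the CA sees it: look up _acme-challenge.<domain>, follow CNAMEs (this is what
    makes delegation into a zone you control work), accept if any TXT there matches."""
    name = f"_acme-challenge.{domain}".lower().rstrip(".")
    for _ in range(max_cname_hops):
        rrset = zone.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"].lower().rstrip(".")
            continue
        return expected in rrset.get("TXT", [])
    return False  # CNAME chain too long or looping: validation fails

# Constructed sample inputs (example token and public-key values, not a real account).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = jwk_thumbprint(ACCOUNT_JWK)
EXPECTED = dns01_txt_value(TOKEN, THUMBPRINT)

# Constructed zone: the customer set a one-time CNAME into the platform's zone; the platform
# writes the TXT there. example.com only has a stale record from an earlier order.
ZONE = {
    "_acme-challenge.theirdomain.com": {"CNAME": "_acme-challenge.theirdomain.com.validation.yoursaas.com"},
    "_acme-challenge.theirdomain.com.validation.yoursaas.com": {"TXT": [EXPECTED]},
    "_acme-challenge.example.com": {"TXT": ["stale-value-from-a-previous-order"]},
}

if __name__ == "__main__":
    print("TXT value to publish:", EXPECTED)
    print("theirdomain.com via delegation:", ca_validates(ZONE, "theirdomain.com", EXPECTED))
    print("example.com with stale record:", ca_validates(ZONE, "example.com", EXPECTED))
```

Against a live zone the `zone` lookup would be replaced by real TXT/CNAME queries to the domain's authoritative servers; the hashing and matching logic is unchanged.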

This is how Cloudflare for SaaS, Heroku, Vercel, Render, and Domainee handle multi-tenant cert issuance at scale.

Want this handled for you? Start free with Domainee — 50 custom domains + 100 GB bandwidth, no card.