Allow wildcard and private host certificates with non-DNS-01 challenges using DNS delegation?

I’ve been working on setting up DNS-01 validation for my domains, and in the course of dealing with the attendant complexity and difficulties compared to the traditional validation methods have found myself wondering why a simpler scheme wouldn’t suffice.

My understanding is that the two benefits the DNS-01 challenge provides over HTTP-01/TLS-ALPN-01 are that it allows issuing wildcard certificates and certificates for hosts that aren’t exposed to the public internet, and the reason that wildcard certificates for * can’t be issued after a successful HTTP-01/TLS-ALPN-01 challenge for is that network delegation of a single subdomain through A/AAAA/CNAME records does not necessarily imply the intent to delegate control over the entire DNS tree rooted there.

I think that there’s a simpler way to achieve these same guarantees without running the entire ACME challenge machinery over DNS. As an illustrative example, here’s my understanding of the flow of a DNS-01 validation for a private domain when using a server like acme-dns to keep _acme-challenge records separate from your general DNS keys (a best practice in general, but especially relevant here because of the delegation involved):

  • the client initiates a DNS-01 validation for;
  • the CA queries its DNS resolver for the records for and gets the CNAME response;
  • the CA queries its DNS resolver for the authoritative nameserver for and gets;
  • the CA queries for the TXT records for and verifies the challenge.

My proposal is to add support for a CNAME record _acme-delegate that acts the same way a CNAME/NS record for _acme-challenge does, but for the existing HTTP-01/TLS-ALPN-01 challenges. You would add a record like: CNAME

with the meaning "ACME challenges for should instead be directed to". An example validation flow using this would be:

  • the client initiates a TLS-ALPN-01 validation for, requesting use of DNS delegation;
  • the CA queries its DNS resolver for the the records for and gets the CNAME response;
  • the CA connects to and runs a normal TLS-ALPN-01 challenge for the domain

As far as I can tell, the two flows here are basically equivalent; this should have all the same guarantees with regards to zone authority that the existing DNS-01 challenge machinery does, but only require one-time DNS setup rather than dynamic TXT record adjustments for every renewal. The use of a specialized validation protocol like TLS-ALPN-01 avoids the need for complex DNS API integration with concerns about overpowered keys, TTLs, propagation, and so on, and allows for the elimination of the verbose UUID subdomains acme-dns relies on.

A wildcard certificate would correspond to _acme-delegate.*; to make this valid we can map it to instead, so that the simple case where you want to be able to issue certificates for * could be expressed as: CNAME

Alternatively, the presence of an _acme-delegate record could be treated as delegating permission to issue a wildcard certificate, the same way DNS-01 _acme-challenge records currently work; this shouldn’t reduce expressivity, as you could still forbid wildcard issuance with CAA records, but it feels a little less orthogonal to me.

There are, of course, lots of bikesheddy debates to be had (should these be SRV records rather than CNAMEs? should _acme-delegate-wild imply _acme-delegate?), but it seems to me like this would allow for the issuance of private and wildcard certificates in a way that requires fewer moving parts than the existing DNS challenge machinery and integrates better with clients. It would also address one of the listed downsides of HTTP-01/TLS-ALPN-01 challenges – “If you have multiple web servers, you have to make sure the file is available on all of them.” – by allowing domains to opt in to delegating challenges elsewhere.

My feeling is all that this is too simple to not already have been thought of, so please feel free to explain to me why this obviously wouldn’t work!

First of all, there are limits to how a domain validation can be passed by CA/B Baseline Requirement Section (v1.6.8 as of writing).
DNS-01 challenge is Section DNS Change.
HTTP-01 challenge is Section Agreed-Upon Change to Website.
TLS-ALPN-01 challenge is Section TLS Using a Random Number.

The BR required that every HTTP validation file must locate in the Authorization Domain Name (including CNAME) or being redirected with HTTP status 3xx or being CNAMEd.

The method you suggested wasn’t allowed by CA/B Forum, which I guess is why Let’s Encrypt or other CA didn’t offer such feature.


That’s unfortunate but makes sense; I didn’t realise the CA/B requirements specified validation so precisely. Given that basically includes ACME by reference I guess there’s still some hope for such a protocol to be standardized, but getting through CA/B is indeed a major obstacle.

Interestingly, it seems like the requirements HTTP-01 falls under actually permit issuance of wildcard certificates, so I guess a subset of this could be implemented to allow HTTP-01-validated wildcard certificates with a special DNS record, but it’s a lot less compelling if it can’t support private hosts or TLS-ALPN-01 challenges.

CA/B Forum allows issuance of wildcard certificate based on successful validation for the base domain (and some CA already implemented such). I think it’s Let’s Encrypt’s choice to not implement that option (for wildcard certificates, for now)
My guess for the decision is that it’s not beneficial for automation. (Consider the circumstance where subdomains are on another server, it’ll be hard for acme clients to automate the issuance when initiated from subdomain server). However, only Let’s Encrypt staff knows the reason behind their decision…

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.