Automatic DNS-01 challenge in Windows


On Linux I use to make DNS-01 challenges with and it works perfectly. On Windows I’ve been using the win-acme to make HTTP-01 challenges and it has also worked great.
However, now I want to make DNS-01 challenges on my Windows Servers as well.

I see that I can choose Run external program/script to create and update records but I was wondering if there are any existing scripts that will update to a Bind DNS server?
I have all the DNS stuff worked out already and I can make DNS changes dynamically so I just need a script that will do the updating part.

I can’t seem to find anything that will do this and was hoping someone here could point me in the right direction. Or recommend another client that could do this like does.


Posh-ACME has a bunch of plugins for DNS providers. (note: I'm the author)

However, BIND isn't currently supported because the only way I know of to update a BIND server programmatically is via RFC 2136 and there is a distinct lack of libraries that support sending arbitrary DDNS updates to a BIND server from .NET (and more specifically .NET Core). The closest project I found is ARSoft.Tools.Net, but seems to be somewhat abandoned by the author and it's a bit heavy to use as-is. I contemplated trying to pull out enough of the code to make a plugin. But it's going to take a lot of work and I'm not quite up to the challenge yet.

I have all the DNS stuff worked out already and I can make DNS changes dynamically so I just need a script that will do the updating part.

Out of curiosity, how were you planning on doing the TXT record updates?

Thanks for the info.

I’ve played around with win-acme a bit and I’m trying to make a script that will handle the DNS.
I’ve only found one way to make this on Windows and that’s through installing the ISC Bind (tools only) and using nsupdate. However I have only managed to get it working running the script manually and not in win-acme yet.
It would be nice if it would be possible to do this natively in Windows through.

please install cygwin on you Windows server. can work in cygwin.

Yes I actually did that too lat night and it worked perfectly but it would be awesome to have something more native that doesn’t require any other software to work.
But I guess CygWin will have to work for now!

Thank you for the info.

If you want another native option, Lego supports BIND via RFC2136 (the protocol that nsupdate uses), and is a Go program, so it’s a standalone native binary across Linux/Windows/macOS etc.

If you have nsupdate or something else you can add/remove records with, you can give it a go with
ZeroSSL Windows and a plugin file to execute nsupdate (or something else) to manipulate the records - see an example of such plugin.

NB: Despite that Plugin code being in Perl, you do not actually need to install Perl or anything - it will work with the le64.exe (and le32.exe) just fine.

If the plugin is placed in the same directory as the le.exe client, then the command line would be similar to:

le64.exe -key account.key -domains -csr test.csr -csr-key test.key -crt test.crt -generate-missing -handle-with -handle-as dns -api 2

Otherwise just specify the full path to it. More details can be found at GitHub or

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.