Clarification for DNS-01 and zone delegation

Hey guys,

TL;DR: is there any way how to redirect all ACME requests for subdomains of a domain (e.g. "", "") to a specific instance of a"acme-dns" server without creating corresponding DNS CNAME entries for each of those subdomains in the main DNS server?

I'd like to use dns-01 for the creation of certificates that are to be used by my internal systems. All of them are reachable via FQDN ("", "", ...), but only from behind a firewall.

So far I only use dns-01 for a few publicly accessible systems (, - port 80 is blocked on those systems, thus no http-01).
I installed the joohoi acme-dns on a separate system (hostname, then - on the main DNS server - added a nameserver delegation ( 3600 IN NS, of course with corresponding glue record) and created the respective CNAME entries to delegate the _acme-challenge subdomains to my account on the acme-dns server (e.g. CNAME

This setup works flawlessly, but as I said, I created a CNAME record for each system which I wanted to provide with certificates.
If I took the same approach for our internal systems I would need to pollute the main DNS server with another 20+ entries and I've got the feeling I am missing something here.

As I'm writing this, it just pops into my head if maybe I can delegate the entire internal zone ( to the acme-dns server? Would that work? After all, I have no other connections from the outside except for the ACME accesses.


Unfortunately, wildcards are only allowed as the left-most label in a FQDN. Otherwise you might have gotten what you require with _acme-challenge.*, but this isn't allowed.

As far as I know, there's no clear cut solution to your issue with regular DNS zones which are also used for other things besides ACME (see below).

That could work, but indeed, this would make sure the zone is only usable for ACME requests.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.