CNAME validation

Buchi · April 10, 2026, 1:55pm

What is different between the CNAME and DNS-01 challange?

rg305 · April 10, 2026, 1:57pm

100%
There are no similarities between them.

Buchi · April 10, 2026, 1:59pm

so what is difference here for using CNAME method i need to add txt for every renewal

petercooperjr · April 10, 2026, 2:14pm

I think you need to be a lot clearer in your questions in order to get more helpful advice. I'll try to cover an overview of possible validation methods, though:

Let's Encrypt follows CNAME records when validating records, just like any system querying DNS does. The current challenge types that Let's Encrypt supports include DNS-01, which yes requires a new TXT record for each renewal (which generally would be done by your client automatically updating your DNS server when making a request). Some people use NS or CNAME records to point to a system like acme-dns, a special-purpose DNS server just for answering such challenges.

Let's Encrypt (along with various standards bodies and other CAs) are working on implementing a new challenge type called DNS-PERSIST-01, which allows for leaving a single TXT record in place across multiple renewals.

Some other CAs might instruct you to make CNAME to their systems, either as the DNS record that they're directly checking for, or just like any other service provider so that they can respond to challenges on your behalf. Again, you might need to give a lot more details about what "CNAME method" you're asking about if you want more specific information.

rg305 · April 10, 2026, 3:24pm

The is no CNAME authentication method.
You can augment authentication methods by using a CNAME to delegate your FQDN to some other FQDN; but no CA ~~will~~ [currently] validates merely because you created a CNAME record in DNS.

petercooperjr · April 10, 2026, 3:38pm

Well, not through ACME (directly, though yes of course CNAME records get followed).

But a CA can validate a domain name through method 3.2.2.4.7 DNS Change, which allows for a CNAME with a random value.

aarongable · April 10, 2026, 3:38pm

This is not quite true. The Baseline Requirements allow the Random Token to be placed in a CNAME record, e.g. as part of a subdomain label. However, few CAs actually do this, and no ACME CAs do it. But the mere existence of this possibility does make OP's question even more ambiguous.

AtmosphericIgnition · April 10, 2026, 5:05pm

I had what seems to be a similar question a couple of weeks ago, maybe this thread will help you understand CNAME better.

Topic		Replies	Views
Does Certbot support CNAME challenge? How does CNAME validation work vs DNS-01? Help	3	134	April 20, 2026
CNAME Unknown for certbot renew Help	8	2100	May 30, 2021
How to know which _acme-challenge DNS record to configure? Help	20	10018	November 4, 2021
Instructions for renewing ACME wildcard certificates Help	12	1372	March 15, 2021
DNS-PERSIST-01 and _validation-persist CNAME Issuance Tech	4	253	May 7, 2026

CNAME validation

Related topics