DNS-01 Challenge including more DNS Records than TXT

For the ACME v2 DNS-01 Challenge we all know " ACME client a token, your client will create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN> ."

But will the ACME v2 DNS-01 Challenge allow for more than just the DNS TXT record for _acme-challenge.<YOUR_DOMAIN>?

Can I have a DNS A Record and a DNS TXT Record for _acme-challenge.<YOUR_DOMAIN> without issue for the ACME v2 DNS-01 Challenge?

I have the Domain zjhzcrxvjcidp.ml, I have created both TXT and A records for _acme-challenge.zjhzcrxvjcidp.ml
I just pick Google's IPv4 Address for the DNS A Record
And for the TXT Record the string _acme-challenge goes here

nslookup can query each of them successfully.

If I were to try a DNS-01 Challenge and update _acme-challenge.zjhzcrxvjcidp.ml TXT field with the Challenge Token should the challenge succeed?
Or am I violating ACME v2 DNS-01 Challenge requirements?
(if so, how? a description or a URL to a document, etc)

$ nslookup -q=a _acme-challenge.zjhzcrxvjcidp.ml ns1.he.net.
Server:         ns1.he.net.

Name:   _acme-challenge.zjhzcrxvjcidp.ml
$ nslookup -q=txt _acme-challenge.zjhzcrxvjcidp.ml ns1.he.net.
Server:         ns1.he.net.

_acme-challenge.zjhzcrxvjcidp.ml        text = "_acme-challenge goes here"

I would expect so.

The spec says that the ACME server will "Query for TXT records for the validation domain name", so I don't see why other records for that name would be relevant, whether there or not.

Be aware that the concept of "v2" is just Let's Encrypt's API versioning due to them starting things before ACME was all standardized, by now there's just the relevant RFCs which don't really have version numbers in that way as best as I understand it.


Thanks @petercooperjr! :slight_smile:

Well it worked using https://gethttpsforfree.com/ and manually editing the _acme-challenge.zjhzcrxvjcidp.ml TXT Record.

Here is the Precertificate crt.sh | 8601507005

1 Like

Yeah, I mean you could always try against LE Staging, Pebble, and maybe even some actual CAs if you want to see how it works in practice, rather than relying on my quick glancing through the spec.


I had asked due to this Help Topic Nextjs-nginx:No TXT record found at _acme-challenge.agoratsp.com - #30 by rg305

1 Like

I would love to hear more thoughts and opinions on this Topic; even though @petercooperjr seems to have nailed it on Post #2.

1 Like

I believe you can also have multiple completing TXT records as well. IIRC, LetsEncrypt will inspect all the DNS records for a match but some providers will only support one or their own maximum number of records.


Since I was doing it all manually with https://gethttpsforfree.com/ just had 1 TXT Record that I edited and updated (and wait for propagation), and for the second challenge just reedited the TXT Record again.

1 Like

At this point I am not going to challenge fate by trying a DNS TXT Record and a DNS CNAME Record together; TXT & A are enough for me today. :slight_smile:

You can't have a CNAME at the same time as any other type of record for the same name, but that's nothing specific to ACME. :slight_smile:


That should fail big time.
Having the CNAME record should void all other records.
CNAME record - Wikipedia


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.