DNS Challenges and NS Delegation


I’m hoping I’ve put this in the right place.

Due to many reasons, dynamic DNS updates aren’t permitted to the main zone for one of my customers (their main infrastructure zone, which all the servers have hostnames inside). They require every server to have SSL (including internal servers which aren’t public-facing in any way). Yes, they should be doing their own CA, but want to consider using LE with DNS challenges.

We looked at the details of ACME, and worked out that currently, it ought to be possible to issue certs by pointing _acme-challenge.<domain> to a different nameserver (one which does allow Dynamic DNS for that zone) and then using that to do a dynamic DNS update.

I decided to set up a test VM to prove this theory (playground.dchosted.net), which seems to work.

_acme-challenge.playground.dchosted.net has a pair of NS records for ns1 and ns2 (dot) dchosted.net to delegate the zone over.
_acme-challenge.playground.dchosted.net then has the relevant ACME challenge TXT record as an @ record in the domain.

My client has asked, though, is this permitted by design (and will therefore continue to work), or are we likely to see a patch to the CAs to prevent this? I can see arguments for either way, and I’m not sure which is more sensible.

Thanks in advance for your input and thoughts.
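As an added example (not from the original post or from Let's Encrypt), the setup described above in Python: the NS records the parent zone needs for the delegation, the DNS-01 TXT value the CA expects (derived from the challenge token and the account key per RFC 8555 and RFC 7638), the nsupdate batch that publishes it at the apex of the delegated zone, and the check a resolver following the delegation would make. The JWK, token and TSIG key are constructed placeholders; the nameserver names are the ones from the post.

```python
import base64
import hashlib
import json

# Nameservers that accept dynamic updates for the delegated challenge zone (from the post).
DELEGATED_NS = ("ns1.dchosted.net", "ns2.dchosted.net")
TTL = 60  # short TTL so a re-issued challenge becomes visible quickly


def challenge_name(hostname: str) -> str:
    """DNS-01 validation name: '_acme-challenge.' prefixed to the identifier (RFC 8555 s8.4)."""
    return "_acme-challenge." + hostname.rstrip(".")


def delegation_records(hostname: str) -> list:
    """NS records the parent zone must carry so the CA's resolver follows the delegation."""
    owner = challenge_name(hostname) + "."
    return [f"{owner} IN NS {ns}." for ns in DELEGATED_NS]


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value the CA looks for: base64url(SHA-256(token '.' JWK-thumbprint)), unpadded."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[account_jwk["kty"]]
    canonical = json.dumps({k: account_jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    thumbprint = _b64url(hashlib.sha256(canonical.encode()).digest())  # RFC 7638 thumbprint
    return _b64url(hashlib.sha256(f"{token}.{thumbprint}".encode()).digest())


def nsupdate_batch(hostname: str, txt_value: str, tsig: str = None) -> str:
    """nsupdate input that writes the TXT at the apex of the delegated zone.
    The challenge name is itself the delegated zone, so the record owner equals the zone."""
    zone = challenge_name(hostname) + "."
    lines = [f"server {DELEGATED_NS[0]}"]
    if tsig:
        lines.append(f"key {tsig}")  # form: hmac-sha256:<keyname> <base64 secret>; placeholder here
    lines += [f"zone {zone}", f'update add {zone} {TTL} IN TXT "{txt_value}"', "send"]
    return "\n".join(lines) + "\n"


def challenge_published(txt_strings, expected: str) -> bool:
    """What the CA decides after following the NS chain: is any TXT string the expected value?"""
    return any(s.strip('"') == expected for s in txt_strings)


if __name__ == "__main__":
    jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}  # constructed, not a real key
    value = dns01_txt_value("constructed-token", jwk)
    print("\n".join(delegation_records("playground.dchosted.net")))
    print(nsupdate_batch("playground.dchosted.net", value, "hmac-sha256:acme-update PLACEHOLDER_SECRET"))
```

Feed the batch to `nsupdate` on a host that holds the TSIG key, then confirm with `dig TXT _acme-challenge.<domain>` from outside before asking the CA to validate.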



I’ve just found https://www.ietf.org/mail-archive/web/acme/current/msg00920.html - so that sounds like that’s expected and “supported”.

Would welcome feedback from anyone with any suggestions otherwise.


It is permitted by design and we wouldn’t change our position on this or break renewals using this approach without announcing it ahead of time and working to ensure minimal disruption.

