DNS providers who easily integrate with Let's Encrypt DNS validation

In the spirit of Web Hosting who support Let's Encrypt and CDN Providers who support Let's Encrypt, I wanted to compile a list of DNS providers that feature a workflow (e.g. an API and existing ACME client integrations) that is a good fit for Let's Encrypt's DNS validation.

It should serve as a signpost for those who want to use DNS validation (wildcards, firewall problems) and are looking for an automatic solution.

FYI: The DNS hosts listed here are ones that are confirmed to support automated certificate issuance and renewal with existing ACME clients. Although it is technically possible to issue and renew certificates by manually updating TXT records every 60-90 days, it is not a recommended way to use Let's Encrypt DNS validation.

FYI: Your DNS host is not the same place where you register your domain (but it can be). Your DNS host is where you manage your DNS records and where your domain's nameservers point. You can change DNS hosting at any time, for free.

Criteria for inclusion:

1. It must support automation for all users (i.e. it has an API and the API is not restricted to certain users)
2. At least one ACME client must support it (indirect support like Lexicon is OK) or a published hook for an ACME client must exist for it
3. DNS updates must apply reasonably quickly: within 30 minutes

The List

Wiki instructions:

Please list DNS Hosting providers first by their type ('DNS Host', 'Domain Registrar', 'Web Host' or 'Self-Hosted') and then alphabetically.

For the 'Cost' column, please include the lowest cost to host a zone where any ACME client can perform automatic DNS validation.

For the 'ACME Client Support' column, feel free to include other ACME clients, but please make a reasonable and honest effort to keep the order of the clients in descending popularity (e.g. Certbot should always be first). Covering all platforms (UNIX-likes + Windows) is a good target also.

NameCheap is intentionally not included because they do not open API access unless some opaque requirements are met (spend at least $x), failing the first criteria.

acme.sh supported more than 60 dns apis:

I think you can add more here.

Thanks.

There are quite a few listed that are non-English, I would appreciate it if native speakers would be able to confirm cost and absence of other conditions to API access. The post is a wiki that anybody can edit.

Oh, I didn’t noticed that everyone can edit your post.

I will edit it soon.

Thanks.

Hi @_az

Where can I find the full dns support list of certbot ?

Thanks.

I’m not sure what the official reference is - I just looked at the certbot-dns-* directories in https://github.com/certbot/certbot/tree/master/ . I have not included every one of them, as they were also in other languages and I wasn’t able to confirm their nature.

Hi @_az ,
I just added some, would you please take a look?
please let me know if you have any thoughts.

I will add more later.

Thanks.

Linode’s DNS service is no extra cost for customers, but not available for free in general like something like dns.he.net.

Thanks

Thanks a lot. If you do not mind, I moved all the "selfhosted" software to the bottom of the list, since they are not really DNS Providers. But if you think they are worth including then that sounds OK to me.

Also, is the "reseller-only" comment about do.de accurate? I notice that acme.sh implements do.de twice - once for reseller API, once for consumer API. Is that the right interpretation?

ahhhh, yes, you are correct. I just removed the comment.
Thanks

Just another question: It will be better to add the providers not in alphabetically.
You know it’s really a pain to add 60+ providers alphabetically.
I would suggest to just append to the end.
what do you think?

I think it helps readability a lot. I’ll be happy to sort them occasionally if you want to just append to end.

That will be good.

but I don’t agree with you that it help a lot about the readability.
If I were a user to check the list, I won’t read the list(It’s also a pain to READ such a list, even alphabetically, the list will be too loooooong to read, just try it), instead, I just press Ctrl+F and search my dns provider name.

Let me know what you think.
Thanks.

The Aliyun entry indicates it is Chinese only. However, Alibaba Cloud DNS appears to be the english equivalent site. The URL for the DNS management console (for example) is https://dns.console.aliyun.com/#/dns/domainList (and ultimatley what I used to develop Posh-ACME’s plugin for it).

Not sure if that means we should remove “Chinese Only” or add something like “English supported via Alibaba Cloud”.

Is the “Domain Registrar” tag supposed to imply it’s primarily or only a domain registrar or just that it happens to provide registrar services as well?

P.S. Thanks for this! It has been sorely needed for some time.

The thought occurs to me that it might help to separate providers that are basically just Domain Registrars with an API versus everyone else. These tend to be less useful to potential LE users because it requires either buying the domain directly from them or at least transferring the domain to them which can be a bit of a hassle (particularly if you're trying to help a another person move to that provider).

It might also be useful to differentiate between providers whose primary business is DNS hosting versus more generic cloud providers who happen to have a DNS hosting option. But that's probably less important. The main distinction should probably be whether you can simply point NS records from your existing registrar to this provider or whether you have to do a domain transfer in order to get your zone hosted with them.

Dynamic DNS providers where you must use their domain name might also be a useful separation.

(Man, this is why I never started a thread like this myself...too many complications)

Yeah! That's what I wanted to achieve. . Any reader should be able to show up to the thread and pick out a new DNS provider for their domain without strings attached.

ISTM everything like DuckDNS, Yandex.Mail, StackPath etc should be removed, along with all the self-hosted stuff, and arguably all the registrars and web hosts too. Otherwise the list is just a compatibility matrix. But I'm afraid to pull the plug on that so early on.

Thanks, re-organized it and added English links.

I notice that every entry (with two exceptions, StackPath and cPanel) is supported by acme.sh. In the interest of simplifying the list, might it be better to note something like “unless noted otherwise, all of the following are supported by acme.sh”, and then removing it from the relevant entries?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.