DNS Question: Subdomain Delegation with CNAME record

We are using GoDaddy as the DNS provider for our domain. GoDaddy does not provide tools to let you automate using somebody else's certificates.

So, I want to delegate the _acme-challenge subdomain to Amazon Route 53.

From what I've read, there are two ways to do this: with NS records and with a CNAME record.

I think I understand how to do this with a NS records -- I create a new Route 53 hosted zone and record the NS servers it is using. Then back in GoDaddy, I create multiple NS records named _acme-challenge whose value is the name of the NS servers in the Route 53 hosted zone.

How does it work with a CNAME record? What would I point it to?

1 Like

While GoDaddy doesn't have tools help you automate the deployment of 3rd party certs, they do have a REST API for DNS record manipulation. So you don't necessarily have to direct your challenges somewhere else.

In any case, the CNAME record can technically point to any existing TXT record that you can modify. It doesn't have to be called _acme-challenge or anything related.


I cannot find any GoDaddy API for modifying or deleting single records.

So I while could automate adding a record the first time, I'd have to manually delete it before next time.

Could you help me understand better how pointing a CNAME to a TXT record would work?

In my GoDaddy domain, would I create an _acme-challenge.<MY_DOMAIN> CNAME that points to a TXT record in an AWS Route 53 account that I control? What would the value of the CNAME be in order to do that?

1 Like

Heh, yeah. Their REST API is not the most straightforward to work with for sure. It is possible to effectively delete a record though. You're essentially doing a PUT for the set of records that match the name and type of the one you want to delete but without the data value for the one you're removing.

In any case, CNAMEs. So you'd create a CNAME record on the GoDaddy side for _acme-challenge.example.com that points to (for instance) acme.myr53domain.com (a TXT record and the value doesn't matter, could be empty). Then you basically tell your client that DNS challenges for example.com should be written to acme.mr53domain.com and give it the Route53 credentials. It then writes the challenge value directly to Route53 and never touches GoDaddy. How you tell your client about the alias depends a lot on which client it is.