Follow up of "DNS providers who easily integrate with Let’s Encrypt DNS validation"

original post: DNS providers who easily integrate with Let's Encrypt DNS validation

I was experimenting different free DNS hosting providers that have API support, and below is my testing result.

Requirement: I want to CNAME _acme-challenge to a separate zone (e.g. CNAME to, and is a delegated zone), so that I can scope the API key to this zone only.
ref: A Technical Deep Dive: Securing the Automation of ACME DNS Challenge Validation | Electronic Frontier Foundation

  1. DigitalOcean
    The API key cannot be scoped. As long as you have the key you have full access to ALL resources, not limited to DNS. To mitigate this you would need to create a new account specifically for However even doing so this still does not prevent a malicious user having the key to create resources under this new account.

  2. Cloudflare
    You simply cannot add subdomain to cloudflare. It only allow you to add root domain Unable to delegate domain means you cannot scope the API key to limit your acme client access. The API key will have to access to your full zone, which you want to avoid. (And in this case you would not need to CNAME _acme-challenge too.)
    (Note: Subdomain Zones (LTZ) is only available in Enterprise Plan, which you need to contact a sales and no standard pricing.)

  3. OVH
    It meets all the requirements. You can create a delegated subdomain, API key can be scoped too, however the documentation is insufficient on how to create and scope the API key. And there is totally no documentation on how to destroy the key. At last I have to visit the API catalog directly on finding the required API to destroy the key.

  4. DeSec
    It also meets all the requirements. Easy to use. I would give it almost full marks. There are still areas of improvement, but these are not blockers.

    • You need to find the key ID to use the API, however the key ID can only be found in the confirmation dialog when you press the "Delete" button. (Of course you will cancel the delete dialog after figuring out the key ID)
    • Scoping the API key requires direct API access, which means that you need to create another API key and granting this API key with "Manage Tokens" privilege. Then you will use this "uber API key" to call with key scoping API to scope the API key you will use in your acme client.
1 Like

You can delegate a subdomain somewhere else by adding your own NS records. You just can't host the delegated subdomain within Cloudflare.

A separate root domain works just as well as a subdomain for challenge delegation though. And you can limit the API key to just that domain which is fine if all you're using it for is challenge delegation. Also still free if you don't count the cost of the extra domain registration.

With OVH you can scope an API key all the way down to the individual record level which allows you to theoretically skip the delegation entirely and just grant direct access to pre-created TXT records you know you will be updating. Though it's a PITA to setup and Posh-ACME might be the only ACME client that has native support for using it that way.

LuaDns is another provider with a free tier that I think might satisfy your requirements. is free for the first 20 million queries/month. Don't recall what their API scoping options look like though.


Yes, I mean hosting the subdomain itself on Cloudflare, because I am evaluating the API functionality of different providers.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.