Help understanding DNS-01 domain delegation

Hey,

I'm just looking for a bit of clarity on how the dns delegation works with acme/dns-01.
I've had a look at some other threads and couldn't really find a clear answer.
Currently I have cert-manager running inside a k8s cluster using letsencrypt.
I have it using dns-01 via route53 to an isolated subdomain so credentials are restricted.
E.g certs.example.com

I want users to be able to self service certificates easily for our domain.

In the main example.com zone I have the _acme-challenge cname.
_acme-challenge.example.com CNAME _acme-challenge.certs.example.com

Where I am getting a bit lost is this allows me to only generate the exact domain name "example.com" or a wildcard "*.example.com"
For any other domain name i require additional aliases?
E.g
_acme-challenge.myapp.example.com CNAME _acme-challenge.certs.example.com
_acme-challenge.webapp2.example.com CNAME _acme-challenge.certs.example.com

So if I want to allow my users to generate certs easily for any app they make in k8s, they would either have to use a wildcard or we would have to make a CNAME every time they need a new domain name for an application?
Is there a way to simply delegate all requests for a domain to a subdomain without needing a CNAME for every single required fqdn?

Or am I possibly looking at the wrong implementation or letsencrypt for my use case?

2 Likes

Name reduction only happens when you can group similar names within a single wildcard.
Then you can CNAME the _acme-challenge entry required for that wildcard (and all others) to any other FQDN.
Otherwise, you will likely need one-for-one CNAME entries for each name requiring a cert.
[some can be grouped in DNS with the "*" - but that usually fails for root folder domain entries]

Example:

Can all be easily CNAMED with:
*.us.company.com > some.other.domain.name

But it is not so easy with:

As trying to create *.company.com would overlap/conflict with many required DNS entries in that zone.

And to answer your question:
No. There is no simple way to delegate all requests.

3 Likes

That's awesome, thank you @rg305 for that response.
That clears things up for me!

3 Likes