Help understanding DNS-01 domain delegation


I'm just looking for a bit of clarity on how DNS delegation works with ACME DNS-01.
I've had a look at some other threads and couldn't really find a clear answer.
Currently I have cert-manager running inside a k8s cluster using Let's Encrypt.
I have it using DNS-01 via Route 53 to an isolated subdomain so credentials are restricted.

I want users to be able to self service certificates easily for our domain.

In the main zone I have the _acme-challenge CNAME.

Where I am getting a bit lost is that this only allows me to generate the exact domain name "" or a wildcard "*".
For any other domain name, do I require additional aliases?

So if I want to allow my users to generate certs easily for any app they make in k8s, they would either have to use a wildcard or we would have to make a CNAME every time they need a new domain name for an application?
Is there a way to simply delegate all requests for a domain to a subdomain without needing a CNAME for every single required fqdn?

Or am I possibly looking at the wrong implementation or letsencrypt for my use case?


Name reduction only happens when you can group similar names within a single wildcard.
Then you can CNAME the _acme-challenge entry required for that wildcard (and all others) to any other FQDN.
Otherwise, you will likely need one-for-one CNAME entries for each name requiring a cert.
[Some can be grouped in DNS with the "*", but that usually fails for root domain entries.]


can all be easily CNAMEd with:
* >

But it is not so easy with:

as trying to create * would overlap/conflict with many required DNS entries in that zone.

And to answer your question:
No. There is no simple way to delegate all requests.
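The one-for-one rule above, worked through as an added example (not from the thread or from cert-manager): given the names a user wants certificates for, it derives the `_acme-challenge` owner each one is validated at and emits the CNAME records the main zone needs, collapsing names that a requested wildcard already covers. The delegated zone `acme.example.net` and the target naming scheme `<owner>.<delegated zone>.` are assumptions; cert-manager's own CNAME-following behaviour and the real zone names are whatever you configure.

```python
"""Plan the _acme-challenge CNAME records needed to delegate DNS-01 validation.

Models the rule from the thread: every name to be certified needs its own
_acme-challenge record unless a requested wildcard already covers it.
"""
from __future__ import annotations
from typing import Iterable


def challenge_owner(name: str) -> str:
    """Owner name the ACME CA queries for the TXT record.

    A wildcard *.x is validated at _acme-challenge.x, the same owner as x itself,
    so "example.com" and "*.example.com" share one record.
    """
    host = name[2:] if name.startswith("*.") else name
    return f"_acme-challenge.{host}"


def covered_by_wildcard(name: str, wildcard: str) -> bool:
    """A certificate for *.x covers exactly one extra label below x, never x itself
    and never names two or more labels deep."""
    if not wildcard.startswith("*.") or name.startswith("*."):
        return False
    parent = wildcard[2:]
    head, sep, tail = name.partition(".")
    return sep == "." and head != "" and tail == parent


def plan_cnames(names: Iterable[str], delegated_zone: str) -> dict[str, str]:
    """Return {owner: target} CNAME records, one per distinct challenge owner.

    Names already covered by a requested wildcard are grouped under it, so the
    record count shrinks only where a wildcard applies (the thread's point).
    """
    wanted = sorted(set(names))
    wildcards = [n for n in wanted if n.startswith("*.")]
    records: dict[str, str] = {}
    for name in wanted:
        if any(covered_by_wildcard(name, w) for w in wildcards):
            continue  # served by the wildcard cert; no extra CNAME needed
        owner = challenge_owner(name)
        # Assumed delegation scheme: point into the isolated, credential-restricted zone.
        records[owner] = f"{owner}.{delegated_zone}."
    return records


if __name__ == "__main__":
    # Constructed sample request: apex + wildcard, one app, one deeper name, a second zone.
    sample = ["example.com", "*.example.com", "app.example.com",
              "a.b.example.com", "ops.example.org"]
    for owner, target in plan_cnames(sample, "acme.example.net").items():
        print(f"{owner}.\tCNAME\t{target}")
```

Running it shows three records rather than five: `app.example.com` rides on the wildcard, while `a.b.example.com` and `ops.example.org` each still need their own CNAME.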


That's awesome, thank you @rg305 for that response.
That clears things up for me!

