Let's Encrypt support for DNS-01 with CNAME redirect

  • It is possible with DNS-01 to have a CNAME record to redirect the auth request to another DNS record. This means that it is possible to have a different authentication zone. I can see many reasons you might want to do this. My current reason is that the zone I want to use is hosted on NSD (which I want to keep), but doesn't easily support dynamic zone updates. It also means that production zones don't need dynamic updates (just a one-off static CNAME record).

    This requires a small tweak to the registration of the auth TXT record, where a CNAME record is queried first. If the CNAME exists, then the name used for the TXT needs to be rewritten to that name.

    e.g. for a cert 'name.example.com', the following moves the authentication zone to 'acme.example.com'

    _acme-challenge.name.example.com. IN CNAME  _acme-challenge.name.acme.example.com

    then the auth script would need to register the token against the name '_acme-challenge.name.acme.example.com'.

    Are there plans to add this redirect style support please?

    example bash script:

    # Print the CNAME target of $1 if one exists, otherwise $1 itself, fully qualified.
    # DIG defaults to "dig" if the calling script has not set it.
    function resolve_cname {
        local domain="$1"
        local cname=$( "${DIG:-dig}" +short "${domain}" CNAME )
        echo "${cname:-${domain%.}.}"
    }
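A fuller version of that lookup, added here as an example and not taken from the post or from the pfSense ACME package: it follows the whole CNAME chain from _acme-challenge.<domain> with a hop limit so a looped or misconfigured redirect fails instead of hanging. The stub zone in stub_cname is a constructed sample so the script runs offline; dig_cname is the real resolver for a host with DNS access, and both function names are assumptions.

```bash
#!/bin/sh
# Added example: find the name the DNS-01 TXT record must be written to,
# following CNAME redirects from _acme-challenge.<domain>.

# Real resolver: prints the CNAME target of $1, or nothing if it has no CNAME.
dig_cname() { dig +short "$1" CNAME; }

# Constructed sample zone for offline use: the post's example, a second-level
# alias, and a deliberate CNAME loop to exercise the hop limit.
stub_cname() {
    case "$1" in
        _acme-challenge.name.example.com.)   echo "_acme-challenge.name.acme.example.com." ;;
        _acme-challenge.alias.example.com.)  echo "_acme-challenge.name.example.com." ;;
        _acme-challenge.loop-a.example.com.) echo "_acme-challenge.loop-b.example.com." ;;
        _acme-challenge.loop-b.example.com.) echo "_acme-challenge.loop-a.example.com." ;;
        *) ;;
    esac
}

# resolve_acme_name <domain> [max_hops]
# Prints the fully-qualified name to publish the TXT record at.
# Returns 1 when the chain exceeds max_hops (default 8), i.e. a CNAME loop.
resolve_acme_name() {
    local domain="$1" max_hops="${2:-8}" hops=0 target
    local name="_acme-challenge.${domain%.}."
    local lookup="${CNAME_LOOKUP:-dig_cname}"
    while target=$("$lookup" "$name") && [ -n "$target" ]; do
        hops=$((hops + 1))
        if [ "$hops" -gt "$max_hops" ]; then
            echo "CNAME chain for $domain exceeds $max_hops hops" >&2
            return 1
        fi
        name="${target%.}."   # normalise to exactly one trailing dot
    done
    printf '%s\n' "$name"
}

# Demo against the constructed zone; set CNAME_LOOKUP=dig_cname for real DNS.
CNAME_LOOKUP=stub_cname
resolve_acme_name name.example.com    # _acme-challenge.name.acme.example.com.
resolve_acme_name plain.example.com   # _acme-challenge.plain.example.com.
```

The name printed is what the auth script must register the token against; the loop guard is the one check a one-shot `dig +short` CNAME lookup does not give you.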

  • Rebel Alliance Developer Netgate

    Not yet, but it's something I'd like to add to the package eventually.

