Netgate Discussion Forum
    Let's Encrypt support for DNS-01 with CNAME redirect

    • gregb

      It is possible with DNS-01 to have a CNAME record to redirect the auth request to another DNS record. This means that it is possible to have a different authentication zone. I can see many reasons you might want to do this. My current reason is that the zone I want to use is hosted on NSD (which I want to keep), but doesn't easily support dynamic zone updates. It also means that production zones don't need dynamic updates (just a one-off static CNAME record).

      This requires a small tweak to the registration of the auth TXT record, where a CNAME record is queried first. If the CNAME exists, then the name used for the TXT needs to be rewritten to that name.

      e.g. for a cert 'name.example.com', the following moves the authentication zone to 'acme.example.com'

      _acme-challenge.name.example.com. IN CNAME  _acme-challenge.name.acme.example.com

      then the auth script would need to register the token against the name '_acme-challenge.name.acme.example.com'.

      Are there plans to add this redirect style support please?

      example bash script:

      # DIG defaults to the dig binary on PATH if the caller has not set it
      DIG="${DIG:-dig}"

      # Print the CNAME target of a name if one exists, otherwise the name
      # itself as an FQDN (trailing dot added).
      function resolve_cname {
          local domain="$1"
          local cname
          cname=$("${DIG}" +short "${domain}" CNAME)
          echo "${cname:-${domain%.}.}"
      }
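      The lookup described above, carried one step further, as an added example that is not part of the original post: it follows a CNAME chain of any length (rather than a single hop), refuses loops, and then checks that the token is published at the resulting name. The resolver is pluggable (`LOOKUP`), so the constructed zone table embedded here runs offline; `lookup_dig` is the real path and `DIG` is assumed to be `dig`.

```shell
#!/usr/bin/env bash
# Resolve _acme-challenge.<domain> through its CNAME chain to the name the
# TXT record must be published at, then confirm the token is present there.
set -u
DIG="${DIG:-dig}"

# Real resolver: lookup_dig NAME TYPE -> prints dig +short answer(s)
lookup_dig() { "$DIG" +short "$1" "$2"; }

# Constructed zone data for offline use (not real records); the loop pair
# exists only to exercise the loop detection below.
TABLE="_acme-challenge.name.example.com. CNAME _acme-challenge.name.acme.example.com.
_acme-challenge.name.acme.example.com. TXT \"token-for-name\"
_acme-challenge.loop.example.com. CNAME _acme-challenge.loop2.example.com.
_acme-challenge.loop2.example.com. CNAME _acme-challenge.loop.example.com."
lookup_table() {
    printf '%s\n' "$TABLE" | awk -v n="$1" -v t="$2" '$1==n && $2==t {print $3}'
}

# Which resolver to use; override with LOOKUP=lookup_table for offline runs
LOOKUP="${LOOKUP:-lookup_dig}"

# Normalise a name to an FQDN with a trailing dot
fqdn() { case "$1" in *.) printf '%s\n' "$1";; *) printf '%s.\n' "$1";; esac; }

# acme_txt_target DOMAIN [MAXHOPS]: print the FQDN to publish the TXT at.
# Returns 1 on a CNAME loop or a chain longer than MAXHOPS (default 8).
acme_txt_target() {
    local name hops=0 max="${2:-8}" seen=" " target
    name=$(fqdn "_acme-challenge.$1")
    while :; do
        case "$seen" in *" $name "*) echo "CNAME loop at $name" >&2; return 1;; esac
        seen="$seen$name "
        target=$("$LOOKUP" "$name" CNAME)
        if [ -z "$target" ]; then printf '%s\n' "$name"; return 0; fi
        hops=$((hops + 1))
        if [ "$hops" -gt "$max" ]; then echo "too many CNAME hops" >&2; return 1; fi
        name=$(fqdn "$target")
    done
}

# challenge_visible DOMAIN TOKEN: 0 if the TXT at the resolved target equals
# TOKEN (quotes around the TXT data are stripped before comparing).
challenge_visible() {
    local target
    target=$(acme_txt_target "$1") || return 1
    "$LOOKUP" "$target" TXT | tr -d '"' | grep -qx -- "$2"
}
```

      With the real resolver, the final check is the same query an ACME server makes: a TXT lookup on the original `_acme-challenge` name, which any recursive resolver follows through the CNAME.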
      • jimp (Rebel Alliance Developer, Netgate)

        Not yet, but it's something I'd like to add to the package eventually.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.