[Pdns-users] Web API for dns-01 challenge (_acme-challenge subdomains)

Brian Candler b.candler at pobox.com
Mon Jul 8 16:03:55 UTC 2019

On 08/07/2019 14:31, Dominik Menke wrote:
> Just for clarification, in your example.com zone, you have an NS 
> record pointing to your "challenge DNS server", i.e.
>     _acme-challenge       IN   NS   nsacme.example.org.
> right? What about subdomains of example.com? Won't they need an NS 
> record as well?
>     _acme-challenge.db    IN   NS   nsacme.example.org.
>     _acme-challenge.git   IN   NS   nsacme.example.org.
>     ; etc. 

That's correct: a separate NS record for each domain you want a 
certificate for.  This is static, so you just add it manually the first 
time you want a certificate.

The top-level one should also allow you to get a wildcard certificate 
but I've not tried that yet.

Note that if you have split DNS, e.g. where "int.example.org" is an 
internal domain on hidden private DNS servers, then on the outside you 
can just have a single NS record:

int    IN    NS    nsacme.example.org.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20190708/f16f01c4/attachment.html>

More information about the Pdns-users mailing list