DNS validation

DNS validation works as follows:

  • For each domain, e.g. sub.example.com, the ACME server provides a challenge consisting of an x and a y value. The truth is actually a little more complicated than that, but for the sake of this explanation it will suffice.
  • The client has to make sure that when the ACME server requests the TXT records for _acme-challenge.sub.example.com, there is at least one record called x with content "y".
  • There may be more than one validation lookup for the same token, e.g. from different locations or over different protocols (IPv4/IPv6).
  • Let’s Encrypt validates the DNSSEC chain.
  • Let’s Encrypt follows CNAME records and respects delegated authority.
  • Let’s Encrypt does not disclose the source locations of these lookups, which effectively means that the DNS records have to be public, at least for the duration of the validation.
Plugins

  • acme-dns: Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
  • Aliyun: Create verification records in Aliyun DNS
  • Azure DNS: Create verification records in Azure DNS
  • Cloud DNS: Create verification records in Google Cloud DNS
  • Cloudflare: Create verification records in Cloudflare DNS
  • Custom script: Create verification records with your own script
  • DigitalOcean: Create verification records on DigitalOcean
  • DNS Made Easy: Create verification records in DnsMadeEasy DNS
  • DNSExit: Create verification records in DNSExit DNS
  • Domeneshop: Create verification records in Domeneshop DNS
  • DreamHost: Create verification records in DreamHost DNS
  • GoDaddy: Create verification records in GoDaddy DNS
  • Hetzner: Create verification records in Hetzner DNS
  • Infomaniak: Create verification records in Infomaniak DNS
  • Linode: Create verification records in Linode DNS
  • LuaDNS: Create verification records in LuaDNS
  • Manual: Create verification records manually (auto-renew not possible)
  • NS1/NSONE: Create verification records in NS1 DNS
  • RFC2136: Create verification records using dynamic updates
  • Route 53: Create verification records in Route 53 DNS
  • Simply.com: Create verification records in Simply.com DNS
  • Tencent Cloud: Create verification records in Tencent DNS
  • TransIP: Create verification records at TransIP

Substitution / aliasing

If your goal is to get a certificate for example.com using DNS validation, but the DNS provider for that domain does not support automation and/or your security policy doesn’t allow third-party tools like simple-acme to access the DNS configuration, then you can set up a CNAME from _acme-challenge.example.com to another (sub)domain under your control that doesn’t have these limitations. acme-dns is based on this principle, but the same trick can be applied to any of the plugins.

Settings

Validation.PreValidateDns
If set to true, the program waits until it can verify that the validation record has been created and is available before asking the ACME server to begin DNS validation.

Type: boolean
Default: true

Validation.PreValidateDnsRetryCount
Maximum number of times to retry DNS pre-validation while waiting for the name servers to start providing the expected answer.

Type: number
Default: 5

Validation.PreValidateDnsRetryInterval
Amount of time in seconds to wait between retries.

Type: number
Default: 30

Validation.PreValidateDnsLocal
Normally the program verifies the existence of the TXT record by querying the authoritative DNS servers for the record. Changing this to true makes it also wait until at least one of the configured DnsServers sees the correct value, making the process potentially slower but more robust.

Type: boolean
Default: false

Validation.AllowDnsSubstitution
If your goal is to get a certificate for example.com using DNS validation, but the DNS service for that domain does not support automation, there is no plugin available for it and/or your security policy doesn't allow third-party tools like simple-acme to access the DNS configuration, then you can set up a CNAME from _acme-challenge.example.com to another (sub)domain under your control that doesn't have these limitations. acme-dns is based on this principle, but the same trick can be applied to any of the DNS plugins. Set this value to false to disable the feature.

Note that for the program to understand your DNS setup, the CNAME record has to be visible to it. If you have a complicated DNS setup with an internal-facing "split brain" that is lacking the relevant records, you can let simple-acme use a public DNS server like 1.1.1.1 instead of your system server using the next setting.

Type: boolean
Default: true

Validation.DnsServers
A list of servers to query during DNS pre-validation checks to verify whether or not the validation record has been properly created and is visible to the world. These servers are used to locate the actual authoritative name servers for the domain. You can use the string "[System]" to have the program query your default name servers.

Type: string[]
Default: [ "[System]" ]
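The following is an added example, not simple-acme's own code, that models the pre-validation check the settings above configure together with the CNAME substitution described under "Substitution / aliasing": it follows the CNAME chain from _acme-challenge.<domain> to the name that actually holds the TXT records, checks that at least one TXT record carries the expected value, and polls the configured resolvers with a retry count and interval. The resolver is a pluggable callable so the example runs offline against a constructed zone; the names, the lagging-resolver stand-in and the `expected-token-value` string are all assumptions made here for illustration.

```python
"""Added example (not simple-acme's own code) of a DNS-01 pre-validation check.
A `lookup(name, rtype) -> list[str]` callable stands in for a real resolver,
so everything below runs offline against constructed zone data."""
import time
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]

# Constructed sample zone (not real DNS). _acme-challenge.example.com is
# aliased via CNAME into a zone that does allow automation, which is the
# substitution/aliasing trick the documentation describes. The TXT set also
# contains a stale value from an earlier renewal, which must not break the check.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("_acme-challenge.example.com", "CNAME"): ["example.com.acme-alias.test"],
    ("example.com.acme-alias.test", "TXT"): ["stale-token-from-last-renewal", "expected-token-value"],
    ("_acme-challenge.loop.test", "CNAME"): ["_acme-challenge.loop.test"],  # misconfiguration
}


def sample_lookup(name: str, rtype: str) -> List[str]:
    """Resolver stand-in that answers from SAMPLE_ZONE."""
    return SAMPLE_ZONE.get((name.rstrip(".").lower(), rtype), [])


def resolve_challenge_name(name: str, lookup: Lookup, max_hops: int = 8) -> str:
    """Follow CNAMEs from the challenge name to the name that holds the TXT
    records (the substitution target). A loop or an over-long chain is an error
    rather than a hang, because a polling loop would otherwise never give up."""
    seen = set()
    current = name.rstrip(".").lower()
    for _ in range(max_hops):
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        targets = lookup(current, "CNAME")
        if not targets:
            return current
        current = targets[0].rstrip(".").lower()
    raise ValueError(f"CNAME chain from {name} exceeds {max_hops} hops")


def record_visible(domain: str, expected: str, lookup: Lookup) -> bool:
    """True when at least one TXT record at the (possibly aliased) challenge
    name equals the expected value; extra or stale records are tolerated."""
    target = resolve_challenge_name(f"_acme-challenge.{domain}", lookup)
    return expected in lookup(target, "TXT")


def prevalidate(domain: str, expected: str, lookups: List[Lookup],
                retry_count: int = 5, retry_interval: float = 30.0,
                sleep: Callable[[float], None] = time.sleep) -> Tuple[bool, int]:
    """Mirror of PreValidateDns with PreValidateDnsRetryCount/RetryInterval:
    one initial attempt plus up to `retry_count` retries, sleeping
    `retry_interval` seconds between them, until every resolver in `lookups`
    sees the record. Returns (success, attempts_made)."""
    attempts = 0
    for attempt in range(retry_count + 1):
        attempts = attempt + 1
        if all(record_visible(domain, expected, lk) for lk in lookups):
            return True, attempts
        if attempt < retry_count:
            sleep(retry_interval)
    return False, attempts


class LaggingResolver:
    """Constructed stand-in for a name server that has not yet picked up the
    new record: TXT answers are empty until the `visible_after`-th TXT query."""

    def __init__(self, inner: Lookup, visible_after: int) -> None:
        self.inner, self.visible_after, self.txt_queries = inner, visible_after, 0

    def __call__(self, name: str, rtype: str) -> List[str]:
        if rtype == "TXT":
            self.txt_queries += 1
            if self.txt_queries < self.visible_after:
                return []
        return self.inner(name, rtype)


if __name__ == "__main__":
    # Demo: the record becomes visible on the third poll; no real sleeping.
    slow = LaggingResolver(sample_lookup, visible_after=3)
    print(prevalidate("example.com", "expected-token-value", [slow], sleep=lambda s: None))
```

The `sleep` parameter is injected so the retry timing can be observed in tests without waiting; in real use it is the default `time.sleep`, and the `lookups` list would hold one resolver per configured DnsServers entry (plus the authoritative servers, when PreValidateDnsLocal is set).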

Looking for win-acme?

simple-acme is a backwards compatible, drop-in replacement built by the same person. Project history.