Domain Name System

NAME - dns-01 ACME challenge helper zone


$ curl ''
OK

$ curl -d 'secret=1SuperSecretPassphrase' -d 'txt=foo'
OK

$ sha224=$(echo -n '1SuperSecretPassphrase' | shasum -a 224 | cut -c 1-56)
$ dig $ txt +short
"foo"


The DNS zone is meant to ease the use of dns-01 ACME challenges in automated or batch TLS certificate issuance from certificate authorities such as Let's Encrypt.


Let challenge be a dns-01 ACME challenge validation string, secret be a strong password, and sha224 be the hex-encoded SHA-224 hash of secret (56 hexadecimal characters, as produced by the shasum pipeline in the synopsis).

A GET, POST, or PUT request to with secret=secret and txt=challenge, passed as URL query parameters (or, for POST and PUT, as form values), temporarily adds challenge as a TXT record to the domain . On success the endpoint responds with body OK and status code 201; treat any other status or body as a failed update.

A GET, POST, or PUT to with only secret=secret specified responds with body and makes no update. is meant to be the target of a CNAME record at your "_acme-challenge" subdomain.

The secret is the only thing that authorizes updates, and its SHA-224 label is visible to anyone who resolves your CNAME, so treat it like a DNS API credential: whoever knows it can publish challenge records for every name whose _acme-challenge CNAME points at that subdomain, and thereby obtain certificates for those names. Because the hash is public, a weak secret can be guessed offline from it, which is why it must be a strong one.

Remember to URL-encode the secret in your requests if it contains special characters (see curl's "--data-urlencode" option), and prefer sending it as a POST or PUT form value rather than in the query string so it stays out of URLs and access logs.


Say you want to obtain a wildcard TLS certificate for from Let's Encrypt using Certbot.

First, pick a strong password. We'll use "1SuperSecretPassphrase", but you shouldn't.

Add a CNAME record at your "_acme-challenge" subdomain pointing to the subdomain of whose label is the SHA-224 hash of "1SuperSecretPassphrase". It should look similar to:


Now, when Let's Encrypt queries for the challenge TXT record, it will follow the CNAME to 9afcdf… We can give Certbot a hook command that adds the challenge TXT record to that subdomain automatically:

$ certbot certonly \
    --manual \
    --manual-auth-hook 'curl "$CERTBOT_VALIDATION"' \
    --preferred-challenges dns \
    -d \
    -d '*'

Certbot exports each challenge value in the CERTBOT_VALIDATION environment variable and runs the hook once per name. Requesting both the base name and the wildcard produces two dns-01 challenges at the same "_acme-challenge" name, so both TXT values must be present when Let's Encrypt validates; before relying on this in a batch job, confirm with dig (as in the synopsis) that the helper zone keeps both records rather than replacing one with the other.
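The whole procedure above (derive the SHA-224 label, build the CNAME target, publish the challenge with the secret URL-encoded in a POST body, insist on the documented 201/OK reply, and wait until the TXT record is actually resolvable before handing control back to Certbot) as a single manual-auth-hook script. This is an added example, not code from the page or from the zone's operator. The helper zone name HELPER_ZONE, the update endpoint UPDATE_URL, the ACME_HELPER_SECRET environment variable and the public resolver used for polling are assumptions standing in for the values the page leaves out; dig must be on PATH for the polling step.

```python
#!/usr/bin/env python3
"""Certbot --manual-auth-hook for a dns-01 helper zone of the kind described above.

Added example; the zone name, endpoint and secret variable below are hypothetical.
"""
import hashlib
import os
import subprocess
import sys
import time
import urllib.parse
import urllib.request

# Assumptions (hypothetical; substitute the real helper zone and endpoint):
HELPER_ZONE = "acme-helper.example"          # hosts <sha224>.<HELPER_ZONE>
UPDATE_URL = "https://acme-helper.example/"  # accepts secret= and txt=
POLL_RESOLVER = "8.8.8.8"                    # any public recursive resolver


def sha224_label(secret: str) -> str:
    """Hex SHA-224 of the secret: the 56-character DNS label naming your
    subdomain, equal to `echo -n secret | shasum -a 224 | cut -c 1-56`."""
    return hashlib.sha224(secret.encode("utf-8")).hexdigest()


def cname_target(secret: str, zone: str = HELPER_ZONE) -> str:
    """Fully qualified name your _acme-challenge CNAME should point at."""
    return f"{sha224_label(secret)}.{zone}."


def build_update(secret: str, challenge: str, base_url: str = UPDATE_URL):
    """Return (url, body) for a POST that publishes challenge as a TXT record.

    The secret travels in the form body, not the query string, so it stays out
    of URLs and access logs; urlencode() escapes special characters the same
    way curl's --data-urlencode does in the shell examples.
    """
    body = urllib.parse.urlencode({"secret": secret, "txt": challenge})
    return base_url, body.encode("ascii")


def http_post(url: str, body: bytes):
    """Real transport: returns (status_code, response_text)."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, resp.read().decode("utf-8", "replace").strip()


def publish(secret: str, challenge: str, base_url: str = UPDATE_URL, post=http_post):
    """Publish the challenge; succeed only on the documented 201 / OK reply."""
    url, body = build_update(secret, challenge, base_url)
    status, text = post(url, body)
    if status != 201 or text != "OK":
        raise RuntimeError(f"helper zone rejected update: {status} {text!r}")
    return True


def txt_values(dig_output: str):
    """Parse `dig ... txt +short` output into the set of TXT strings."""
    values = set()
    for line in dig_output.splitlines():
        line = line.strip()
        if len(line) >= 2 and line.startswith('"') and line.endswith('"'):
            values.add(line[1:-1])
    return values


def wait_for_txt(name: str, challenge: str, attempts: int = 12, delay: int = 5) -> bool:
    """Poll a public resolver until the TXT record is visible, so the hook only
    returns once Let's Encrypt can actually see the challenge."""
    for _ in range(attempts):
        out = subprocess.run(["dig", f"@{POLL_RESOLVER}", name, "txt", "+short"],
                             capture_output=True, text=True, check=False).stdout
        if challenge in txt_values(out):
            return True
        time.sleep(delay)
    return False


if __name__ == "__main__":
    secret = os.environ["ACME_HELPER_SECRET"]   # hypothetical; never put it on the command line
    challenge = os.environ["CERTBOT_VALIDATION"]  # set by Certbot for each challenge
    publish(secret, challenge)
    if not wait_for_txt(cname_target(secret).rstrip("."), challenge):
        sys.exit("challenge TXT record not visible yet; aborting validation")
```

Invoke it as `--manual-auth-hook /path/to/hook.py` with ACME_HELPER_SECRET exported in the environment; with both the base name and the wildcard requested, Certbot calls the hook twice with different CERTBOT_VALIDATION values, and the polling step verifies that each one is resolvable at the CNAME target before validation proceeds.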