How to Delegate _acme-challenge With CNAME or NS

FindMyTeam April 6, 2026

Learn how DNS-01 challenge delegation works with CNAME or NS records, why teams delegate _acme-challenge to a separate zone, and when it helps with wildcard and multi-server certificate automation.

DNS-01 delegation sounds more exotic than it is.

In plain terms, it means you let some other DNS zone answer the _acme-challenge question instead of keeping that record in the main zone with everything else.

That can be a very good idea.

What Let’s Encrypt allows

For DNS-01, Let’s Encrypt follows normal DNS behavior. That means _acme-challenge can be delegated with either:

  • CNAME
  • NS

So yes, the TXT record can live somewhere else, as long as the public validation path reaches it correctly.

Why teams do this

Most teams reach for delegation when one of these starts hurting:

  • the main DNS provider is slow to update
  • the main DNS API key is too powerful to leave on an app server
  • wildcard issuance needs its own automation path
  • several systems need certificate automation without full control of the whole zone

That last point matters. Delegation is often a security and ownership decision as much as a convenience decision.

CNAME vs NS

CNAME delegation

This is the lighter option.

_acme-challenge.example.com points to another name, and the TXT record lives at that target. The public check still starts at _acme-challenge.example.com; the validator's resolver follows the CNAME and reads the TXT at the target, so that is where your automation writes it.

Use this when you want a simple handoff.

NS delegation

This is the stronger separation.

You delegate the _acme-challenge subtree itself to another set of authoritative nameservers. That makes the challenge space its own mini zone.

Use this when a separate platform or automation service should fully own the challenge namespace.
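As an added illustration, not code from the article, here is a small in-memory model of the path the validator walks in both cases above: a CNAME handoff and an NS-delegated subtree. The names, token and thumbprint are constructed, the TXT value is computed the way RFC 8555 defines it, and the 8-hop CNAME limit is an assumed guard, not a Let's Encrypt figure.

```python
# Added model (not the article's code): how a DNS-01 validator reaches the
# challenge TXT when _acme-challenge is delegated by CNAME or by NS. All names,
# tokens, thumbprints and zone data below are constructed for the example.
import base64
import hashlib

MAX_CNAME_HOPS = 8  # assumed guard against runaway or looping CNAME chains

def expected_txt(token, thumbprint):
    """RFC 8555 section 8.4: base64url(SHA-256(token '.' account key thumbprint))."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def authoritative_zone(name, zones):
    """Longest-suffix match: an NS-delegated child zone wins over its parent."""
    best = None
    for apex in zones:
        if (name == apex or name.endswith("." + apex)) and (best is None or len(apex) > len(best)):
            best = apex
    return best

def lookup_txt(name, zones, max_hops=MAX_CNAME_HOPS):
    """Return (final_name, txt_values), following CNAMEs like a resolver does."""
    chain = []
    for _ in range(max_hops):
        apex = authoritative_zone(name, zones)
        rrs = zones.get(apex, {}).get(name, [])
        txts = [v for rtype, v in rrs if rtype == "TXT"]
        if txts:
            return name, txts
        cnames = [v for rtype, v in rrs if rtype == "CNAME"]
        if not cnames:
            raise LookupError(f"no TXT or CNAME at {name}; chain {chain + [name]}")
        chain.append(name)
        name = cnames[0]
    raise LookupError(f"CNAME chain longer than {max_hops} hops: {chain}")

def validate(domain, token, thumbprint, zones):
    """True when the TXT reached via _acme-challenge.<domain> matches the token."""
    _, txts = lookup_txt(f"_acme-challenge.{domain}.", zones)
    return expected_txt(token, thumbprint) in txts

# Constructed zones: example.com hands off by CNAME to acme.example.net, while
# _acme-challenge.example.org is its own NS-delegated zone, so a stale TXT left
# below the cut in the parent is occluded and never what the validator sees.
TOKEN, THUMB = "constructed-token", "constructed-thumbprint"
ZONES = {
    "example.com.": {"_acme-challenge.example.com.": [("CNAME", "example.com.acme.example.net.")]},
    "acme.example.net.": {"example.com.acme.example.net.": [("TXT", expected_txt(TOKEN, THUMB))]},
    "example.org.": {"_acme-challenge.example.org.": [("TXT", "stale-value-in-parent")]},
    "_acme-challenge.example.org.": {"_acme-challenge.example.org.": [("TXT", expected_txt(TOKEN, THUMB))]},
}
```

Against real DNS the same walk is what `dig` shows you when you query the TXT at _acme-challenge.<domain> and watch the answer section for the CNAME or the referral before the TXT.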

When delegation is worth the trouble

Delegation helps when the current setup is the bottleneck:

  • slow propagation
  • awkward provider API
  • broad credentials
  • too many systems competing for DNS-01 updates

If DNS-01 is already simple and reliable in the main zone, delegation may just add moving parts.

Why the security angle matters

Putting full DNS API credentials on every server that needs a cert is usually a bad bargain. If one box gets compromised, the attacker may get control over the entire zone.

Delegation gives you a smaller blast radius. The certificate automation can control the challenge path without owning mail, web, or the rest of the domain.

That is usually the real win.

What delegation does not solve

It does not make propagation disappear.

If the delegated provider is inconsistent, or if anycast visibility is uneven, you can still have one resolver seeing the new TXT while another does not. Delegation gives you a chance to pick a better path. It does not magically make DNS fast.

What to check before you do it

1. Make sure DNS-01 is actually the right challenge

If you need wildcard certs or validation for private services, DNS-01 makes sense. If not, simpler challenges may be easier to operate.

2. Identify the real bottleneck

If the main DNS provider is not the problem, delegation may just be extra complexity.

3. Pick the right ownership model

Use CNAME for a simple pointer. Use NS when you want the challenge subtree to be fully owned somewhere else.

4. Test propagation where it counts

Do not assume the new design is better until you have seen it work cleanly in staging.

Common misunderstandings

"Let’s Encrypt cannot follow delegation"

It can. That is why this pattern works at all.

"Delegation fixes propagation problems"

Sometimes it improves them. It does not eliminate them.

"This is only for big hosting companies"

No. Small teams use it too, mostly to narrow DNS credential scope or make wildcard automation less risky.

FAQ

Can Let’s Encrypt follow a CNAME for DNS-01?

Yes.

Can I delegate _acme-challenge with NS records?

Yes.

Why would I move _acme-challenge to another zone?

Usually for tighter security, cleaner ownership, or faster and more predictable updates.

Does this help with wildcard certificates?

Often yes, because wildcard issuance requires DNS-01 and delegation can make that path easier to automate safely.
