Skip to content

DNS01 ACME Verification

TSIG keys can be limited to only allow modifications to the TXT records required for ACME DNS01 verification of domains (for example for Let's Encrypt wildcard certificates).


The certbot-dns-rfc2136 plugin can be used for DNS01 verification with HexDNS.

The config file for this plugin should be formatted as follows;

dns_rfc2136_server =
dns_rfc2136_port = 53
dns_rfc2136_name = <your key record name> (such as
dns_rfc2136_secret = <your secret> (in base64 form)
dns_rfc2136_algorithm = HMAC-SHA512

The --dns-rfc2136-propagation-seconds command line flag should be set to ~60 seconds.

Further documentation on this plugin can be found here.

Last update: September 24, 2020