ACME DNS Challenge Readiness Check

ACME DNS-01 readiness

Identifier:

Accepted: example.com, www.example.com, or *.example.com.

ACME profile:

Use Let's Encrypt unless your client only follows TXT or CNAME.

Challenge host override:

Example: delegated-zone.example when _acme-challenge lives elsewhere.

Resolver:

Use Auto for normal checks; pin one resolver to compare a report.

Compare resolvers:

Turn on before retrying issuance after a DNS change.

Setup intent:

Choose a route type only when you already know the intended setup.

Expected token:

Paste one TXT token value; leave blank to inspect topology only.

CNAME depth limit:

Accepted: 2 to 6 hops.

Field	Value	Copy
{{ row.label }}	{{ row.value }}

Resolver	Verdict	Route	TXT view	Retry hint	TTL	Notes	Copy
{{ row.resolver }}	{{ row.verdict }}	{{ row.route }}	{{ row.tokenView }}	{{ row.retryHint }}	{{ row.ttl }}	{{ row.note }}

Area	Status	Wait	Evidence	Next action	Copy
{{ row.area }}	{{ row.status }}	{{ row.wait }}	{{ row.evidence }}	{{ row.action }}

Check	Command	Why	Copy
{{ row.check }}	`{{ row.command }}`	{{ row.why }}

Export to PDF Fullscreen

Include query parameters

Embed:

Customize embed code

Include query parameters

Wrap embed in collapsible toggle

Collapse panel by default

Hide card frame (bare iframe)

Loading behavior

Width

Height

Aspect ratio (width : height)

Max height (optional)

Collapsible heading

Collapsible description (optional)

Allow fullscreen

Referrer policy

Sandbox tokens

ACME DNS-01 validation proves control of a certificate identifier by publishing a token-derived TXT value under the _acme-challenge owner name. The challenge is simple in shape, but operational failures are common because DNS caches, wildcard identifiers, delegated zones, and CNAME chains can make the visible owner differ from the name an operator first edits.

Readiness means two things are true at the same time: the route to the final TXT owner is valid for the ACME client being used, and the expected TXT value is visible from public resolvers. A delegated route without the token is not ready yet. A visible token on a route the client will not follow can still fail issuance.

ACME DNS challenge route from identifier to TXT validation

DNS-01 checks are resolver views, not guarantees about every CA resolver at the same moment. Use negative-cache hints and resolver agreement to decide when to retry, then confirm with the ACME client logs if issuance still fails.

Technical Details:

The expected owner is derived by placing _acme-challenge. before the normalized identifier. Wildcards use the base identifier, so *.example.com still maps to _acme-challenge.example.com. An override can model delegated management when the visible route is intentionally anchored somewhere else.

ACME DNS challenge route checks
Route shape	Evidence collected	Readiness effect
Direct TXT	TXT answers on the challenge owner	Ready when the expected token or any token is visible.
CNAME delegation	One CNAME chain to a terminal owner	Ready only for profiles that follow CNAME and when the terminal TXT is visible.
NS delegation	NS records at the challenge owner	Route ready for delegated challenge zones; TXT must exist inside that zone.
Invalid conflict	CNAME plus TXT or NS at the same owner	Blocked because CNAME cannot coexist with other owner data.

The check samples Cloudflare and Google DNS-over-HTTPS views unless a single resolver is selected. TXT, CNAME, and NS records are fetched for each route node, CNAME depth is capped, loops are flagged, and SOA-derived negative-cache hints are shown when available. Status values are Ready, Route Ready, Waiting, and Blocked.

Everyday Use & Decision Guide:

Enter the exact certificate identifier first. Use *.example.com for a wildcard and a normal host or domain for non-wildcard issuance. Add the expected token when you have it; leaving the token blank makes the check focus on route shape and visible TXT values.

Use Let's Encrypt DNS-01 for the common client profile.
Choose CNAME-following client only when your ACME client is known to follow delegated CNAME routes.
Use Strict TXT-only client when delegation should not count as ready.
Wait for the Negative-cache hint when the last query saw an empty owner and a recent DNS change may still be cached.

If resolver views disagree, retrying immediately can waste an issuance attempt. Confirm with pinned dig commands from the runbook and wait for public views to align.

Step-by-Step Guide:

Enter the identifier and run the check.
Select the ACME profile that matches the client behavior.
Use Challenge owner override only when you intentionally manage the challenge under a different base host.
Paste Expected TXT token when available so mismatched visible TXT values are flagged.
Review Challenge Route for owner, route detected, terminal TXT owner, and recommendation.
Use Retry Window and ACME DNS Runbook before another issuance attempt.

Interpreting Results:

Ready means the selected primary resolver sees a compatible route and the token requirement is satisfied. Route Ready means delegation exists but the TXT value still needs to appear. Blocked means the route shape itself must be fixed.

Visible TXT is not enough when it is on the wrong terminal owner or mismatches the expected token. Check Delegation path and Expected token before telling the ACME client to retry.

Worked Examples:

Wildcard certificate. Entering *.example.com checks _acme-challenge.example.com. If the expected token appears directly there and both sampled resolvers agree, the result is Ready.

Delegated CNAME. If _acme-challenge.app.example.com points to app.example.net, the route can be valid for a CNAME-following client. A strict TXT-only profile marks that route as incompatible.

Stale negative cache. After publishing TXT, one resolver may still show no TXT and an SOA hint of 300 seconds. Wait roughly that long, then rerun before spending another validation attempt.

FAQ:

Why does a wildcard not include the star in the owner?

DNS-01 uses the base identifier for wildcard challenges, so the owner is still under _acme-challenge for the domain name.

Can CNAME delegation be used?

Some clients and CAs follow it, but the tool makes that profile-specific. Use the profile that matches your client, not the route you wish it supported.

What does resolver drift mean?

The sampled public resolvers did not return the same verdict. Wait for convergence or check authoritative servers directly.

Glossary:

DNS-01: An ACME challenge method that proves control through a DNS TXT value.
Challenge owner: The _acme-challenge name where validation begins.
Negative cache: Cached evidence that a record was absent.
Terminal TXT owner: The final name where TXT should be visible after delegation.