DNS validation works as follows:
sub.example.com, the ACME server provides a challenge consisting of an
y value. The truth is actually a little more complicated than that, but for the sake of this explanation it will suffice.
_acme-challenge.sub.example.com, there should be at least one record called
If your goal is to get a certificate for example.com using DNS validation, but the DNS provider for that domain does not support automation and/or your security policy doesn’t allow third-party tools like win-acme to access the DNS configuration, then you can set up a CNAME from _acme-challenge.example.com to another (sub)domain under your control that doesn’t have these limitations. acme-dns is based on this principle, but the same trick can be applied to any of the plugins.
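
A pre-flight check for the CNAME delegation described above, as an added example that is not win-acme's own code. It follows the CNAME chain from the challenge name over constructed records and confirms the TXT record sits inside the delegated zone. The zone name validation.example.net, the token and the thumbprint are assumptions, and the TXT value is computed as RFC 8555 section 8.4 defines it, which goes beyond the simplified description on this page.

```python
import base64
import hashlib

def dns01_txt_value(token, account_thumbprint):
    """RFC 8555 s8.4: unpadded base64url of SHA-256(token + '.' + thumbprint)."""
    digest = hashlib.sha256(f"{token}.{account_thumbprint}".encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def resolve_challenge(records, domain, max_hops=8):
    """Follow CNAMEs from _acme-challenge.<domain>; return (final_name, txt_values)."""
    name = f"_acme-challenge.{domain}".lower().rstrip(".")
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        cname = records.get((name, "CNAME"))
        if not cname:
            return name, records.get((name, "TXT"), [])
        name = cname[0].lower().rstrip(".")
    raise ValueError("CNAME chain too long")

def check_delegation(records, domain, validation_zone, expected_txt):
    """Return a list of problems; an empty list means the lookup would succeed."""
    final_name, txt = resolve_challenge(records, domain)
    zone = validation_zone.lower().rstrip(".")
    problems = []
    # The record must land in the zone the ACME client is allowed to write to.
    if final_name != zone and not final_name.endswith("." + zone):
        problems.append(f"{final_name} is outside the delegated zone {zone}")
    if expected_txt not in txt:
        problems.append(f"no TXT record with the expected value at {final_name}")
    return problems

# Constructed sample data standing in for live DNS answers.
TOKEN = "constructed-token-123"
THUMBPRINT = "constructed-thumbprint-abc"
EXPECTED = dns01_txt_value(TOKEN, THUMBPRINT)
RECORDS = {
    ("_acme-challenge.example.com", "CNAME"): ["example-com.validation.example.net."],
    ("example-com.validation.example.net", "TXT"): [EXPECTED],
}

if __name__ == "__main__":
    issues = check_delegation(RECORDS, "example.com", "validation.example.net", EXPECTED)
    print(issues or "delegation ok")
```
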