> ## Documentation Index
> Fetch the complete documentation index at: https://docs.certgovernance.app/llms.txt
> Use this file to discover all available pages before exploring further.

# DNS Validation

> Configure DNS accounts for ACME DNS-01 challenge solving.

ACME's DNS-01 challenge requires placing a TXT record at `_acme-challenge.yourdomain.com` to prove domain ownership. CertForge handles this automatically using DNS accounts configured in the UI — no `config.yaml` changes are needed.

## Why DNS-01?

| Feature                      | HTTP-01 | DNS-01                        |
| ---------------------------- | ------- | ----------------------------- |
| Wildcard certificates        | No      | Yes                           |
| Works without open HTTP port | No      | Yes                           |
| Works for internal domains   | No      | Yes                           |
| Fully automated              | Yes     | Yes (with supported provider) |

CertForge uses DNS-01 exclusively. HTTP-01 is not supported.

## Step 1: Create a DNS account

Go to **Admin → DNS Accounts → New** and select your provider.

### Cloudflare

1. In Cloudflare → Profile → API Tokens → Create Token
2. Use the **Edit zone DNS** template
3. Restrict the token to the zone(s) CertForge needs to manage
4. Copy the token

In the DNS account form:

| Field     | Value                           |
| --------- | ------------------------------- |
| Provider  | Cloudflare                      |
| API Token | Paste your Cloudflare API token |

### RFC 2136 / TSIG (bind, Windows DNS, Infoblox, etc.)

For any DNS server that supports RFC 2136 dynamic updates with TSIG authentication:

| Field           | Value                                        |
| --------------- | -------------------------------------------- |
| Provider        | RFC 2136                                     |
| Server          | IP or hostname of your DNS server            |
| Zone            | The DNS zone to update, e.g. `corp.com.`     |
| TSIG Key Name   | The TSIG key name configured on the server   |
| TSIG Key Secret | Base64-encoded TSIG key secret               |
| TSIG Algorithm  | `hmac-sha256` (recommended) or `hmac-sha512` |

Save the account. CertForge will show a connection status indicator once the account is saved.

## Step 2: Link the DNS account to a DTP

Each Domain Trust Profile that uses an ACME CA must reference a DNS account to use for challenge solving.

1. Go to **Admin → Domain Trust Profiles**
2. Edit the profile backed by an ACME CA
3. Under **DNS Settings**, select the DNS account from the dropdown
4. Save

When CertForge needs to validate a domain for that profile, it uses the linked account's credentials to create and remove the `_acme-challenge` TXT record automatically.

## Multiple DNS providers

Different DTPs can reference different DNS accounts. This allows you to use Cloudflare for one zone and RFC 2136 for another without any per-request configuration.

Create one DNS account per provider or credential set, then link each account to the appropriate DTP.
