Skip to main content

DNS Validation Profiles

DNS validation profiles define how Certeasy resolves and validates DNS challenges. Each profile controls which DNS zones are in scope, which resolver to use, and which resolved IP addresses are acceptable.

Configuration

dns-validation-profiles:
  - name: internal-default
    mode: local
    zones:
      - suffixes:
          - "corp.internal"
        system: true
        authoritative: false
        dnssec: false
        protocol: udp
    resolved-ip-policy:
      allow-cidrs:
        - "10.0.0.0/8"
      deny-cidrs:
        - "127.0.0.0/8"
        - "169.254.0.0/16"
        - "::1/128"
        - "fe80::/10"

Fields

Profile

| Field | Default | Type | Description | |---|---|----------|------|---------------------------------------------| | name | — | string | Unique profile name. Referenced by issuance policies. | | mode | local | string | Validation mode. Only local is currently available. | | timeout | — | duration | Overall validation timeout. |

Zones

Each zone entry defines which DNS zones this profile handles and how to resolve them.

FieldDefaultTypeDescription
suffixesList stringList of DNS zone suffixes (e.g. corp.internal)
systembooleanUse the system resolver for this zone
dns-serverList stringExplicit DNS server address (overrides system)
authoritativebooleanRequire authoritative responses
dnssecbooleanRequire DNSSEC validation
protocolstringDNS protocol: udp or tcp

Resolved IP Policy

After a challenge DNS name resolves, Certeasy checks the resulting IP against these rules.

FieldTypeDescription
allow-cidrsList stringIP ranges that are acceptable
deny-cidrsList stringIP ranges that are explicitly rejected (loopback, link-local, etc.)

Deny rules are evaluated first. If an IP matches a deny CIDR, the challenge fails regardless of allow rules.

Multiple Profiles

You can define multiple profiles for different DNS zones or resolution strategies:

dns-validation-profiles:
  - name: corp-internal
    mode: local
    zones:
      - suffixes: 
        - "corp.internal"
        system: true
    resolved-ip-policy:
      allow-cidrs: 
       - "10.0.0.0/8"

  - name: dmz
    mode: local
    zones:
      - suffixes: 
        - "dmz.example.com"
        dns-server: "192.168.100.1"
    resolved-ip-policy:
      allow-cidrs: 
       - "172.16.0.0/12"

When multiple profiles exist, each issuance policy must explicitly reference the profile to use.