Clarifying DNS-01 Alias behavior

I am currently using posh-acme and testing switching over to simplify our management. When we set up a DNS alias, it creates the TXT record in our acme zone for the record provided. So, for example, if I had the following CNAMEs

When I run posh-acme it would create the TXT records at the following locations based on the configuration.

When reading your documentation, I am not sure if this is the same behavior or whether it would instead create the TXT records at

  • _acme-challenge.mystagecertproxy.acme.mydomain.com
  • _acme-challenge.thirdparty1stage.acme.mydomain.com

Could you clarify which record it would update if I used the following configuration string? (Broken out for readability.)

*.stage.whitelabel.thridparty.com:thirdparty1stage.acme.mydomain.com;
stage.whitelabel.thridparty.com:thirdparty1stage.acme.mydomain.com;
*.stage.whitelabel.thridparty.com:mystagecertproxy.acme.mydomain.com;
stage.whitelabel.thridparty.com:mystagecertproxy.acme.mydomain.com;

Hi,

Yes, for the CNAME delegation rule you want actualdomain:surrogatedomain

e.g.

*.example.com:*.auth.somewhere.org

But your surrogate domain will be populated automatically with _acme-challenge records as appropriate, so you don’t actually create a record in your surrogate domain.

Example:

You want a cert for www.example.com and you want to use the somewhere.org zone for your auth. For good housekeeping/fun you decide to put these under the auth subdomain.

If you set up the rule as:
*.example.com:*.auth.somewhere.org

The app will get the request to create _acme-challenge.www.example.com and transpose that to the surrogate name _acme-challenge.www.auth.somewhere.org.

Your CNAME would therefore be _acme-challenge.www in the example.com zone, pointing to _acme-challenge.www.auth.somewhere.org (a currently non-existent record). The app will add/update the surrogate record as required.

So note that we are keeping the _acme-challenge label on both sides.

You can test the configuration with the “Test” option, and you will see it create an _acme-challenge-test record in your surrogate zone.
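The transposition described in the reply, written out as a small Python model so the two configurations in this thread can be checked side by side. This is an added illustration, not the app's own code, and its matching rules are assumptions drawn from the reply's wording: a pattern beginning with `*.` matches names at least one label below its base (the base itself needs its own rule, as in the question's configuration), a pattern without a wildcard must match exactly, and the first matching rule wins. The `QUESTION_RULES` constant is constructed from the configuration string in the question.

```python
"""Model of CNAME-delegation name transposition (added example, not the app's code).

Assumptions, not documented behaviour of the app:
  * '*.base' matches any name at least one label below 'base'; 'base' itself
    needs its own rule (as in the question's configuration string).
  * A pattern without '*' must match the host exactly.
  * Rules are tried in order and the first match wins.
"""

CHALLENGE_LABEL = "_acme-challenge"


def parse_rules(rules_text):
    """Split 'actual:surrogate;actual:surrogate;...' into (actual, surrogate) pairs."""
    rules = []
    for entry in rules_text.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        actual, surrogate = entry.split(":", 1)
        rules.append((actual.strip().lower(), surrogate.strip().lower()))
    return rules


def challenge_host(identifier):
    """ACME places the dns-01 record for '*.example.com' at example.com, so the
    wildcard prefix is dropped before the _acme-challenge label is prepended."""
    return identifier[2:] if identifier.startswith("*.") else identifier


def match_rule(host, actual, surrogate):
    """Return the surrogate host for `host`, or None if this rule does not apply."""
    if actual.startswith("*."):
        base = actual[2:]
        if not host.endswith("." + base):
            return None                            # assumption: base itself is not covered
        captured = host[: -len(base) - 1]          # the labels the '*' stood for
        if surrogate.startswith("*."):
            return captured + "." + surrogate[2:]  # transpose them into the surrogate zone
        return surrogate                           # literal surrogate name, no transposition
    return surrogate if host == actual else None


def delegated_record(identifier, rules):
    """Return (CNAME owner in the real zone, surrogate name the app will write TXT at).

    Both names keep the _acme-challenge label, as the reply describes.
    """
    host = challenge_host(identifier.lower())
    for actual, surrogate in rules:
        target = match_rule(host, actual, surrogate)
        if target is not None:
            return (f"{CHALLENGE_LABEL}.{host}", f"{CHALLENGE_LABEL}.{target}")
    raise LookupError(f"no delegation rule matches {identifier}")


# Constructed from the configuration string in the question (first two entries).
QUESTION_RULES = parse_rules(
    "*.stage.whitelabel.thridparty.com:thirdparty1stage.acme.mydomain.com;"
    "stage.whitelabel.thridparty.com:thirdparty1stage.acme.mydomain.com;"
)

# Rule from the reply.
REPLY_RULES = parse_rules("*.example.com:*.auth.somewhere.org")


if __name__ == "__main__":
    for ident, rules in (
        ("www.example.com", REPLY_RULES),
        ("*.stage.whitelabel.thridparty.com", QUESTION_RULES),
        ("api.stage.whitelabel.thridparty.com", QUESTION_RULES),
    ):
        owner, target = delegated_record(ident, rules)
        print(f"{ident}: CNAME {owner} -> {target}")
```

The first tuple returned is the CNAME the operator creates once in the real zone; the second is the name in the surrogate zone that the app populates itself, which is why no record needs to be pre-created there. With the question's configuration the surrogate has no wildcard, so every delegated host collapses onto the single name `_acme-challenge.thirdparty1stage.acme.mydomain.com`, whereas the reply's `*.auth.somewhere.org` form keeps one surrogate name per host.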