Zones

A zone binds a DNS apex to a credential. This is what CertAutoPilot consults when it has to publish a DNS-01 challenge for a name.

01 The zone model

Each zone has:

  • Apex — example.com, internal.example, etc.
  • Credential — one of the configured DNS credentials.
  • Optional aliases — names that should be answered via CNAME redirection (see CNAME aliasing).

When a certificate request includes api.example.com, CertAutoPilot looks up the longest-matching zone (example.com), uses its credential to publish the _acme-challenge.api.example.com TXT record, and waits.

02 Multiple credentials per apex

Sometimes you need different credentials for different sub-trees of the same apex — e.g. internal.example.com lives in Route 53, cdn.example.com in Cloudflare. Register them as separate zones; the longest-match wins.

Zone                    Credential          Matches
example.com             cloudflare-prod     www.example.com, api.example.com
internal.example.com    route53-internal    db.internal.example.com

03 CNAME aliasing

This is a common pattern when the production zone is locked down (regulated, or owned by another team): publish a CNAME at _acme-challenge.api.example.com pointing to _acme-challenge.api.acme.example.org, where acme.example.org is a zone CertAutoPilot can write to. The CA follows the CNAME and validates the record where it lives.

; Once, manually, in the production zone:
_acme-challenge.api.example.com.  CNAME  _acme-challenge.api.acme.example.org.

In CertAutoPilot, register the alias on the certificate request: DNS challenge override = _acme-challenge.api.acme.example.org. The worker writes there instead.

04 Public Suffix List corner cases

Apex detection respects the Public Suffix List. foo.co.uk is registrable; co.uk is not. The UI prevents you from registering a suffix-only zone; the API does too.
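The lookup rules from sections 01 to 04 in one place, as an added example that is not CertAutoPilot's own code: longest-match zone selection, a simplified Public Suffix List guard, and placement of the challenge record when a DNS challenge override (CNAME alias) is set. The zone table, the credential names and the tiny suffix set are constructed for the demo.

```python
# Added example (not CertAutoPilot's own code): longest-match zone lookup,
# Public Suffix List guard and challenge-record placement (sections 01-04).
from __future__ import annotations

# Constructed stand-in for the Public Suffix List; the real list is far larger
# and has wildcard/exception rules that this simplified check ignores.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}

# Constructed zone table (apex -> credential), mirroring the table in 02 plus
# a delegated zone for the CNAME-aliasing pattern in 03.
ZONES = {
    "example.com": "cloudflare-prod",
    "internal.example.com": "route53-internal",
    "acme.example.org": "acme-delegated",
}


def is_registrable(apex: str) -> bool:
    """foo.co.uk is registrable; co.uk and uk are suffix-only and rejected."""
    apex = apex.rstrip(".").lower()
    labels = apex.split(".")
    if not all(labels) or apex in PUBLIC_SUFFIXES:
        return False
    # Anything else with two or more labels passes this simplified check.
    return len(labels) >= 2


def find_zone(name: str, zones: dict[str, str]) -> tuple[str, str] | None:
    """Longest registered apex that equals `name` or is a parent of it."""
    name = name.rstrip(".").lower()
    best = None
    for apex in zones:
        if name == apex or name.endswith("." + apex):
            if best is None or len(apex) > len(best):
                best = apex
    return (best, zones[best]) if best else None


def challenge_record(name: str, zones: dict[str, str],
                     override: str | None = None) -> tuple[str, str]:
    """Return (TXT record name, credential) for the DNS-01 challenge of `name`.
    With a DNS challenge override (CNAME alias) the override target is looked up,
    so the credential of the delegated zone is used instead of the production one.
    """
    target = override or f"_acme-challenge.{name}"
    hit = find_zone(target, zones)
    if hit is None:
        raise LookupError(f"no registered zone covers {target}")
    return target, hit[1]
```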

05 Reachability checks

On save, CertAutoPilot:

  1. Calls the credential to list zones and verifies the apex exists.
  2. Writes a probe TXT record (_certautopilot-probe.<apex>), reads it back, deletes it.
  3. Records propagation latency on the zone detail page.

If propagation is consistently above 60 s, set the DNS propagation budget on the zone higher so issuance jobs don't time out.

06 API

POST   /api/v1/projects/{project}/zones
GET    /api/v1/projects/{project}/zones
POST   /api/v1/projects/{project}/zones/{id}/test
DELETE /api/v1/projects/{project}/zones/{id}