diff --git a/dnsapi/dns_nsupdate.sh b/dnsapi/dns_nsupdate.sh
index e82a2251..ca9945ae 100755
--- a/dnsapi/dns_nsupdate.sh
+++ b/dnsapi/dns_nsupdate.sh
@@ -10,6 +10,7 @@ dns_nsupdate_add() {
   NSUPDATE_SERVER_PORT="${NSUPDATE_SERVER_PORT:-$(_readaccountconf_mutable NSUPDATE_SERVER_PORT)}"
   NSUPDATE_KEY="${NSUPDATE_KEY:-$(_readaccountconf_mutable NSUPDATE_KEY)}"
   NSUPDATE_ZONE="${NSUPDATE_ZONE:-$(_readaccountconf_mutable NSUPDATE_ZONE)}"
+  NSUPDATE_CNAME_ZONE="${NSUPDATE_CNAME_ZONE:-$(_readaccountconf_mutable NSUPDATE_CNAME_ZONE)}"
 
   _checkKeyFile || return 1
 
@@ -18,14 +19,27 @@ dns_nsupdate_add() {
   _saveaccountconf_mutable NSUPDATE_SERVER_PORT "${NSUPDATE_SERVER_PORT}"
   _saveaccountconf_mutable NSUPDATE_KEY "${NSUPDATE_KEY}"
   _saveaccountconf_mutable NSUPDATE_ZONE "${NSUPDATE_ZONE}"
+  _saveaccountconf_mutable NSUPDATE_CNAME_ZONE "${NSUPDATE_CNAME_ZONE}"
 
   [ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
   [ -n "${NSUPDATE_SERVER_PORT}" ] || NSUPDATE_SERVER_PORT=53
 
-  _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
+  if [ -n "${NSUPDATE_CNAME_ZONE}" ]; then
+      _info "adding _acme-challenge.${NSUPDATE_CNAME_ZONE}. 60 in txt \"${txtvalue}\""
+      _info "the record ${fulldomain}. must be a CNAME to this record for validation to succeed"
+  else
+      _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
+  fi
   [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_1" ] && nsdebug="-d"
   [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_2" ] && nsdebug="-D"
-  if [ -n "${NSUPDATE_ZONE}" ]; then
+  if [ -n "${NSUPDATE_CNAME_ZONE}" ]; then
+    nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
+server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT} 
+zone ${NSUPDATE_CNAME_ZONE}.
+update add _acme-challenge.${NSUPDATE_CNAME_ZONE}. 60 in txt "${txtvalue}"
+send
+EOF
+  elif [ -n "${NSUPDATE_ZONE}" ]; then
     nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
 server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT} 
 zone ${NSUPDATE_ZONE}.
@@ -59,10 +73,21 @@ dns_nsupdate_rm() {
   _checkKeyFile || return 1
   [ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
   [ -n "${NSUPDATE_SERVER_PORT}" ] || NSUPDATE_SERVER_PORT=53
-  _info "removing ${fulldomain}. txt"
+  if [ -n "${NSUPDATE_CNAME_ZONE}" ]; then
+      _info "removing _acme-challenge.${NSUPDATE_CNAME_ZONE}. txt"
+  else
+      _info "removing ${fulldomain}. txt"
+  fi
   [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_1" ] && nsdebug="-d"
   [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_2" ] && nsdebug="-D"
-  if [ -n "${NSUPDATE_ZONE}" ]; then
+  if [ -n "${NSUPDATE_CNAME_ZONE}" ]; then
+    nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
+server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT} 
+update delete _acme-challenge.${NSUPDATE_CNAME_ZONE}. txt
+zone ${NSUPDATE_CNAME_ZONE}.
+send
+EOF
+  elif [ -n "${NSUPDATE_ZONE}" ]; then
     nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
 server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT} 
 update delete ${fulldomain}. txt