Here are a couple of other useful resources on addressing this problem on the client side. Essentially, you can run your own nameserver dedicated to answering challenges, and delegate to it with CNAMEs.
https://github.com/joohoi/acme-dns
https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation

To the question of whether Let's Encrypt would implement a new DNS-related challenge: We're potentially interested, but as Ryan Sleevi mentioned, it would have to be specified in detail, either in an I-D or elsewhere. It would then need to be accepted by root programs, possibly via the CA/Browser Forum, since that's a convenient place to get agreement among root programs. That's a fair amount of work, and when I last proposed a similar change in 2018 it looked like there was significant opposition:

https://mailarchive.ietf.org/arch/msg/acme/6_j3fecaxIgwNTpJ3693U_n0Kec/
https://mailarchive.ietf.org/arch/msg/acme/rIV6jrETVXO2EmoG_tmRitDL0tA/

So, right now Let's Encrypt isn't prioritizing the work to advocate for changes here, but hearing from subscribers that have trouble with the current DNS challenges definitely helps inform our thinking.
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
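The CNAME delegation pattern the mail describes, worked through as an added example (not code from the mail, from acme-dns, or from Let's Encrypt): the main zone carries only a static CNAME for the `_acme-challenge` label, the renewal automation writes TXT records solely in the dedicated challenge zone, and the validator follows the chain exactly as a CA does for dns-01 (RFC 8555 section 8.4). The zone tables, names and token are constructed stand-ins for real DNS so the example runs offline.

```python
import base64
import hashlib

# Constructed zone data standing in for real DNS answers (offline example).
# The main zone delegates only the challenge label to a separate zone that
# exists solely to answer challenges; the automation that publishes TXT
# records needs credentials for that zone only, never for example.com.
MAIN_ZONE = {
    ("_acme-challenge.example.com.", "CNAME"): ["a1b2c3d4.auth.example.net."],
}
CHALLENGE_ZONE = {
    ("a1b2c3d4.auth.example.net.", "TXT"): [],
}


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """Value the CA expects in the TXT record for dns-01:
    base64url(SHA-256(token '.' JWK thumbprint)), without padding."""
    key_authorization = f"{token}.{account_thumbprint}".encode()
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def resolve_txt(name: str, zones: list, max_cnames: int = 8) -> list:
    """Follow CNAMEs from `name` across the zone tables and return the TXT
    strings at the end of the chain; refuses over-long (looping) chains."""
    for _ in range(max_cnames):
        for zone in zones:
            if (name, "TXT") in zone:
                return zone[(name, "TXT")]
            if (name, "CNAME") in zone:
                name = zone[(name, "CNAME")][0]  # hop to the delegated name
                break
        else:
            return []  # name unknown in every zone: NXDOMAIN equivalent
    raise RuntimeError("CNAME chain too long")


def publish_challenge(token: str, thumbprint: str) -> None:
    """The only write the renewal automation performs: into the challenge zone."""
    CHALLENGE_ZONE[("a1b2c3d4.auth.example.net.", "TXT")] = [
        dns01_txt_value(token, thumbprint)
    ]


def validate(domain: str, token: str, thumbprint: str) -> bool:
    """CA-side check: the expected value must appear at the end of the chain."""
    expected = dns01_txt_value(token, thumbprint)
    return expected in resolve_txt(f"_acme-challenge.{domain}.", [MAIN_ZONE, CHALLENGE_ZONE])
```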