Hello. We currently create LetsEncrypt certificates using a DNS challenge. We do not want every machine to be able to make DNS changes, so what we have been doing is having one locked down machine requesting and renewing the certificates, then using Puppet to distribute them.
What I'd really know to know is if there instead is some sort of ACME "proxy" where we can have each machine run certbot to request the certificate, but have the request happen on the central machine. Sort of like a private ACME server, but not using a private CA. I don't want to reinvent the wheel if something already exists that will do this.
I think acme-dns is an elegant solution indeed. However, if you want something else: CNAME RRs are followed (that's also how acme-dns works) and also NS RRs could be used. If you have e.g. multiple BIND instances running with their own hostname, you could also redirect the _acme-challenge to a single BIND and use the RFC 2136 protocol (e.g. using the certbot-dns-rfc2136 plugin) to get a cert.