[Article] certbot-auto with DNS-based renewal

I agree, I’ve raised that concern on previous occasions 1 & 2.

Apart from acme-dns, assisted-dns-01 was also suggested on the IETF ACME list by jsha which is a kind of “official acme-dns”, but I don’t think it was received so well.

It is possible to use the documented approach safely, though. You can run certbot in certonly mode on a server that has no internet accessible services. Pre-distribute the private key of the certificate to downstream users of the certificate, and then just copy the certificate on a regular automated schedule down via ssh/rsync/whatever else. Private key never has to touch the network.

I would guess though, that this is way too much work/thinking for the majority of users.

Edit: I would also add:

  • As long as you keep the API secrets only readable as root and you don’t run your software at a high privilege level, a complex compromise is required
  • This problem exists across pretty much all ACME clients that support the DNS challenge
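An added illustration of the scheme described in the post above (this is example code, not something from the original thread or from certbot): a small POSIX shell helper that runs on the isolated certonly host and stages only the public certificate files for distribution, so the private key, which was pre-distributed once out of band, is never part of the copy. The live directory path, the downstream hostnames and the remote destination directory are assumed placeholders.

```shell
#!/bin/sh
# Added example: ship only public certificate material from an isolated
# "certbot certonly" host to downstream servers. privkey.pem is never copied;
# it was pre-distributed out of band once. All paths/hosts below are assumed.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/example.com}"   # assumed path
REMOTE_DIR="${REMOTE_DIR:-/etc/ssl/letsencrypt}"            # assumed remote path

# Allow-list of files that are safe to leave the host. privkey.pem is
# deliberately absent; anything not listed is refused.
is_shippable() {
    case "$1" in
        cert.pem|chain.pem|fullchain.pem) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy allow-listed files from the live dir ($1) into a staging dir ($2).
# cp follows certbot's live/ symlinks, so real file contents are staged.
# cp is used here so the example runs offline; production would rsync the
# staging dir to each downstream host (see rsync_cmd_for).
stage_public_files() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    for f in "$src"/*; do
        name=$(basename "$f")
        if is_shippable "$name"; then
            cp "$f" "$dst/$name"
        fi
    done
}

# Build the rsync command for one downstream host ($2) from a staging dir ($1).
# -L dereferences symlinks; the include/exclude pair pins the allow-list again
# so a stray file in the staging dir still cannot be shipped. Not executed here.
rsync_cmd_for() {
    printf 'rsync -aL --include=cert.pem --include=chain.pem --include=fullchain.pem --exclude=* %s/ %s:%s/\n' \
        "$1" "$2" "$REMOTE_DIR"
}

# Offline demo on a constructed live directory containing a fake private key.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/live"
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        echo "constructed placeholder for $f" > "$tmp/live/$f"
    done
    stage_public_files "$tmp/live" "$tmp/staging"
    echo "staged files:"; ls "$tmp/staging"
    rsync_cmd_for "$tmp/staging" "web1.internal"   # assumed hostname
    rm -rf "$tmp"
}

# Run the demo only when invoked as "./ship-cert.sh demo" (assumed script name).
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run on a cron/systemd timer on the certonly host after each renewal; the downstream side only ever receives cert.pem, chain.pem and fullchain.pem, so an attacker who reaches the copy channel sees no key material.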