Not to rain obscure race conditions on area parades, but Route 53 isn’t a perfect platform for this, IMO. It’s awkward to simultaneously issue two certificates for the same name from two different clients with two different challenges. With the UPSERT code that plugin uses now, the second client would simply overwrite the first one’s TXT record, and one of them may fail.
The only “perfect” option I can think of is to loop CREATE calls, waiting in line until any other clients have finished and deleted their records. And you either have to hope some client didn’t crash out and leave a dangling record a month ago, or eventually overwrite it.
On the plus side, it’s great that you can use GetChange to wait until new changes have propagated to all of their nameservers. That’s a yucky pitfall with a lot of DNS providers.
Edit: API-wise, S3 and HTTP-01 give the smoothest experience, IMO, but yet another way to do HTTP-01 is less useful than a DNS-01 plugin, of course.
Edit: Or, possibly, one of the clients may fail with PriorRequestNotComplete. I don’t know when Route 53 actually returns that.
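
A sketch of the CREATE-and-wait loop described in the post above, as an added example that is not part of the original post or the plugin's code. It assumes `r53` is a boto3 Route 53 client; the function names, retry count and delay are hypothetical.

```python
import time

def _code(exc):
    # botocore's ClientError carries the API error code in exc.response
    return getattr(exc, "response", {}).get("Error", {}).get("Code")

def txt_change(action, name, value, ttl=60):
    # One-change batch for a single-valued TXT record (value is quoted, as Route 53 expects)
    return {"Changes": [{"Action": action, "ResourceRecordSet": {
        "Name": name, "Type": "TXT", "TTL": ttl,
        "ResourceRecords": [{"Value": '"%s"' % value}]}}]}

def publish_challenge(r53, zone_id, name, value,
                      attempts=30, delay=10, sleep=time.sleep):
    """CREATE the TXT record, waiting in line while another client holds the name."""
    for _ in range(attempts):
        try:
            resp = r53.change_resource_record_sets(
                HostedZoneId=zone_id,
                ChangeBatch=txt_change("CREATE", name, value))
            break
        except Exception as exc:
            # InvalidChangeBatch: the record already exists (a live client or a stale one).
            # PriorRequestNotComplete: an earlier change is still being applied.
            if _code(exc) not in ("InvalidChangeBatch", "PriorRequestNotComplete"):
                raise
            sleep(delay)
    else:
        # Never overwrite silently: surface the possibly dangling record to the operator.
        raise TimeoutError("%s is still held by another record" % name)
    change_id = resp["ChangeInfo"]["Id"]
    # GetChange reports INSYNC once the change has reached all Route 53 nameservers.
    while r53.get_change(Id=change_id)["ChangeInfo"]["Status"] != "INSYNC":
        sleep(delay)
    return change_id

def remove_challenge(r53, zone_id, name, value):
    # DELETE must match the existing record exactly, so only our own value is removed.
    r53.change_resource_record_sets(
        HostedZoneId=zone_id, ChangeBatch=txt_change("DELETE", name, value))
```

Unlike UPSERT, a second client calling `publish_challenge` for the same name blocks until the first has called `remove_challenge`, and a record left behind by a crashed client ends in a `TimeoutError` rather than being overwritten.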