We'd like DNS-validated certs for a subdomain of a domain we don't control. In other words: certs should be for hosts in ourdomain.example.com, where example.com is on an internal DNS server that is incompatible with LE. But we can create a delgation (NS records) in it pointing requests for ourdomain at a LE-compatible external DNS service. This allows LE to create TXT records in ourdomain.example.com (but not example.com).
My question: if we want certs for eg host1.ourdomain.example.com & host2.ourdomain.example.com, is it enough to tell LE to create the TXT records in ourdomain.example.com? Or must we create a CNAME record: _acme-challenge.example.com pointing at the _acme-challenge.ourdomain.example.com TXT record that LE can create? And if so, is it one static CNAME enough, or must we create for each cert we want (host1 & host2)?
For DNS based challenges and a cert that contains:
host1.ourdomain.example.com
host2.ourdomain.example.com
LE validation servers will be querying for TXT records called:
_acme-challenge.host1.ourdomain.example.com
_acme-challenge.host2.ourdomain.example.com
Assuming the NS records are setup properly in the public example.com to delegate control of ourdomain.example.com to public nameservers you control, no CNAMEs should be necessary. You just create the TXT records in that zone and you're good to go.
The only time CNAMEs are needed is when you don't have direct control over anything in example.com or its subs. The controlling entity would create CNAMEs matching the expected _acme-challenge records that point to names you do control such as:
_acme-challenge.host1.ourdomain.net
_acme-challenge.host2.ourdomain.net
It's more or less an informal delegation of specific records. You then create the TXT records for those names you control on behalf of the names that pointed to them.
The CNAMEs don't have to point to other records that start with _acme-challenge. They could both even point to the same record like challenges.ourdomain.net. Just don't point too many things at the same record such that they'd be trying to validate at the same time because there are response size limits in the validation software that could prevent successful validation if too many TXT records are returned.
P.S. Since you mentioned example.com is an internal domain, I should probably mention that the internal copy is irrelevant. Only the external internet-facing copy of the zone matters. That's where the NS record delegation needs to be created (or the CNAMEs).