I’m hoping I’ve put this in the right place.
Due to many reasons, dynamic DNS updates aren’t permitted to the main zone for one of my customers (their main infrastructure zone, which all the servers have hostnames inside). They require every server to have SSL (including internal servers which aren’t public-facing in any way). Yes, they should be doing their own CA, but want to consider using LE with DNS challenges.
We looked at the details of ACME, and worked out that currently, it ought to be possible to issue certs by pointing _acme-challenge.<domain> to a different nameserver (one which does allow Dynamic DNS for that zone) and then using that to do a dynamic DNS update.
I decided to set up a test VM to prove this theory (playground.dchosted.net), which seems to work.
_acme-challenge.playground.dchosted.net has a pair of NS records for ns1 and ns2 (dot) dchosted.net to delegate the zone over.
_acme-challenge.playground.dchosted.net then has the relevant ACME challenge TXT record as an @ record in the domain.
My client has asked, though, is this permitted by design (and will therefore continue to work), or are we likely to see a patch to the CAs to prevent this? I can see arguments for either way, and I’m not sure which is more sensible.
Thanks in advance for your input and thoughts.
Chris
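The setup described above, as an added illustration that is not part of Chris's post: a small in-memory model of two authoritative servers, one for the main zone (static, refusing dynamic updates) and one for the delegated `_acme-challenge` zone (accepting updates), plus a resolver that follows the NS referral the way a CA's validator would. The server name `ns-main.example.`, the IP address, the update policy and the token are constructed for the example; only the hostnames mirror the post.

```python
"""
Model of DNS-01 validation when _acme-challenge.<domain> is delegated by NS
records to a separate, dynamic-update-capable nameserver.  All zone data and
server names below are constructed for this example.
"""
from typing import Dict, List, Tuple

Zone = Dict[str, Dict[str, List[str]]]      # owner name -> rrtype -> rdata list
Server = Dict[str, Zone]                     # zone apex -> zone data

# Main infrastructure zone: static, holds only the NS delegation (constructed).
MAIN_ZONE: Server = {
    "playground.dchosted.net.": {
        "playground.dchosted.net.": {"A": ["192.0.2.10"]},
        "_acme-challenge.playground.dchosted.net.": {
            "NS": ["ns1.dchosted.net.", "ns2.dchosted.net."],
        },
    }
}

# Delegated zone: the challenge TXT lives at its apex ("@").  ns1 and ns2 share
# one dict here, standing in for zone-transfer replication between them.
DELEGATED_ZONE: Server = {
    "_acme-challenge.playground.dchosted.net.": {
        "_acme-challenge.playground.dchosted.net.": {
            "NS": ["ns1.dchosted.net.", "ns2.dchosted.net."],
        },
    }
}

# Which server is authoritative for what (hypothetical server for the main zone).
SERVERS: Dict[str, Server] = {
    "ns-main.example.": MAIN_ZONE,
    "ns1.dchosted.net.": DELEGATED_ZONE,
    "ns2.dchosted.net.": DELEGATED_ZONE,
}
# Constructed policy: only the delegated zone's servers accept RFC 2136 updates.
UPDATE_ALLOWED = {"ns1.dchosted.net.", "ns2.dchosted.net."}


def _is_subdomain(name: str, apex: str) -> bool:
    return name == apex or name.endswith("." + apex)


def authoritative_lookup(server: Server, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Answer one query as an authoritative server would.
    Status is "answer", "referral", "nodata", "nxdomain" or "refused"."""
    apexes = [a for a in server if _is_subdomain(qname, a)]
    if not apexes:
        return "refused", []
    apex = max(apexes, key=len)                       # closest enclosing zone
    zone = server[apex]
    # Walk from the apex down towards qname; an NS RRset below the apex is a cut.
    labels = qname[: -len(apex) - 1].split(".") if qname != apex else []
    for i in range(len(labels) - 1, -1, -1):
        cut = ".".join(labels[i:]) + "." + apex
        if "NS" in zone.get(cut, {}):
            return "referral", zone[cut]["NS"]
    rrsets = zone.get(qname)
    if rrsets is None:
        return "nxdomain", []
    return ("answer", rrsets[qtype]) if qtype in rrsets else ("nodata", [])


def resolve(servers: Dict[str, Server], start: str, qname: str, qtype: str,
            max_hops: int = 8) -> Tuple[List[str], List[str]]:
    """Follow NS referrals from `start`, like a CA's validator.  Returns the
    rdata found (empty if none) and the list of servers consulted."""
    path, current = [], start
    for _ in range(max_hops):
        path.append(current)
        status, data = authoritative_lookup(servers[current], qname, qtype)
        if status == "answer":
            return data, path
        if status == "referral":
            # A real resolver tries every listed server; we take the first known one.
            current = next((ns for ns in data if ns in servers), None)
            if current is None:
                raise LookupError(f"delegation to unknown servers: {data}")
            continue
        return [], path                               # nodata / nxdomain / refused
    raise LookupError("referral loop")


def dynamic_update(servers: Dict[str, Server], server_name: str, owner: str,
                   rrtype: str, rdata: List[str]) -> str:
    """Simulated RFC 2136 UPDATE replacing the RRset at `owner`.
    Returns an rcode name: NOERROR, REFUSED (policy) or NOTAUTH."""
    if server_name not in UPDATE_ALLOWED:
        return "REFUSED"
    server = servers[server_name]
    apexes = [a for a in server if _is_subdomain(owner, a)]
    if not apexes:
        return "NOTAUTH"
    server[max(apexes, key=len)].setdefault(owner, {})[rrtype] = list(rdata)
    return "NOERROR"


def issue_challenge(servers: Dict[str, Server], token: str):
    """Publish a challenge token the way the ACME client would, then check
    what a validator starting at the main zone's server sees."""
    name = "_acme-challenge.playground.dchosted.net."
    main_rc = dynamic_update(servers, "ns-main.example.", name, "TXT", [token])
    deleg_rc = dynamic_update(servers, "ns1.dchosted.net.", name, "TXT", [token])
    seen, path = resolve(servers, "ns-main.example.", name, "TXT")
    return main_rc, deleg_rc, seen, path


if __name__ == "__main__":
    print(issue_challenge(SERVERS, "constructed-token-1"))
```

The point the model makes visible: the validator never needs the main zone to change, it only needs the main zone's NS delegation to be correct and the delegated servers to answer for the apex TXT. The update against the main zone's server is refused, the update against the delegated server succeeds, and the resolver path runs main server, then delegated server. It also shows the operational check worth running before each issuance: query from outside the delegated servers (start at the parent) and confirm the current token is the one returned, since a stale replica on ns2 would fail validation just as a refused update would.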