I'm not sure if this is the right place for this request, as it's not just a feature request for LE but for the ACME protocol. It's based on a desire to overcome limitations of the existing challenge methods:
- HTTP-01 requires some integration with a web server, and is exposed to unwarranted trust in the network layer (subject to BGP hijacking, MITM on networks the traffic is legitimately crossing, etc.).
- DNS-01 solves the trust problem if used with DNSSEC, but otherwise it interacts badly with DNSSEC, requiring a setup with dynamic signing using an online key and precluding a more secure setup where the keys are entirely offline and not accessible by automated processes.
I would like to propose a "challenge method" DANE-01 that would not involve any actual challenge, only validation that the CSR is signed by a key in the TLSA records for the subject name(s). Used with TLSA type "3 1" and persistent keys, this allows certificates to be issued and renewed with no dynamic interaction with other services/infrastructure, and to be based entirely on cryptographic proof of possession of the private key for the relevant service.
As a bonus, offering this would greatly boost the deployment of DNSSEC and DANE by making them a way to streamline ACME certificate issuance.
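The validation the proposal describes, as an added example that is not part of the post or of any ACME implementation: the CA checks that the CSR is self-signed by the key it carries (proof of possession) and that the SHA-256 of that key's SubjectPublicKeyInfo appears in a "3 1 1" TLSA record for the name. It assumes the caller has already looked up the TLSA records for the subject name over DNSSEC; the function and helper names are hypothetical and the keys and CSR are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// TLSA mirrors the RDATA fields of a DNS TLSA record (RFC 6698).
type TLSA struct{ Usage, Selector, MatchingType uint8; Data []byte }

// ValidateDANE01 (hypothetical name) is the check the post proposes: the CSR
// must verify under its own key (proof of possession) and the SHA-256 of that
// key's SPKI must equal the Data of a "3 1 1" record; other records are skipped.
func ValidateDANE01(csrDER []byte, records []TLSA) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return errors.New("CSR proof of possession failed: " + err.Error())
	}
	digest := sha256.Sum256(csr.RawSubjectPublicKeyInfo)
	for _, r := range records {
		if r.Usage == 3 && r.Selector == 1 && r.MatchingType == 1 && bytes.Equal(digest[:], r.Data) {
			return nil
		}
	}
	return errors.New("no TLSA 3 1 1 record matches the CSR key")
}

// MakeCSR generates a fresh P-256 key (standing in for a service's persistent
// TLS key) and a DER CSR for name self-signed by it (constructed input).
func MakeCSR(name string) (*ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: []string{name}}, key)
	return key, der
}

// TLSAFor builds the "3 1 1" record an operator would publish for key.
func TLSAFor(key *ecdsa.PrivateKey) TLSA {
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	d := sha256.Sum256(spki)
	return TLSA{Usage: 3, Selector: 1, MatchingType: 1, Data: d[:]}
}
```

Because the TLSA record pins the persistent key rather than a one-off token, renewals need no change to DNS or the web server as long as the key stays the same.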