Don’t forget that whether or not the RFC2136 plugin follows CNAMEs (it doesn’t look like it to me right now, but I’m not 100% sure), you can always perform the same task with a simple Certbot authentication hook.
For example:
/root/auth.sh
#!/usr/bin/env bash
# Called by certbot as "auth.sh auth" and "auth.sh cleanup";
# certbot exports the challenge token in CERTBOT_VALIDATION.
RFC2136_SERVER="127.0.0.1"
# The name the _acme-challenge CNAME points at, i.e. the record actually updated.
RECORD_TO_UPDATE="_acme-challenge.cname-example.com"
case "$1" in
    auth)
        # The trailing blank line makes nsupdate send the update.
        echo -e "server ${RFC2136_SERVER}\nupdate add ${RECORD_TO_UPDATE}. 1 TXT \"${CERTBOT_VALIDATION}\"\n\n" | nsupdate
        sleep 10    # give the change time to propagate before the CA queries it
        ;;
    cleanup)
        echo -e "server ${RFC2136_SERVER}\nupdate delete ${RECORD_TO_UPDATE}. TXT\n\n" | nsupdate
        ;;
esac
may be combined with:
certbot certonly --manual --manual-auth-hook "/root/auth.sh auth" \
    --manual-cleanup-hook "/root/auth.sh cleanup" --preferred-challenges dns \
    -d points-to-cname.com -d also.points-to-cname.com
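A variant of the same hook, added here as an example and not part of the original post: instead of hardcoding the target record, it looks up the CNAME of _acme-challenge.$CERTBOT_DOMAIN with dig and updates whatever name that resolves to, so one script serves every domain whose challenge name is delegated by CNAME. It assumes BIND's dig and nsupdate are installed and that the server in RFC2136_SERVER accepts the update, optionally authenticated with a TSIG key file named in RFC2136_KEY (both variable names are this example's own).

```shell
#!/usr/bin/env bash
# Added example, not the original poster's script: a manual-auth hook that
# follows the CNAME of _acme-challenge.<domain> itself instead of
# hardcoding the target record, then adds/deletes the TXT via nsupdate.
# Assumptions: BIND's dig and nsupdate are installed; RFC2136_SERVER accepts
# the update, ideally with a TSIG key file in RFC2136_KEY (both hypothetical).
set -e

RFC2136_SERVER="${RFC2136_SERVER:-127.0.0.1}"
RFC2136_KEY="${RFC2136_KEY:-}"    # e.g. /etc/certbot/rfc2136.key; empty = no TSIG

# Print the name the TXT record must be written to: the CNAME target if the
# challenge name is a CNAME (dig +short output in $2), else the name itself.
cname_target() {    # $1 = challenge name, $2 = raw `dig +short CNAME` output
  local name="$1" answer="${2%.}"    # dig prints a trailing dot; drop it
  if [ -n "$answer" ]; then printf '%s\n' "$answer"; else printf '%s\n' "$name"; fi
}

# Emit the nsupdate batch for adding or deleting the TXT record on stdout.
nsupdate_script() {    # $1 = add|delete, $2 = record name, $3 = TXT value (add)
  local action="$1" record="$2" value="${3:-}"
  printf 'server %s\n' "$RFC2136_SERVER"
  if [ "$action" = add ]; then
    # low TTL so a stale validation token does not linger in caches
    printf 'update add %s. 60 TXT "%s"\n' "$record" "$value"
  else
    printf 'update delete %s. TXT\n' "$record"
  fi
  printf 'send\n'
}

main() {
  local challenge="_acme-challenge.${CERTBOT_DOMAIN}" target
  target="$(cname_target "$challenge" "$(dig +short CNAME "$challenge")")"
  case "${1:-}" in
    auth)
      nsupdate_script add "$target" "$CERTBOT_VALIDATION" \
        | nsupdate ${RFC2136_KEY:+-k "$RFC2136_KEY"}
      sleep 10    # give secondaries and the CA's resolvers a moment to see it
      ;;
    cleanup)
      nsupdate_script delete "$target" | nsupdate ${RFC2136_KEY:+-k "$RFC2136_KEY"}
      ;;
    *)
      echo "usage: $0 auth|cleanup (run by certbot with CERTBOT_* set)" >&2; exit 2 ;;
  esac
}

# Only act when invoked with an argument (certbot passes auth or cleanup).
if [ $# -gt 0 ]; then main "$@"; fi
```

Use it exactly like the script above (`--manual-auth-hook "/root/auth.sh auth"`, `--manual-cleanup-hook "/root/auth.sh cleanup"`); restricting the TSIG key to TXT updates on the delegated zone keeps a compromised web host from rewriting anything else in DNS.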