I took the path of least resistance, and modified the apache module to “whitelist” /.well-known/acme-challenge/*
It’s not as bad as it could be since the acme-challenge directory only exists while certbot is active.
Creating a zone cut & delegating _acme-challenge.example.net. to a dedicated nameserver is a pretty costly approach - the maintenance effort for a nameserver is non-trivial - and this one would be used for a few seconds every 2 months. Technically, one would be required to have at least TWO, geographically dispersed servers for the zone. Perhaps if one has a LARGE number of domains/certificate renewals it might be worth the effort.
I’ll also note that dynamically updating DNS (for dns-01) can be a challenge if you use external nameserver services. The larger suppliers provide APIs, but rarely support DNS UPDATE+TSIG, instead offering some proprietary mechanism. If you’re lucky, something like JSON over http. The less enlightened ones provide a webform interface, nowadays with a Captcha, making automation painful to impossible. They rarely let you specify a zone cut / different credentials for subdomains. I do use dns-01 for some systems - and have had to write interfaces to some of the proprietary mechanisms where I don’t use my own servers. Not a lot of fun. Which is why the .well-known path is sometimes the better choice.
It would be helpful if you would publish the list of validation servers in DNS as I suggested above, since this would allow whitelisting by IP for all kinds of security screens (firewalls, webservers, intrusion alarms, etc).
As I noted, publishing a list in DNS doesn’t prevent you from adding, deleting, or reconfiguring the validation servers. Just add the record for a new server a TTL or so before activating it, and the world will let it work. And don’t release the IP of a discontinued server (as if anyone gives up IPv4 addresses these days!) until a TTL has passed. Even if you don’t precisely sync the DNS records with the servers, in the worst case a client will block renewal – but a subsequent retry will work.
There is no practical limit to the number of address records that can be associated with a hostname - if you need 100 servers, just add the records. (Though an anycast address might be a better choice…) And if the zone is DNSSEC signed, the appearance of an IP address in (say) validation-servers.letsencrypt.org would be a pretty strong guarantee that LE is behind the probe.
Depending on whether your ISP(s) delegate reverse (PTR) records to you or make it easy to update them, setting them up might be more painful for you. While this would make life simplest for clients (look up the inbound IP, match the name & check signature), it’s not difficult to create the reverse mappings for this special case at the clients. It’s not uncommon for hosts to be missing PTR records, nor for ISPs not to sign their reverse zones, so coping is a solved problem. Just having the forward records would be a step forward.
In any case, for now I have a workaround for my situation.
Thanks for your consideration.
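The client-side check the post sketches (look up a CA-published address list, match the inbound IP, and only then let a request to the challenge path through, with PTR confirmation as an optional extra), written out as an added example; this is not code from the post or from Let's Encrypt. The record name `validation-servers.example-ca.invalid`, the stub DNS data and the function names are assumptions made for the example so it runs offline.

```python
import ipaddress
from typing import Callable, Optional, Set

# Hypothetical record name for a CA-published validator list (an assumption made
# for this example; the post proposes the idea, no such record is known to exist).
VALIDATOR_NAME = "validation-servers.example-ca.invalid"
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed stand-ins for DNS answers so the example runs without network access.
FORWARD = {
    VALIDATOR_NAME: {"192.0.2.10", "192.0.2.11", "2001:db8::10"},
    "probe1.example-ca.invalid": {"192.0.2.10"},
}
REVERSE = {"192.0.2.10": "probe1.example-ca.invalid"}  # 192.0.2.11 has no PTR


def lookup_forward(name: str) -> Set[str]:
    """A/AAAA lookup stub; a real deployment queries DNS and caches answers per TTL."""
    return set(FORWARD.get(name, set()))


def lookup_ptr(ip: str) -> Optional[str]:
    """PTR lookup stub; None models the common case of a missing reverse record."""
    return REVERSE.get(ip)


def normalize(ip: str) -> Optional[str]:
    """Canonical text form so '2001:DB8::10' and '2001:db8::10' compare equal."""
    try:
        return str(ipaddress.ip_address(ip))
    except ValueError:
        return None


def is_listed_validator(ip: str, forward: Callable = lookup_forward) -> bool:
    """Primary check: the inbound address appears in the published record set."""
    canon = normalize(ip)
    listed = {normalize(a) for a in forward(VALIDATOR_NAME)}
    return canon is not None and canon in listed


def fcrdns_ok(ip: str, forward: Callable = lookup_forward,
              ptr: Callable = lookup_ptr) -> bool:
    """Optional confirmation: the PTR name must resolve back to the inbound address."""
    canon = normalize(ip)
    name = ptr(canon) if canon else None
    return name is not None and canon in {normalize(a) for a in forward(name)}


def allow_request(ip: str, path: str) -> bool:
    """Admit only challenge-path requests from a listed validator; PTR is not required."""
    return path.startswith(CHALLENGE_PREFIX) and is_listed_validator(ip)
```

Because the forward records are the authority, a validator without a PTR (192.0.2.11 here) is still admitted, matching the post's point that missing reverse records should not block renewal.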