Hi @nneul
There are 2 things that may help your case
A) Wildcard certificates coming in the future: Wildcard Certificates Coming January 2018
B) Running a pre-flight check
I believe what you want is a universal challenge, i.e. a single record you can add to your DNS that will validate all upcoming requests?
If that is the case, this is probably not feasible due to the way the ACME spec is written.
Although it may seem like a good idea, it would be a disaster: if there were a universal challenge, then everyone with an ACME client would be able to issue valid certificates for your domain (as the challenges are automatically passed).
Though this may be prevented by private account keys, it still doesn’t make sense to me from a security point of view.
I use CloudFlare, and Route53 has also been suggested. My feeling is that moving to a DNS provider that propagates the record in a reasonable time frame is the only feasible solution.
And by reasonable I mean modern-web reasonable (30 seconds to 5 minutes).
Andrei
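As an added example (not part of the post above, and not Let's Encrypt's or any ACME client's own code), here is how the DNS-01 record value is derived under RFC 8555 section 8.4 and RFC 7638: the TXT value is a hash over both the per-order token and the thumbprint of the account key, so one record can only ever satisfy one challenge for one account, and a "universal" record is not expressible in the spec. The two JWKs below are constructed placeholders with made-up coordinates, not real keys.

```python
import base64
import hashlib
import json

def _b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# RFC 7638: only these members, in lexicographic order, enter the thumbprint.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 of the canonical JSON (sorted keys, no whitespace) of the required members.
    Extra members such as 'kid' or 'alg' are deliberately ignored, as the RFC requires."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(thumbprint(account key))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: value published at _acme-challenge.<domain> is
    base64url(SHA-256(key authorization)). It changes with every token and every account key."""
    return _b64url(hashlib.sha256(key_authorization(token, account_jwk).encode("utf-8")).digest())

# Constructed placeholder account keys (not valid curve points; only the structure matters here).
ACCOUNT_A = {"kty": "EC", "crv": "P-256", "x": "placeholder-x-A", "y": "placeholder-y-A"}
ACCOUNT_B = {"kty": "EC", "crv": "P-256", "x": "placeholder-x-B", "y": "placeholder-y-B"}

if __name__ == "__main__":
    # Two orders from the same account carry different server-chosen tokens,
    # so the operator must publish a fresh record each time.
    for token in ("constructed-token-1", "constructed-token-2"):
        print(f"account A, token {token}: {dns01_txt_value(token, ACCOUNT_A)}")
    # The same token under a different account key yields a different record,
    # which is what stops another ACME account from passing your challenge.
    print(f"account B, token constructed-token-1: {dns01_txt_value('constructed-token-1', ACCOUNT_B)}")
```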