Can this one provide wildcard certificates without having to update DNS entries every three months?

That is the one pain point I have with Let's Encrypt.

PS: Yes, you can automate the DNS updates. That is the pain point I am talking about. It is one more moving part. One more dependency on a third party. One more thing to set up. One more thing that can break. One more thing that will rot (APIs always change at some point in time).

Many people seem to solve the "automate DNS" by putting their DNS credentials on the server which serves their website. This is the worst thing from a security perspective. Now someone who breaks into your application can take over your DNS, point your domain to wherever they like and get any certificate for it they like. This probably enables them to also overtake your email and then escalate further from there.

What I've done is delegate (NS record) only the subdomain _acme-challenge to a standalone DNS-zone the webserver has write access to. This way it cannot escalate to changing root A/MX.

Oh that is really smart. Is there a way to build a simple DNS server into a certbot (or other client) plugin? That DNS server doesn't really have to be available outside of the verification time window.

DNS validation has been a thorn in my side for a while. Not only do I use DNS hosts that don't have APIs (like Google Domains), I also don't really want to give every web server access to my entire zone. That seems like a huge attack surface.

I already had Bind on the machine so it was logical to add the zone there and utilize nsupdate: https://gist.github.com/kronthto/893715f12cc0b1cda9fcfdbd8dc...

But what you are suggesting should work just fine as well - there should be no need for a persistent service. Of course the service would need to run on port 53, so you actually cannot have another nameserver on that machine already, and it also requires CAP_NET_BIND_SERVICE.

A quick search led me to this python project that could be an inspiration: https://github.com/pawitp/acme-dns-server
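To make the two ideas above concrete (delegating only `_acme-challenge` to a zone the web server controls, and answering that zone from a short-lived responder instead of a persistent nameserver), here is an added example. It is not code from this thread, from acme-dns or from acme-dns-server. It assumes a constructed setup: the parent zone `example.com` carries the delegation `_acme-challenge.example.com. IN NS acme-ns.example.com.` (plus a glue A record for `acme-ns`), the token in `RECORDS` is a made-up dns-01 value that the ACME client's hook would write in before requesting validation, and `build_query`/`decode_response` exist only so the responder can be exercised without a network. The responder answers TXT for names under the delegated label, returns NXDOMAIN for other names inside that label, and deliberately returns REFUSED for anything in the parent zone, so even a compromised web server that runs it cannot be coaxed into speaking for `example.com` itself.

```python
import socket
import struct

# Constructed example. The parent zone delegates only the challenge label:
#   _acme-challenge.example.com.  IN NS  acme-ns.example.com.
# so this responder can answer dns-01 (including *.example.com) without
# holding any credential for example.com itself. Names/tokens are made up.
ZONES = ["_acme-challenge.example.com"]
RECORDS = {"_acme-challenge.example.com": ["constructed-dns01-token-for-example-com"]}
QTYPE_TXT, QTYPE_ANY, CLASS_IN, TTL = 16, 255, 1, 60
FLAG_QR, FLAG_AA, FLAG_RD = 0x8000, 0x0400, 0x0100
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5

def encode_name(name):
    # Wire format: length-prefixed labels terminated by a zero byte.
    labels = [l.encode("ascii") for l in name.strip(".").split(".")]
    if any(not 0 < len(l) < 64 for l in labels):
        raise ValueError("bad label length")
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def encode_txt_rdata(values):
    # TXT RDATA: one or more <len><chars> strings, each at most 255 bytes.
    raws = [v.encode("ascii") for v in values]
    if any(len(r) > 255 for r in raws):
        raise ValueError("TXT string too long")
    return b"".join(bytes([len(r)]) + r for r in raws)

def parse_query(data):
    # Returns (txid, flags, qname, qtype, qclass, end_of_question).
    if len(data) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, _, _, _ = struct.unpack(">HHHHHH", data[:12])
    if flags & FLAG_QR or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        length, pos = data[pos], pos + 1  # IndexError on a truncated name
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("unexpected compression")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack(">HH", data[pos:pos + 4])
    return txid, flags, ".".join(labels).lower(), qtype, qclass, pos + 4

def build_query(txid, name, qtype=QTYPE_TXT):
    # A recursion-desired query, as a resolver or the CA's validator sends it.
    return (struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
            + encode_name(name) + struct.pack(">HH", qtype, CLASS_IN))

def build_response(query, records=RECORDS, zones=ZONES):
    # Answer TXT for names inside the delegated zone(s); REFUSE everything else.
    txid, qflags, qname, qtype, qclass, qend = parse_query(query)
    flags, answers = FLAG_QR | (qflags & FLAG_RD), []  # RA stays clear: no recursion
    if not any(qname == z or qname.endswith("." + z) for z in zones):
        rcode = RCODE_REFUSED  # never speak for the parent zone
    elif qname not in records:
        flags, rcode = flags | FLAG_AA, RCODE_NXDOMAIN
    else:
        flags, rcode = flags | FLAG_AA, RCODE_NOERROR
        if qclass == CLASS_IN and qtype in (QTYPE_TXT, QTYPE_ANY):
            rdata = encode_txt_rdata(records[qname])
            # 0xC00C is a compression pointer to the question name at offset 12
            answers.append(b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, CLASS_IN, TTL, len(rdata)) + rdata)
    header = struct.pack(">HHHHHH", txid, flags | rcode, 1, len(answers), 0, 0)
    return header + query[12:qend] + b"".join(answers)

def decode_response(response):
    # Returns (rcode, authoritative, txt_values) for a response built above.
    _, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", response[:12])
    pos = 12
    while response[pos] != 0:  # skip the echoed question name
        pos += 1 + response[pos]
    pos, values = pos + 5, []  # zero byte plus qtype/qclass
    for _ in range(ancount):
        rtype, _, _, rdlen = struct.unpack(">HHIH", response[pos + 2:pos + 12])
        rdata, pos = response[pos + 12:pos + 12 + rdlen], pos + 12 + rdlen
        i = 0
        while rtype == QTYPE_TXT and i < len(rdata):
            values.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii"))
            i += 1 + rdata[i]
    return flags & 0xF, bool(flags & FLAG_AA), values

def serve(bind_addr=("0.0.0.0", 53)):
    # Run only for the validation window; port 53 needs root or CAP_NET_BIND_SERVICE.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind_addr)
        while True:
            data, peer = sock.recvfrom(512)
            try:
                sock.sendto(build_response(data), peer)
            except (ValueError, IndexError, struct.error):
                pass  # malformed query: drop it rather than guess

if __name__ == "__main__":
    serve()
```

Started just before the ACME client asks the CA to validate and stopped once the certificate is issued, this is the whole "DNS server that only exists during the verification window". It speaks UDP only and never sets TC, which is adequate because a single short TXT answer stays well under 512 bytes; a resolver that insists on TCP would get no reply, so keep the zone to challenge tokens and nothing else. The important property to verify after deploying it is the one the `example.com` and `www.example.com` queries exercise: a REFUSED answer for every name outside the delegated label.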

I run this one: https://github.com/joohoi/acme-dns. It's super simple and has a REST API for updating records.