If your concern is that certbot has access to your DNS records, you can set up a CNAME or NS record on _acme-challenge.your-domain and serve the TXT record from a separate, isolated DNS server.
That's an interesting solution to mitigating risk. I wasn't aware that LE would follow a CNAME to a different TXT record.
Although it does require an additional NS which is an additional maintenance overhead - that is preferable to leaving automated services sitting around with write access to important domains. At least until I can stop regularly writing DNS records.
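To illustrate the delegation described above, here is an added example (not code from anyone in this thread) that models the lookup an ACME CA performs for a DNS-01 challenge: it follows the CNAME from `_acme-challenge.<domain>` into a separate zone and checks that the final name really lands outside the primary zone, so the client only ever needs write access to the isolated zone. The zone contents and the names `example.com` and `acme-delegated.example.net` are constructed placeholders.

```python
"""Follow an _acme-challenge CNAME into a delegated zone and verify the
delegation is isolated from the primary zone (constructed data, runs offline)."""
from typing import Dict, List, Tuple

Zone = Dict[str, List[Tuple[str, str]]]  # owner -> [(rtype, rdata), ...]

# Constructed primary zone: the only record certbot would ever need here is
# the static CNAME, which is written once by hand, not by the ACME client.
PRIMARY_ZONE: Zone = {
    "www.example.com.": [("A", "192.0.2.10")],
    "_acme-challenge.example.com.": [
        ("CNAME", "_acme-challenge.example.com.acme-delegated.example.net.")
    ],
}

# Constructed isolated zone: this is the zone the ACME client writes TXT
# records into; compromise of its credentials cannot alter example.com itself.
ACME_ZONE: Zone = {
    "_acme-challenge.example.com.acme-delegated.example.net.": [
        ("TXT", "constructed-challenge-token")
    ],
}


def resolve_txt(name: str, zones: List[Zone], max_hops: int = 8):
    """Resolve TXT for `name`, following CNAMEs the way a CA validator does.
    Returns (txt_values, chain_of_names_visited)."""
    chain = [name]
    for _ in range(max_hops):
        records = [r for zone in zones for r in zone.get(name, [])]
        cnames = [rdata for rtype, rdata in records if rtype == "CNAME"]
        if cnames:  # CNAME replaces the owner name; keep following it
            name = cnames[0]
            chain.append(name)
            continue
        return [rdata for rtype, rdata in records if rtype == "TXT"], chain
    raise RuntimeError("CNAME chain exceeded %d hops" % max_hops)


def delegation_is_isolated(name: str, zones: List[Zone], primary_apex: str) -> bool:
    """True only if the challenge name was redirected and ends up outside
    the primary zone, i.e. the ACME client never needs write access there."""
    _, chain = resolve_txt(name, zones)
    final = chain[-1]
    in_primary = final == primary_apex or final.endswith("." + primary_apex)
    return len(chain) > 1 and not in_primary
```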