[dns_snek]

> Am I being too paranoid here? Or is there a better way to allow DNS challenges without a token that allows too much power in editing a DNS zone?

I'd look for a custom DNS challenge provider plugin which delegates the task of creating DNS records to another machine which holds the actual token.

[throw0101a]

There's at least one ACME client that has this as an explicit feature:

> Get certificates for remote servers - The tokens used to provide validation of domain ownership, and the certificates themselves can be automatically copied to remote servers (via ssh, sftp or ftp for tokens). The script doesn't need to run on the server itself. This can be useful if you don't have access to run such scripts on the server itself, e.g. if it's a shared server.

* https://github.com/srvrco/getssl

It's written in Bash, so dependencies aren't too heavy.

[justin_oaks]

Ah, that's a clever mechanism. That way the secondary machine could not only keep the token secure, but also validate which DNS records to create.