You can do it with an NS record, ie _acme_challenge.realdomain.com pointing to the DNS server that you can program to serve the challenge response. No need to make a CNAME and involve an additional domain in the middle.

▲

aflukasz 2 days ago | parent [-]

Yeah, but then you can just as well use http-01 with like same effort.

▲

gruez 2 days ago | parent [-]

no, because dns supports wildcard certificates, unlike http.

	▲	cpach 2 days ago \| parent \| next [-]
		dns-01 is also good for services on a private network.
	▲	aflukasz 2 days ago \| parent \| prev [-]
		Ah, good point.