Add support for delegating DNS-01 challenge to a different domain

[cuu508]

Use case

DNS-01 challenge requires storing DNS API key in maddy.conf. DNS providers do not typically offer API keys that can be restricted to setting and removing _acme_challenge TXT records and nothing else. Storing an API key that controls DNS for the whole domain in maddy.conf is not great for security.

One workaround is to delegate DNS-01 challenges to a separate domain using a CNAME record: https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation (see the "Use a "Throwaway" Validation Domain" section)

Your idea for a solution

DNS01Solver in the certmagic package has a OverrideDomain field:

// Override the domain to set the TXT record on. This is
// to delegate the challenge to a different domain. Note
// that the solver doesn't follow CNAME/NS record.
OverrideDomain string

Allow it to be specified in maddy.conf, and pass it to DNS01Solver. Configuration mockup:

tls {
    loader acme {
        hostname example.com
        email hello@example.com
        agreed
        challenge dns-01
        override_domain example-acme-challenge.com
        dns cloudflare {
            api_token "..."
        }
    }
}

• I'm willing to help with the implementation – I'm a Go newbie and an absolute maddy newbie, but I can try :-)

[cuu508]

I've been using override_domain option for a couple months now and it works great. Thanks @foxcpp !