Separate account for subdomain

Since subdomain- and record-scoped tokens are not yet available, can I create a separate second account and delegate a subdomain to it? Can I create the necessary NS records and create an account for subdomains? Do I have to use a separate email address for that?

Suppose I have an account for example.com. I would like to have the second account only for _acme-challenge.example.com, in order to limit the potential for abuse in case the server where the token needs to be stored is compromised. It’s not optimal, since it would still allow the creation of A records etc., but it seems better than potentially granting access to the whole example.com domain.

Hi gber,

Thanks for your message, and welcome to deSEC! :slight_smile:

It is currently not possible to create a domain in an account when another account owns the parent (or grandparent etc.) domain. If that were possible, an attacker could create an account and hijack other people’s subdomains.

If you really, really need this, please contact support, and we can set it up manually for you. However, we’re working on these token scoping features, and it may be easier for everyone to just wait until the feature is available. :slight_smile:

Stay secure,
Peter
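The ownership check Peter describes, as an added illustration (this is not deSEC’s code; the account/domain store and function names are hypothetical): a request to create a domain is refused when any other account already owns that name or one of its ancestors. The comparison is done on label boundaries so that owning example.com does not block an unrelated evilexample.com.

```python
from typing import Dict, Optional

# Constructed store for this example: domain name -> owning account.
DOMAINS: Dict[str, str] = {"example.com": "alice"}


def is_subdomain_of(name: str, parent: str) -> bool:
    """True if `name` equals `parent` or is a (grand)child of it.

    Compared on label boundaries: 'a.example.com' is a child of
    'example.com', but 'evilexample.com' is not.
    """
    n = name.lower().rstrip(".")
    p = parent.lower().rstrip(".")
    return n == p or n.endswith("." + p)


def parent_owned_by_other(name: str, owner: str,
                          domains: Dict[str, str]) -> Optional[str]:
    """Return the existing domain that conflicts with `name`, i.e. one owned
    by an account other than `owner` that is `name` itself or an ancestor of
    it. Returns None if there is no such conflict."""
    for existing, account in domains.items():
        if account != owner and is_subdomain_of(name, existing):
            return existing
    return None


def can_create_domain(name: str, owner: str, domains: Dict[str, str]) -> bool:
    """Hypothetical guard: allow creation only when no other account owns
    the requested name or any of its parents."""
    return parent_owned_by_other(name, owner, domains) is None
```

Under this rule, alice can still add _acme-challenge.example.com to her own account, but a second account (the one gber asks about) cannot, because a stranger could otherwise claim any subdomain of a zone they do not control.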

While this does not solve the chocolate covered banana problem, it may be worth noting that if you want to do this for Let’s Encrypt, you can easily CNAME the required names below _acme-challenge to an entirely different domain (even a .dedyn.io one) and Let’s Encrypt will happily read the required TXT records from there.
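The CNAME trick from the comment above, as an added worked example that is not part of the original thread: a small in-memory model of the DNS-01 lookup a validator performs. The record set is constructed for this example, and the target zone name (example-validation.dedyn.io) and the challenge value are hypothetical. The point it shows is that the token only ever has to be written into the throwaway zone; the zone for example.com holds nothing but a static CNAME, so the credential kept on the web server needs access only to the throwaway zone.

```python
from typing import Dict, List, Tuple

# Constructed zone data. The CNAME sits in the main zone and never changes;
# the TXT with the challenge lives in a separate zone that the ACME client's
# credential is allowed to write to.
RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("_acme-challenge.example.com", "CNAME"): ["acme.example-validation.dedyn.io"],
    ("acme.example-validation.dedyn.io", "TXT"): ["ConstructedKeyAuthorizationDigest"],
}

MAX_CNAME_HOPS = 8  # bound on chain length, like a real resolver


def lookup(records: Dict[Tuple[str, str], List[str]], name: str, rtype: str) -> List[str]:
    """Exact-match lookup of one record type at one owner name."""
    return records.get((name.lower().rstrip("."), rtype), [])


def resolve_txt(records: Dict[Tuple[str, str], List[str]], name: str) -> Tuple[str, List[str]]:
    """Return (final owner name, TXT values), following CNAMEs the way a
    validator's resolver does. Raises ValueError on a CNAME loop or an
    over-long chain."""
    current = name.lower().rstrip(".")
    seen = set()
    for _ in range(MAX_CNAME_HOPS):
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        target = lookup(records, current, "CNAME")
        if target:
            current = target[0].lower().rstrip(".")
            continue
        return current, lookup(records, current, "TXT")
    raise ValueError("CNAME chain too long")


def dns01_valid(records: Dict[Tuple[str, str], List[str]], domain: str, expected: str) -> bool:
    """Model of the DNS-01 check: does a TXT record reached from
    _acme-challenge.<domain> (via any CNAMEs) carry the expected value?"""
    _, txts = resolve_txt(records, "_acme-challenge." + domain)
    return expected in txts


def rotate_challenge(records: Dict[Tuple[str, str], List[str]], new_value: str) -> None:
    """Simulate the ACME client renewing: only the throwaway zone is touched,
    the CNAME in example.com stays exactly as it was."""
    records[("acme.example-validation.dedyn.io", "TXT")] = [new_value]
```

Operationally, each name below _acme-challenge (one per certificate name, including wildcards) gets its own CNAME to a name in the secondary zone, and only the secondary zone's token is stored on the host running the ACME client.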