Since we run multiple DNS-over-TLS servers, the method described here uses a single 'certificate management' server to renew the certificates, update the zone with the dns-01 challenge responses and make the renewed certificates available via ftp. A script run on each DNS server then downloads any new certificates using ftp and restarts the DNS service. In this example we use TLS proxies in front of BIND, or Knot Resolver.
You could put the dns-01 challenge responses in your organisation's main zone. However, it is more flexible to dedicate a separate zone to them, especially if you are responsible for running the servers but someone else or some other organisation is responsible for the DNS.
For authoritative DNS we use knot https://www.knot-dns.cz/ because it has a nice interface for managing zones. The same effect could be obtained using dynamic updates.
It is a good idea to sign your zone if you are going to be putting challenge response records in it. However, the nameserver must be able to sign updates as they are applied.
Let's assume that we are managing certificates for two servers, dnsovertls1.<YOURDOMAIN>. and dnsovertls.<YOURDOMAIN>.
Add CNAME RRs like these to the <YOURDOMAIN> zone. They redirect queries for the dns-01 challenge to a dedicated zone, which can exist on and be served by a dedicated certificate management server.
Delegate acme.<YOURDOMAIN> to the certificate management server by adding NS and DS RRs to the <YOURDOMAIN> zone. Let's assume the server is called ns1.acme.<YOURDOMAIN>.
Create an empty zone for acme.<YOURDOMAIN> (SOA, NS and A/AAAA RRs). Configure knot to sign the zone.
Get dehydrated https://github.com/lukas2511/dehydrated and create some config.
Uncomment the first two lines until you are sure everything is working; this lets you run the scripts for debugging without exceeding the production Let's Encrypt rate limits.
The two PRIVATE_KEY lines ensure that the key is not replaced on renewal, so SPKI pinning continues to work.
Create a domains file
Create a dehydrated.domains file (/<PATH>/dehydrated/dehydrated.domains)
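The steps above (CNAME redirection, delegation, the empty acme zone, the dehydrated config and the domains file) rendered as one script. This is an added example, not the page's own files: <YOURDOMAIN> is taken to be example.com, the delegated zone acme.example.com is assumed to be served by ns1.acme.example.com on 192.0.2.53 (an RFC 5737 documentation address), and the output directory is the first argument. The DS RR is left as a placeholder because its value depends on the KSK knot generates.

```shell
#!/bin/sh
# Added example (not the original page's files): renders the zone fragments,
# the dehydrated config and the domains file described in the steps above.
# Placeholders, not taken from the page: <YOURDOMAIN> is example.com, the
# delegated zone is acme.example.com served by ns1.acme.example.com on
# 192.0.2.53 (RFC 5737 documentation address). Output directory is argument 1.
set -eu

DOMAIN="example.com"
ACME_ZONE="acme.${DOMAIN}"
ACME_NS="ns1.${ACME_ZONE}"
ACME_NS_IP="192.0.2.53"
HOSTS="dnsovertls1.${DOMAIN} dnsovertls.${DOMAIN}"

# RRs to add to the <YOURDOMAIN> zone: one CNAME per host sending the dns-01
# lookup into the delegated zone, plus the NS delegation and glue. The DS RR
# must be derived from the KSK knot uses for acme.<YOURDOMAIN>, so only a
# commented placeholder stands in for it here.
main_zone_fragment() {
    for h in $HOSTS; do
        printf '_acme-challenge.%s. IN CNAME _acme-challenge.%s.%s.\n' "$h" "$h" "$ACME_ZONE"
    done
    printf '%s. IN NS %s.\n' "$ACME_ZONE" "$ACME_NS"
    printf '; %s. IN DS <keytag> <alg> <digesttype> <digest>  ; placeholder, from knot KSK\n' "$ACME_ZONE"
    printf '%s. IN A %s\n' "$ACME_NS" "$ACME_NS_IP"
}

# The initially empty acme.<YOURDOMAIN> zone: SOA, NS and glue only. The TXT
# challenge records are added and removed by the dehydrated hook at run time.
acme_zone_file() {
    cat <<EOF
\$ORIGIN ${ACME_ZONE}.
\$TTL 300
@    IN SOA ${ACME_NS}. hostmaster.${DOMAIN}. ( 1 3600 900 1209600 300 )
@    IN NS  ${ACME_NS}.
ns1  IN A   ${ACME_NS_IP}
EOF
}

# dehydrated config (it is sourced as shell). The CA line selects the staging
# endpoint: leave it active until the hook works, then comment it out for
# production. PRIVATE_KEY_RENEW/PRIVATE_KEY_ROLLOVER keep the same key across
# renewals so a published SPKI pin stays valid.
dehydrated_config() {
    cat <<EOF
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
CHALLENGETYPE="dns-01"
HOOK="$1/hook.sh"
DOMAINS_TXT="$1/dehydrated.domains"
PRIVATE_KEY_RENEW="no"
PRIVATE_KEY_ROLLOVER="no"
EOF
}

# dehydrated.domains: one certificate per line, first name becomes the CN.
domains_file() {
    for h in $HOSTS; do printf '%s\n' "$h"; done
}

render_all() {
    mkdir -p "$1"
    main_zone_fragment     > "$1/main-zone-fragment.txt"
    acme_zone_file         > "$1/${ACME_ZONE}.zone"
    dehydrated_config "$1" > "$1/config"
    domains_file           > "$1/dehydrated.domains"
}

if [ "$#" -gt 0 ]; then
    render_all "$1"
fi
```

Run it as `sh render.sh /<PATH>/dehydrated` and paste `main-zone-fragment.txt` into the <YOURDOMAIN> zone; the acme zone file and the two dehydrated files are written alongside it.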
Write a hook script
Create a hook.sh script (/<PATH>/dehydrated/hook.sh).
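An added example of such a hook script, not the page's own hook.sh. It assumes the challenge zone is acme.example.com, served by the knot instance on the management server and edited with `knotc zone-begin` / `zone-set` / `zone-unset` / `zone-commit`, that the main zone has CNAMEs from `_acme-challenge.<host>` to `_acme-challenge.<host>.acme.example.com`, and that renewed certificates are exported for ftp from /srv/ftp/certs/<host>/. The KNOTC, EXPORT_DIR and PROPAGATION_WAIT variables are this example's own and can be overridden from the environment.

```shell
#!/bin/sh
# Added example hook script for dehydrated; it is not the page's own hook.sh.
# Assumptions (placeholders): the challenge zone acme.example.com is served
# by the knot instance on this host and edited with knotc; the main zone has
# CNAMEs from _acme-challenge.<host> to _acme-challenge.<host>.acme.example.com;
# renewed certificates are exported for ftp from /srv/ftp/certs/<host>/.
set -eu

ACME_ZONE="${ACME_ZONE:-acme.example.com}"
EXPORT_DIR="${EXPORT_DIR:-/srv/ftp/certs}"
KNOTC="${KNOTC:-knotc}"                      # overridable for dry runs
PROPAGATION_WAIT="${PROPAGATION_WAIT:-10}"   # seconds before the CA validates
TTL=60

# Owner name of the challenge TXT record inside the delegated zone.
challenge_owner() {
    printf '_acme-challenge.%s.%s.' "$1" "$ACME_ZONE"
}

# dehydrated calls: hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
# knot signs the edited zone itself when signing is enabled for it, so the
# hook never touches DNSSEC keys; it only needs knotc access to this zone.
deploy_challenge() {
    owner=$(challenge_owner "$1")
    $KNOTC zone-begin "$ACME_ZONE"
    $KNOTC zone-set "$ACME_ZONE" "$owner" "$TTL" TXT "$3"
    $KNOTC zone-commit "$ACME_ZONE"
    sleep "$PROPAGATION_WAIT"
}

# dehydrated calls: hook.sh clean_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
# Remove the TXT record again so stale tokens do not accumulate in the zone.
clean_challenge() {
    owner=$(challenge_owner "$1")
    $KNOTC zone-begin "$ACME_ZONE"
    $KNOTC zone-unset "$ACME_ZONE" "$owner" TXT
    $KNOTC zone-commit "$ACME_ZONE"
}

# dehydrated calls: hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# Copy only what the DNS servers need into the ftp export area.
deploy_cert() {
    dest="$EXPORT_DIR/$1"
    mkdir -p "$dest"
    install -m 0644 "$4" "$dest/fullchain.pem"
    install -m 0640 "$2" "$dest/privkey.pem"
}

if [ "$#" -gt 0 ]; then
    handler="$1"; shift
    case "$handler" in
        deploy_challenge|clean_challenge|deploy_cert) "$handler" "$@" ;;
        *) : ;;   # other dehydrated stages (startup_hook, exit_hook, ...) need nothing here
    esac
fi
```

To dry-run it without a running knot, point KNOTC at a script that just prints its arguments and set PROPAGATION_WAIT=0; the printed `zone-set` line is exactly the record dehydrated will expect the CA to find behind the CNAME.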
Write a script to download the certificates to your DNS servers
Do something like the following on each server to download the certificates from your main certificate server.
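An added example of the per-server download script; it is not the page's own. It assumes the management server exports certificates under ftp://certs.acme.example.com/<host>/ (fetched with curl, which speaks FTP natively), that this host is dnsovertls1.example.com, that the TLS proxy reads /etc/dot/fullchain.pem and /etc/dot/privkey.pem, and that it runs as a systemd unit named dot-proxy.service. All of these are placeholders. Beyond the plain download-and-restart the text describes, it restarts the service only when a file actually changed and refuses to install a certificate whose public key does not match the downloaded private key, which catches a half-finished export on the management server.

```shell
#!/bin/sh
# Added example for the DNS servers (not the original page's script).
# Placeholders: certificates are exported under ftp://certs.acme.example.com/<host>/,
# this host is dnsovertls1.example.com, the TLS proxy reads /etc/dot/*.pem and
# is restarted as the systemd unit dot-proxy.service.
set -eu

HOST="${HOST:-dnsovertls1.example.com}"
FTP_BASE="${FTP_BASE:-ftp://certs.acme.example.com}"
CERT_DIR="${CERT_DIR:-/etc/dot}"
SERVICE="${SERVICE:-dot-proxy.service}"
RESTART_CMD="${RESTART_CMD:-systemctl restart}"

# Download one file over ftp. curl has native FTP support; -f fails on errors.
fetch_file() {
    curl -fsS --ftp-pasv -o "$2" "$1"
}

# sha256 of a file, portable between sha256sum (Linux) and shasum (BSD/macOS).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeeds when the candidate ($1) differs from the installed file ($2) or
# the installed file does not exist yet.
file_changed() {
    [ ! -f "$2" ] || [ "$(digest "$1")" != "$(digest "$2")" ]
}

# Succeeds when the certificate's public key equals the private key's.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Fetch fullchain and key into a scratch directory, install them only when
# something changed and the pair is consistent, and restart only then.
# Returns 0 on install, 1 when nothing changed, 2 on a cert/key mismatch.
update_certs() {
    tmp=$(mktemp -d)
    fetch_file "$FTP_BASE/$HOST/fullchain.pem" "$tmp/fullchain.pem"
    fetch_file "$FTP_BASE/$HOST/privkey.pem" "$tmp/privkey.pem"
    if ! file_changed "$tmp/fullchain.pem" "$CERT_DIR/fullchain.pem" \
       && ! file_changed "$tmp/privkey.pem" "$CERT_DIR/privkey.pem"; then
        rm -rf "$tmp"
        return 1
    fi
    if ! cert_matches_key "$tmp/fullchain.pem" "$tmp/privkey.pem"; then
        echo "downloaded certificate does not match downloaded key; not installing" >&2
        rm -rf "$tmp"
        return 2
    fi
    mkdir -p "$CERT_DIR"
    install -m 0644 "$tmp/fullchain.pem" "$CERT_DIR/fullchain.pem"
    install -m 0600 "$tmp/privkey.pem" "$CERT_DIR/privkey.pem"
    rm -rf "$tmp"
    $RESTART_CMD "$SERVICE"
}

if [ "${1:-}" = "run" ]; then
    rc=0; update_certs || rc=$?
    [ "$rc" -eq 1 ] && rc=0   # "nothing new" is not a failure for cron
    exit "$rc"
fi
```

Schedule it from cron as `fetch-certs.sh run`; a mismatch exits non-zero so the job's mail tells you the export on the management server needs attention.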