Let's Encrypt DNS challenge with multiple public DNS providers

There are plenty of third-party ACME (LetsEncrypt) clients out there that provide more features than the default certbot. They maintain a list on their site here: ACME Client Implementations

A lot of them have some sort of DNS plugin architecture and some allow you to specify different plugins for different names in a cert. But none that I know of allow you to combine plugins per-zone (such that more than one plugin would service a single zone's TXT record).

However, if you're already considering writing pre/post hooks to get this done, I'd suggest using something like acme.sh. It has a ton of pre-written DNS plugins. You could probably fairly easily combine two or more of them into a single merged plugin that would effectively accomplish your goal.
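The merged plugin this answer suggests, sketched as an added example (it is not acme.sh's own code and not from the answer's author). It follows the acme.sh DNS plugin contract, in which acme.sh calls dns_<name>_add and dns_<name>_rm with the full record name and the TXT value, and forwards each call to every real plugin listed in an assumed MULTI_PROVIDERS variable. The plugin directory, the MULTI_* names and the invocation shown in the header are assumptions; the plugin deliberately avoids acme.sh's internal helper functions so it can be loaded and exercised outside acme.sh.

```sh
#!/usr/bin/env sh
# dns_multi.sh: a hypothetical acme.sh DNS plugin that fans a single challenge
# record out to several real acme.sh plugins, one per DNS provider. Added
# example, not part of acme.sh; names and paths below are assumptions.
#
# Install as ~/.acme.sh/dnsapi/dns_multi.sh, then (assumed invocation):
#   MULTI_PROVIDERS="cf gd" acme.sh --issue --dns dns_multi -d example.com
# acme.sh calls dns_multi_add <fulldomain> <txtvalue> before validation and
# dns_multi_rm <fulldomain> <txtvalue> afterwards; each call is forwarded to
# dns_<provider>_add / dns_<provider>_rm for every provider listed.

# Where the real plugins live. acme.sh exports LE_WORKING_DIR; the fallback is
# for running this file outside acme.sh.
MULTI_PLUGIN_DIR="${MULTI_PLUGIN_DIR:-${LE_WORKING_DIR:-$HOME/.acme.sh}/dnsapi}"

# _multi_load PROVIDER: source dnsapi/dns_PROVIDER.sh unless its functions are
# already defined (acme.sh, or a test, may have loaded them already).
_multi_load() {
  if ! command -v "dns_${1}_add" >/dev/null 2>&1; then
    f="$MULTI_PLUGIN_DIR/dns_${1}.sh"
    if [ ! -r "$f" ]; then
      echo "dns_multi: plugin $f not found" >&2
      return 1
    fi
    . "$f"
  fi
}

# _multi_each OP FULLDOMAIN TXTVALUE: run dns_<provider>_OP for every provider.
# Every provider is attempted even if one fails, so a partial outage does not
# leave the others untouched; the return code is non-zero if any of them failed,
# which makes acme.sh abort the issue instead of validating against a zone copy
# that never received the record.
_multi_each() {
  op="$1"; fulldomain="$2"; txtvalue="$3"; rc=0
  if [ -z "$MULTI_PROVIDERS" ]; then
    echo 'dns_multi: set MULTI_PROVIDERS="cf gd ..." (space-separated acme.sh plugin suffixes)' >&2
    return 1
  fi
  for p in $MULTI_PROVIDERS; do
    if _multi_load "$p" && "dns_${p}_${op}" "$fulldomain" "$txtvalue"; then
      echo "dns_multi: $op $fulldomain via $p ok"
    else
      echo "dns_multi: $op $fulldomain via $p FAILED" >&2
      rc=1
    fi
  done
  return $rc
}

# The two entry points acme.sh expects from a DNS plugin.
dns_multi_add() { _multi_each add "$1" "$2"; }
dns_multi_rm()  { _multi_each rm  "$1" "$2"; }
```

Each real plugin still reads its own credentials from the environment (or from acme.sh's saved account config) exactly as it does when used alone; the merged plugin only sequences the calls and aggregates the result.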


Letsencrypt validates your TXT entries by just querying a random resolver, with no control whatsoever over which one of your name servers is going to be used.

  • letsencrypt/boulder/bdns/dns.go

    chosenServer := dnsClient.servers[rand.Intn(len(dnsClient.servers))]

I recommend you delegate the _acme-challenge.example.com. zone to just one DNS provider you have automated access to. You will never have a DoS situation at any of your DNS providers for longer than it takes to change this - or for longer than letsencrypt certificates are valid for. Therefore, it's okay to skip the redundancy for ACME only, so you can use all the automation just like before you added more name servers.

Edit based on comments: This strategy will not allow you to continue using certbot, as the respective certbot plugins are not correctly handling aliased or delegated validation domains. They should look to modify the zone of the validation record, but attempt to modify the zone of the validated domain, disregarding that it is very valid for them to differ.

Other ACME clients may require you to explicitly state the location of the validation record, as is the case with acme.sh.
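An added pre-flight check for the delegation this answer recommends (example code, not from the answer's author and not from any ACME client). It reports whether _acme-challenge.<name> is reached via an NS delegation, via a CNAME alias (the layout acme.sh's --challenge-alias option expects) or not at all, and, given the TXT value, confirms that several independent resolvers already return it, which matters precisely because the CA does not say which resolver it will use. The resolver list, the CHECK_* environment variables and the file name are assumptions; the parsing helpers are kept separate from the dig calls so they can be exercised without network access.

```sh
#!/usr/bin/env sh
# acme_delegation_check.sh: pre-flight check for a delegated _acme-challenge
# name. Added example, not from the original post or from any ACME client;
# resolver list and variable names are assumptions.
#
# Usage (assumed):
#   CHECK_NAME=example.com sh acme_delegation_check.sh
#   CHECK_NAME=example.com CHECK_TXT=<token> sh acme_delegation_check.sh

# Assumed set of recursive resolvers to cross-check; any will do.
RESOLVERS="${RESOLVERS:-1.1.1.1 8.8.8.8 9.9.9.9}"

# classify_delegation CNAME_ANSWER NS_ANSWER
#   Given the `dig +short` answers for the CNAME and NS queries on the label,
#   prints CNAME, NS or NONE. Pure function, so it is testable offline.
classify_delegation() {
  if [ -n "$1" ]; then echo CNAME
  elif [ -n "$2" ]; then echo NS
  else echo NONE
  fi
}

# txt_has_value EXPECTED   (reads `dig +short TXT` output on stdin)
#   dig prints TXT rdata in double quotes and, when the label is a CNAME, the
#   alias target first; succeed if any line, unquoted, equals EXPECTED.
#   Assumes the value fits in one quoted string, as ACME tokens do.
txt_has_value() {
  while IFS= read -r line; do
    line=${line#\"}; line=${line%\"}
    [ "$line" = "$1" ] && return 0
  done
  return 1
}

# describe_delegation NAME: report how _acme-challenge.NAME is reached.
describe_delegation() {
  label="_acme-challenge.$1"
  cname=$(dig +short CNAME "$label")
  ns=$(dig +short NS "$label")
  case "$(classify_delegation "$cname" "$ns")" in
    CNAME)
      echo "$label is an alias for $cname"
      # acme.sh prepends _acme-challenge. to the --challenge-alias value
      # itself, so the hint only applies when the target carries that prefix.
      target=${cname%.}
      case "$target" in
        _acme-challenge.*) echo "  acme.sh: --challenge-alias ${target#_acme-challenge.}" ;;
      esac
      ;;
    NS)
      echo "$label is delegated to:"
      echo "$ns" | sed 's/^/  /'
      ;;
    NONE)
      echo "$label is served by the parent zone: every provider's copy must carry the TXT"
      ;;
  esac
}

# check_resolvers LABEL EXPECTED: fail unless every resolver returns EXPECTED.
# A MISS means a cache or propagation lag the CA may well run into.
check_resolvers() {
  rc=0
  for r in $RESOLVERS; do
    if dig +short "@$r" TXT "$1" | txt_has_value "$2"; then
      echo "ok    $r returns the expected TXT for $1"
    else
      echo "MISS  $r does not (yet) return it for $1" >&2
      rc=1
    fi
  done
  return $rc
}

# Only act when invoked with CHECK_NAME, so the file can also be sourced.
if [ -n "${CHECK_NAME:-}" ]; then
  describe_delegation "$CHECK_NAME"
  [ -z "${CHECK_TXT:-}" ] || check_resolvers "_acme-challenge.$CHECK_NAME" "$CHECK_TXT"
fi
```

Run the TXT check from a DNS hook only after the automated provider has accepted the record; a clean result from all listed resolvers is a good signal to let the ACME client proceed to validation, a MISS is the moment to wait rather than to trigger a failed authorization.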