desec.io allows you to create (through the API) tightly-scoped tokens that can only update the "_acme-challenge.subdomain.example.com" domain needed for DNS-01 challenges.
I switched to them from Cloudflare DNS for that specific functionality and it works great.