I remember being annoyed because the docs don't actually say you can't do it: https://certbot-dns-rfc2136.readthedocs.io/en/stable/

...but they also don't say how to specify the zone to be updated like acme.sh does: https://github.com/acmesh-official/acme.sh/blob/master/dnsap...

So say you want a cert for *.foo.com, and you have:

    _acme-challenge.foo.com CNAME _acme-challenge.foo.bar.com

...I can make certbot talk to the foo.bar.com DNS server, but it tries to add the TXT record for _acme-challenge.foo.com, which that DNS server obviously rejects (and even if it accepted it, that obviously wouldn't work).

I'd be happy to hear there's a way to do it that I missed. Also I'm specifically talking about the rfc2136 support, maybe some of the proprietary certbot backends do support this.

EDIT: Here are more references:

https://github.com/certbot/certbot/issues/6566

https://github.com/certbot/certbot/pull/5350

https://github.com/certbot/certbot/pull/6644