joohoi / acme-dns

Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.
MIT License

Can I use acme-dns for the entire domain including example.org instead of auth.example.org? #256

Open krouter opened 3 years ago

krouter commented 3 years ago

I would like to set up one _acme-challenge CNAME record at the domain level, e.g. "_acme-challenge.example.org CNAME d53gsf-gn67e-rogm98cd.auth.acme-dns.io.", and use acme-dns-client to additionally set up a CAA record.

From there on, I can install acme.sh and continue to get new SSL certs issued and renewed for various subdomains without having to manually mess with the TXT records on Google DNS anymore.

Is this a correct understanding of how acme-dns works?

CaptiveCreeper commented 3 years ago

Yes, you can create certs for your entire domain. The only catch is that you need to make a CNAME record that points to the TXT record under your auth.acme-dns.io.

So if you wanted a cert for "test.example.org", your client would make a unique ID for a TXT record on auth.acme-dns.io; let's call it d53gsf-gn67e-rogm98cd.auth.acme-dns.io. You now need to make a CNAME record that points _acme-challenge.test.example.org to d53gsf-gn67e-rogm98cd.auth.acme-dns.io. You will need a CNAME for each cert that is created.

If you don't want to have to handle that many CNAMEs, you can do a * (wildcard) cert with the DNS challenge. (I haven't set one of these up yet, so I don't have any input on how the CNAME will work, although your client will likely tell you what CNAME to make when you use it.)
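The delegation model described in this answer, as an added example that is not part of the thread or of the acme-dns project: a small checker that follows the CNAME chain from `_acme-challenge.<name>` the way a CA's validator would, confirms the chain ends under the acme-dns zone, and only then reads the TXT value. It also handles the wildcard case the answer was unsure about (for `*.example.org` the dns-01 challenge name is `_acme-challenge.example.org`). All DNS records are constructed in a table; `check_delegation` and the hostnames other than those in the thread are assumptions for the example.

```python
# Added example, not acme-dns code. Records are constructed; a real check
# would query a resolver for CNAME and TXT instead of reading RECORDS.
ACME_DNS_ZONE = "auth.acme-dns.io."

RECORDS = {
    # Correct delegation, as described in the answer above.
    "_acme-challenge.test.example.org.": [("CNAME", "d53gsf-gn67e-rogm98cd.auth.acme-dns.io.")],
    "d53gsf-gn67e-rogm98cd.auth.acme-dns.io.": [("TXT", "constructed-validation-token")],
    # Wildcard cert for *.example.org: the challenge lives at the base name.
    "_acme-challenge.example.org.": [("CNAME", "d53gsf-gn67e-rogm98cd.auth.acme-dns.io.")],
    # No CNAME was created for this name, so validation cannot reach acme-dns.
    "_acme-challenge.other.example.org.": [("TXT", "stale-token")],
    # Delegation that points outside the acme-dns zone (misconfiguration).
    "_acme-challenge.bad.example.org.": [("CNAME", "example.net.")],
    "example.net.": [("TXT", "irrelevant")],
    # CNAME loop (misconfiguration).
    "_acme-challenge.loop.example.org.": [("CNAME", "_acme-challenge.loop.example.org.")],
}


def lookup(name, rtype):
    """Return the values of type rtype for name from the constructed table."""
    return [v for t, v in RECORDS.get(name, []) if t == rtype]


def challenge_name(identifier):
    """Owner name of the dns-01 challenge; a wildcard uses its base domain."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".") + "."


def validation_target(identifier, zone=ACME_DNS_ZONE, max_hops=8):
    """Follow CNAMEs from the challenge name; return the final owner name.

    Raises ValueError on a loop, an over-long chain, or a chain that does not
    end under the acme-dns zone (e.g. the CNAME was never created).
    """
    current, seen = challenge_name(identifier), set()
    for _ in range(max_hops):
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        targets = lookup(current, "CNAME")
        if not targets:
            break
        current = targets[0]
    else:
        raise ValueError("CNAME chain exceeds max_hops")
    if not current.endswith("." + zone):
        raise ValueError(f"{current} is not delegated to {zone}")
    return current


def check_delegation(identifier):
    """Return (ok, detail): detail is the TXT values or the failure reason."""
    try:
        return True, lookup(validation_target(identifier), "TXT")
    except ValueError as err:
        return False, str(err)
```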