Azure allows a principal to manage individual records of a zone. This allows having different credentials per record.
It would be nice to clear the TXT record (setting it to blank or '-') instead of deleting the record, so the role assignment is persisted.
IMHO, security-wise, I'm not sure how much advantage there is in leaving a blank record instead of deleting it, as you can query https://crt.sh/ (certificate transparency logs) for a given domain, so knowing that an _acme-challenge entry exists in a domain isn't any different at all from querying crt.sh.
Still, when combined with #14 it is very useful to have a single zone to hold challenges across several domains without having multiple zones registered in Azure DNS (saving on billing, since it charges per zone + per million queries).
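An added example, not code from this issue or from the project, showing what the per-record role scope and the clear-instead-of-delete step described above look like with the Azure CLI. It assumes the ARM id of a single TXT record set is used as the assignment scope, that `az` is installed and logged in when `DRY_RUN=0`, and that `--keep-empty-record-set` leaves the empty record set in place; the subscription, group, zone and principal values are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the issue): grant a principal rights on one ACME
# challenge TXT record set only, publish a token, then clear the token
# while keeping the record set so the assignment scoped to it survives.
# Assumptions: az is logged in; zone and record set exist; SUBSCRIPTION,
# RG, ZONE and PRINCIPAL below are constructed placeholders.
set -euo pipefail

SUBSCRIPTION="${SUBSCRIPTION:-00000000-0000-0000-0000-000000000000}"
RG="${RG:-dns-rg}"
ZONE="${ZONE:-acme.example.com}"
PRINCIPAL="${PRINCIPAL:-<service-principal-object-id>}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands instead of running them

# Run or echo an az command, so the script can be read without an account.
run() { if [ "$DRY_RUN" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi; }

# ARM resource id of a single TXT record set: the narrowest DNS scope Azure
# RBAC accepts, so the principal can touch this record set and nothing else.
record_set_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/dnszones/%s/TXT/%s' \
    "$SUBSCRIPTION" "$RG" "$ZONE" "$1"
}

# Assign DNS Zone Contributor on one record set instead of the whole zone.
grant_record_scope() {
  run role assignment create --assignee "$PRINCIPAL" \
    --role "DNS Zone Contributor" --scope "$(record_set_scope "$1")"
}

# Publish the challenge token as a TXT value.
set_challenge() {
  run network dns record-set txt add-record --resource-group "$RG" \
    --zone-name "$ZONE" --record-set-name "$1" --value "$2"
}

# Remove the token but keep the (now empty) record set, so the role
# assignment scoped to it is not left pointing at a deleted resource.
clear_challenge() {
  run network dns record-set txt remove-record --resource-group "$RG" \
    --zone-name "$ZONE" --record-set-name "$1" --value "$2" --keep-empty-record-set
}

grant_record_scope "_acme-challenge.www"
set_challenge "_acme-challenge.www" "constructed-token-value"
clear_challenge "_acme-challenge.www" "constructed-token-value"
```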