Previously you couldn't tell Let's Encrypt "Just don't use the other challenges" and you couldn't tell them "Just don't let people use their own ACME account" and so even if you only ever do DNS challenges, and you have DNS integrity, bad guys who control one of your systems can run Certbot and get themselves a certificate via the http-01 challenge.
So yeah, it doesn't make the DNS challenges more secure, but in some cases it makes it possible to rule out lots of other risks outside DNS, narrowing your attack surface very considerably if you are able to do that.
This is about raising the low bar, not the high bar.
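The restriction the comment describes is the `validationmethods` and `accounturi` CAA parameters from RFC 8657. As an added example (not part of the comment above), here is a small evaluator that applies a CAA record set the way an RFC 8657-aware CA would, so you can see an http-01 request from a compromised host being refused while dns-01 from the intended account is permitted; it handles `issue` records only (not `issuewild` or the critical flag), and the account URI is a constructed placeholder.

```python
from dataclasses import dataclass
import re

@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str

_RDATA = re.compile(r'^(\d+)\s+(\w+)\s+"([^"]*)"$')

def parse_caa(rdata: str) -> CAARecord:
    """Parse presentation-format CAA rdata, e.g. '0 issue "letsencrypt.org"'."""
    m = _RDATA.match(rdata.strip())
    if not m:
        raise ValueError(f"unparseable CAA rdata: {rdata!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3))

def _split_issue(value: str):
    # "letsencrypt.org; validationmethods=dns-01; accounturi=..." -> (ca, {params})
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return parts[0], params

def issuance_allowed(records, ca: str, method: str, account_uri: str) -> bool:
    """True if `ca` may issue via `method` for ACME account `account_uri`.
    An 'issue' record permits issuance only if its CA matches and every
    RFC 8657 parameter it carries matches the request."""
    issue = [r for r in records if r.tag == "issue"]
    if not issue:
        return True  # no 'issue' records: CAA does not restrict this request
    for r in issue:
        domain, params = _split_issue(r.value)
        if domain != ca:
            continue  # also covers 'issue ";"', which forbids every CA
        methods = params.get("validationmethods")
        if methods and method not in {m.strip() for m in methods.split(",")}:
            continue
        acct = params.get("accounturi")
        if acct and acct != account_uri:
            continue
        return True
    return False

# Constructed zone: only DNS-01, only from one ACME account (placeholder URI).
ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/EXAMPLE"
ZONE = [parse_caa('0 issue "letsencrypt.org; validationmethods=dns-01; accounturi=' + ACCT + '"')]
```

With `ZONE` published, Certbot run from a compromised web host still cannot obtain a certificate via http-01, which is the "low bar" the comment refers to.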