From 48dda2031f4c8b49787528be46d7df509fe42772 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 27 Apr 2026 11:46:23 -0700
Subject: [PATCH 1/3] Bump github.com/letsencrypt/boulder from 0.20260413.0 to
 0.20260420.0 (#169)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps
[github.com/letsencrypt/boulder](https://github.com/letsencrypt/boulder)
from 0.20260413.0 to 0.20260420.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/letsencrypt/boulder/releases">github.com/letsencrypt/boulder's
releases</a>.</em></p>
<blockquote>
<h2>v0.20260420.0</h2>
<h2>What's Changed</h2>
<ul>
<li>bump pkimetal to v1.41.0 and ignore new ctlint warning by <a
href="https://github.com/mcpherrinm"><code>@​mcpherrinm</code></a> in <a
href="https://redirect.github.com/letsencrypt/boulder/pull/8713">letsencrypt/boulder#8713</a></li>
<li>observer: use new URL for AllCertificates by <a
href="https://github.com/jsha"><code>@​jsha</code></a> in <a
href="https://redirect.github.com/letsencrypt/boulder/pull/8718">letsencrypt/boulder#8718</a></li>
<li>observer: use CCADB AllCertificates V5 URL by <a
href="https://github.com/jsha"><code>@​jsha</code></a> in <a
href="https://redirect.github.com/letsencrypt/boulder/pull/8719">letsencrypt/boulder#8719</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/letsencrypt/boulder/compare/v0.20260413.0...v0.20260420.0">https://github.com/letsencrypt/boulder/compare/v0.20260413.0...v0.20260420.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/letsencrypt/boulder/commit/05635e877fe2f94c109bab178632f5d1582e21f8"><code>05635e8</code></a>
observer: use CCADB AllCertificates V5 URL (<a
href="https://redirect.github.com/letsencrypt/boulder/issues/8719">#8719</a>)</li>
<li><a
href="https://github.com/letsencrypt/boulder/commit/e987484a9fd4931bf4c25c3c0c82f7dd3f11e13e"><code>e987484</code></a>
observer: use new URL for AllCertificates (<a
href="https://redirect.github.com/letsencrypt/boulder/issues/8718">#8718</a>)</li>
<li><a
href="https://github.com/letsencrypt/boulder/commit/c430d1a4a6035682cdf55caa4c08d8d900cec651"><code>c430d1a</code></a>
bump pkimetal to v1.41.0 and ignore new ctlint warning (<a
href="https://redirect.github.com/letsencrypt/boulder/issues/8713">#8713</a>)</li>
<li>See full diff in <a
href="https://github.com/letsencrypt/boulder/compare/v0.20260413.0...v0.20260420.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/letsencrypt/boulder&package-manager=go_modules&previous-version=0.20260413.0&new-version=0.20260420.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index ed6825a..adcaaa3 100644
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.57.1
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.99.0
 	github.com/caddyserver/certmagic v0.25.1
-	github.com/letsencrypt/boulder v0.20260413.0
+	github.com/letsencrypt/boulder v0.20260420.0
 	github.com/libdns/route53 v1.6.0
 	github.com/mholt/acmez/v3 v3.1.4
 	github.com/stretchr/testify v1.11.1
diff --git a/go.sum b/go.sum
index a3bc3f7..0845ad4 100644
--- a/go.sum
+++ b/go.sum
@@ -98,8 +98,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/letsencrypt/boulder v0.20260413.0 h1:KUxB0aJ8VUIJYPrSaZaO3IPuDrGfyXmNYyoSUGl6hkk=
-github.com/letsencrypt/boulder v0.20260413.0/go.mod h1:ZisB912eU757QUU0PTH+zq2JScaegVjPVKtPn2K1U3w=
+github.com/letsencrypt/boulder v0.20260420.0 h1:PMFy37+tQAfNe2Qks7NhTrKbULzhVmj19LbaZIaz0SE=
+github.com/letsencrypt/boulder v0.20260420.0/go.mod h1:ZisB912eU757QUU0PTH+zq2JScaegVjPVKtPn2K1U3w=
 github.com/letsencrypt/pkcs11key/v4 v4.0.1 h1:XIXFxOnQJS5QYBlMnHhnlOBVcfylh7m3fjOJmVcEV88=
 github.com/letsencrypt/pkcs11key/v4 v4.0.1/go.mod h1:6KfGBMkPEL6OAIRFSZ0VTj3e9G0Yv9G17W5oQ2x1/UQ=
 github.com/letsencrypt/validator/v10 v10.0.0-20230215210743-a0c7dfc17158 h1:HGFsIltYMUiB5eoFSowFzSoXkocM2k9ctmJ57QMGjys=

From dfe80c88dcf77e93261c8e127611b2adb059e0f6 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 27 Apr 2026 11:49:22 -0700
Subject: [PATCH 2/3] Bump github.com/libdns/route53 from 1.6.0 to 1.6.2 (#170)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps [github.com/libdns/route53](https://github.com/libdns/route53)
from 1.6.0 to 1.6.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/libdns/route53/releases">github.com/libdns/route53's
releases</a>.</em></p>
<blockquote>
<h2>v1.6.2</h2>
<h3>Fixed</h3>
<ul>
<li>Concurrent <code>AppendRecords</code> calls targeting the same
<code>(name, type)</code> no longer lose values. The provider now
serializes the read-merge-UPSERT cycle per <code>(zone, name,
type)</code>. Previously, two goroutines (e.g. ACME challenges for
<code>example.com</code> and <code>*.example.com</code> sharing
<code>_acme-challenge.example.com</code> TXT) could both observe
pre-write state and the later UPSERT would clobber the earlier — causing
dropped tokens and validation failures.</li>
<li><code>SetRecords</code> with multiple input records sharing the same
<code>(name, type)</code> now keeps all values. The previous per-record
loop UPSERTed each independently, leaving only the last value.</li>
<li>Pre-existing filter bug in the <code>AppendRecords</code> /
<code>DeleteRecords</code> merge path: <code>getRecords</code> returns
relative names but the filter compared against
<code>libdns.AbsoluteName(...)</code>, so existing values were never
matched. The merge silently treated the set as empty, which (combined
with UPSERT replacing the entire RecordSet) could overwrite data.
Fixed.</li>
</ul>
<h3>Added</h3>
<ul>
<li>Regression tests in <code>libdnstest/</code>:
<code>TestAppendRecords_Concurrent</code> (10 goroutines into one shared
name) and <code>TestSetRecords_MultiValue</code>.</li>
</ul>
<h3>Internal</h3>
<ul>
<li><code>Provider.init</code> now uses <code>sync.Once</code> for AWS
client construction (was a non-atomic <code>nil</code> check).</li>
<li>Removed dead code: <code>createRecord</code>,
<code>changeRecord</code>, <code>updateRecord</code> (orphaned by <a
href="https://redirect.github.com/libdns/route53/issues/294">#294</a>
and the <code>SetRecords</code> rewrite).</li>
<li><code>quote.go</code>: address <code>gosec</code> G115 and
<code>staticcheck</code> QF1012 warnings.</li>
</ul>
<h3>Note on multi-process deployments</h3>
<p>The lock is in-process. Multiple processes writing to the same
RecordSet still need external coordination — <code>certmagic</code>'s
per-identifier storage lock does not cover this case because racing
identifiers (e.g. <code>foo.example.com</code> vs
<code>*.foo.example.com</code>) share a common parent RecordSet.</p>
<h2>v1.6.1</h2>
<h3>Fixed</h3>
<ul>
<li><code>AppendRecords</code> no longer fails when the target
ResourceRecordSet already exists. Single-record appends now merge with
existing values via UPSERT, matching the multi-record path. Resolves
stale ACME challenge TXT failures (<a
href="https://redirect.github.com/libdns/route53/issues/294">#294</a>,
thanks <a
href="https://github.com/andrewseddon"><code>@​andrewseddon</code></a>).</li>
</ul>
<h3>Added</h3>
<ul>
<li><code>Provider.Logger *slog.Logger</code> for structured logging.
Defaults to a discard handler. Wrappers (e.g. caddy-dns/route53) can
adapt their own logger via <code>slog.Handler</code> — for zap, see
<code>go.uber.org/zap/exp/zapslog</code>. Events are Debug-level except
ambiguous zone resolution (Warn).</li>
</ul>
<h3>Internal</h3>
<ul>
<li>Bumped <code>actions/checkout</code> to v6 (<a
href="https://redirect.github.com/libdns/route53/issues/293">#293</a>)
and <code>golangci/golangci-lint-action</code> to v9 (<a
href="https://redirect.github.com/libdns/route53/issues/292">#292</a>).</li>
<li>Fixed <code>libdnstest</code> module to require
<code>github.com/libdns/libdns@v1.2.0-alpha.1</code> (the version that
ships the <code>libdnstest</code> subpackage).</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/libdns/route53/commit/840c6120709b2f9da6d74dc5d562e2625334aecc"><code>840c612</code></a>
Fix quote.go lint warnings</li>
<li><a
href="https://github.com/libdns/route53/commit/14cb77fe35d592279a2459b944a8dd650cd02463"><code>14cb77f</code></a>
Serialize per-tuple record-set RMW; fix multi-value SetRecords</li>
<li><a
href="https://github.com/libdns/route53/commit/a2820bea6ee07956a86f4498bc149efcbc7ec000"><code>a2820be</code></a>
Add structured logging via slog</li>
<li><a
href="https://github.com/libdns/route53/commit/7ebfd9f1fa0a7bdb16b1f418cfdd7f06b36bbcff"><code>7ebfd9f</code></a>
Fix libdnstest module: bump libdns, drop stale replace</li>
<li><a
href="https://github.com/libdns/route53/commit/7399dbebe56d2fd707940dd842058fd1203b2af0"><code>7399dbe</code></a>
Merge pull request <a
href="https://redirect.github.com/libdns/route53/issues/293">#293</a>
from libdns/dependabot/github_actions/actions/checkout-6</li>
<li><a
href="https://github.com/libdns/route53/commit/d14a81ad7e5102a069baf23c7d041021468b6f64"><code>d14a81a</code></a>
Merge pull request <a
href="https://redirect.github.com/libdns/route53/issues/292">#292</a>
from libdns/dependabot/github_actions/golangci/golang...</li>
<li><a
href="https://github.com/libdns/route53/commit/351c9e695134bf4579d0064f2b8f659c00a34ee7"><code>351c9e6</code></a>
Merge pull request <a
href="https://redirect.github.com/libdns/route53/issues/294">#294</a>
from andrewseddon/fix-append-records-upsert</li>
<li><a
href="https://github.com/libdns/route53/commit/2687fa662e0ac184ac451ddc5085edc781eb446d"><code>2687fa6</code></a>
fix: use UPSERT instead of CREATE in AppendRecords for single
records</li>
<li><a
href="https://github.com/libdns/route53/commit/35a512a5adbbfc3ed326e9e0f86590af7b97d802"><code>35a512a</code></a>
chore(deps): bump actions/checkout from 5 to 6</li>
<li><a
href="https://github.com/libdns/route53/commit/38b146f5d07164c2d17458584761419e714a2441"><code>38b146f</code></a>
chore(deps): bump golangci/golangci-lint-action from 8 to 9</li>
<li>See full diff in <a
href="https://github.com/libdns/route53/compare/v1.6.0...v1.6.2">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index adcaaa3..111010c 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.99.0
 	github.com/caddyserver/certmagic v0.25.1
 	github.com/letsencrypt/boulder v0.20260420.0
-	github.com/libdns/route53 v1.6.0
+	github.com/libdns/route53 v1.6.2
 	github.com/mholt/acmez/v3 v3.1.4
 	github.com/stretchr/testify v1.11.1
 )
diff --git a/go.sum b/go.sum
index 0845ad4..eb65ef9 100644
--- a/go.sum
+++ b/go.sum
@@ -106,8 +106,8 @@ github.com/letsencrypt/validator/v10 v10.0.0-20230215210743-a0c7dfc17158 h1:HGFs
 github.com/letsencrypt/validator/v10 v10.0.0-20230215210743-a0c7dfc17158/go.mod h1:ZFNBS3H6OEsprCRjscty6GCBe5ZiX44x6qY4s7+bDX0=
 github.com/libdns/libdns v1.1.1 h1:wPrHrXILoSHKWJKGd0EiAVmiJbFShguILTg9leS/P/U=
 github.com/libdns/libdns v1.1.1/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
-github.com/libdns/route53 v1.6.0 h1:1fZcoCIxagfftw9GBhIqZ2rumEiB0K58n11X7ko2DOg=
-github.com/libdns/route53 v1.6.0/go.mod h1:7QGcw/2J0VxcVwHsPYpuo1I6IJLHy77bbOvi1BVK3eE=
+github.com/libdns/route53 v1.6.2 h1:unPlpgC2InQ/xrql5NOwCmFS9vZrRx8lH1WUo8/rjk8=
+github.com/libdns/route53 v1.6.2/go.mod h1:7QGcw/2J0VxcVwHsPYpuo1I6IJLHy77bbOvi1BVK3eE=
 github.com/mholt/acmez/v3 v3.1.4 h1:DyzZe/RnAzT3rpZj/2Ii5xZpiEvvYk3cQEN/RmqxwFQ=
 github.com/mholt/acmez/v3 v3.1.4/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
 github.com/miekg/dns v1.1.70 h1:DZ4u2AV35VJxdD9Fo9fIWm119BsQL5cZU1cQ9s0LkqA=

From 13932bf59bb3eb1a084b2934bcfb01f143d63bc1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 27 Apr 2026 11:52:20 -0700
Subject: [PATCH 3/3] Bump github.com/caddyserver/certmagic from 0.25.1 to
 0.25.3 (#171)

Bumps
[github.com/caddyserver/certmagic](https://github.com/caddyserver/certmagic)
from 0.25.1 to 0.25.3.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/caddyserver/certmagic/commit/c7496f1a6a93025c528b03cde701bf06394440fd"><code>c7496f1</code></a>
More validation of delegated OCSP responders (<a
href="https://redirect.github.com/caddyserver/certmagic/issues/378">#378</a>)</li>
<li><a
href="https://github.com/caddyserver/certmagic/commit/cdc4eb24e7ec1d14fe3a8f71f6069212dae9c265"><code>cdc4eb2</code></a>
fix: Normalization IPv6 addresses for ACME challenge (<a
href="https://redirect.github.com/caddyserver/certmagic/issues/376">#376</a>)</li>
<li><a
href="https://github.com/caddyserver/certmagic/commit/2cf7e0858b0d34834263033536515f91a40ddbec"><code>2cf7e08</code></a>
Revert &quot;Fix HTTP-01 challenge for IPv6 literal addresses (<a
href="https://redirect.github.com/caddyserver/certmagic/issues/377">#377</a>)&quot;</li>
<li><a
href="https://github.com/caddyserver/certmagic/commit/3e3363fcc7cd7a02a4104478ebf832d56df65182"><code>3e3363f</code></a>
readme: add dark-mode banner for GitHub UI (<a
href="https://redirect.github.com/caddyserver/certmagic/issues/379">#379</a>)</li>
<li><a
href="https://github.com/caddyserver/certmagic/commit/3229642925944adf6cd82422153f127303c325e5"><code>3229642</code></a>
go.mod: Upgrade indirect dependencies</li>
<li><a
href="https://github.com/caddyserver/certmagic/commit/60d9d8b415d6e3f2fa7aec9b440c7dc2473126d4"><code>60d9d8b</code></a>
Fix HTTP-01 challenge for IPv6 literal addresses (<a
href="https://redirect.github.com/caddyserver/certmagic/issues/377">#377</a>)</li>
<li><a
href="https://github.com/caddyserver/certmagic/commit/e03792e204502548bb056f9c86ec72dda63d57f3"><code>e03792e</code></a>
Modernize TLSConfig() (close <a
href="https://redirect.github.com/caddyserver/certmagic/issues/375">#375</a>)</li>
<li><a
href="https://github.com/caddyserver/certmagic/commit/fa1257f02bda2d7de97a5f004114b0062b0a6fbd"><code>fa1257f</code></a>
Unblock ManageAsync() by putting manageOne() in a goroutine (<a
href="https://redirect.github.com/caddyserver/certmagic/issues/374">#374</a>)</li>
<li><a
href="https://github.com/caddyserver/certmagic/commit/b9e85a9e914f184eb5ae0f45e2fa2df188ff692e"><code>b9e85a9</code></a>
Don't log nil errors when stapling OCSP (fix <a
href="https://redirect.github.com/caddyserver/certmagic/issues/362">#362</a>)</li>
<li><a
href="https://github.com/caddyserver/certmagic/commit/a7a8ce3b2c2161378323b340b7f9d44f4dd2f86c"><code>a7a8ce3</code></a>
logging: Disable stack traces, fix logger name (<a
href="https://redirect.github.com/caddyserver/certmagic/issues/372">#372</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/caddyserver/certmagic/compare/v0.25.1...v0.25.3">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 22 +++++++++++-----------
 go.sum | 54 ++++++++++++++++++++++++++++++------------------------
 2 files changed, 41 insertions(+), 35 deletions(-)

diff --git a/go.mod b/go.mod
index 111010c..739b025 100644
--- a/go.mod
+++ b/go.mod
@@ -9,10 +9,10 @@ require (
 	github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.20.37
 	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.57.1
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.99.0
-	github.com/caddyserver/certmagic v0.25.1
+	github.com/caddyserver/certmagic v0.25.3
 	github.com/letsencrypt/boulder v0.20260420.0
 	github.com/libdns/route53 v1.6.2
-	github.com/mholt/acmez/v3 v3.1.4
+	github.com/mholt/acmez/v3 v3.1.6
 	github.com/stretchr/testify v1.11.1
 )
 
@@ -36,13 +36,13 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.10 // indirect
 	github.com/aws/smithy-go v1.24.2 // indirect
-	github.com/caddyserver/zerossl v0.1.4 // indirect
+	github.com/caddyserver/zerossl v0.1.5 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/google/certificate-transparency-go v1.3.2 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/libdns/libdns v1.1.1 // indirect
-	github.com/miekg/dns v1.1.70 // indirect
+	github.com/miekg/dns v1.1.72 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/weppos/publicsuffix-go v0.50.3 // indirect
@@ -52,13 +52,13 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.1 // indirect
 	go.uber.org/zap/exp v0.3.0 // indirect
-	golang.org/x/crypto v0.48.0 // indirect
-	golang.org/x/mod v0.32.0 // indirect
-	golang.org/x/net v0.51.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.41.0 // indirect
-	golang.org/x/text v0.34.0 // indirect
-	golang.org/x/tools v0.41.0 // indirect
+	golang.org/x/crypto v0.50.0 // indirect
+	golang.org/x/mod v0.35.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
+	golang.org/x/tools v0.44.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260112192933-99fd39fd28a9 // indirect
 	google.golang.org/grpc v1.79.3 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
diff --git a/go.sum b/go.sum
index eb65ef9..7d9375f 100644
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,5 @@
+code.pfad.fr/check v1.1.0 h1:GWvjdzhSEgHvEHe2uJujDcpmZoySKuHQNrZMfzfO0bE=
+code.pfad.fr/check v1.1.0/go.mod h1:NiUH13DtYsb7xp5wll0U4SXx7KhXQVCtRgdC96IPfoM=
 filippo.io/edwards25519 v1.1.1 h1:YpjwWWlNmGIDyXOn8zLzqiD+9TyIlPhGFG96P39uBpw=
 filippo.io/edwards25519 v1.1.1/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/aws/aws-lambda-go v1.54.0 h1:EGYpdyRGF88xszqlGcBewz811mJeRS+maNlLZXFheII=
@@ -52,10 +54,10 @@ github.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng=
 github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/caddyserver/certmagic v0.25.1 h1:4sIKKbOt5pg6+sL7tEwymE1x2bj6CHr80da1CRRIPbY=
-github.com/caddyserver/certmagic v0.25.1/go.mod h1:VhyvndxtVton/Fo/wKhRoC46Rbw1fmjvQ3GjHYSQTEY=
-github.com/caddyserver/zerossl v0.1.4 h1:CVJOE3MZeFisCERZjkxIcsqIH4fnFdlYWnPYeFtBHRw=
-github.com/caddyserver/zerossl v0.1.4/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
+github.com/caddyserver/certmagic v0.25.3 h1:mGf5ba8F7xA4c5jfDZZbK2buY1VEkbnwpMDixaju94A=
+github.com/caddyserver/certmagic v0.25.3/go.mod h1:YVs43D5+H/Dckt4bTga1KSO/xYfFBfVZainGDywYPAA=
+github.com/caddyserver/zerossl v0.1.5 h1:dkvOjBAEEtY6LIGAHei7sw2UgqSD6TrWweXpV7lvEvE=
+github.com/caddyserver/zerossl v0.1.5/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -100,6 +102,10 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/letsencrypt/boulder v0.20260420.0 h1:PMFy37+tQAfNe2Qks7NhTrKbULzhVmj19LbaZIaz0SE=
 github.com/letsencrypt/boulder v0.20260420.0/go.mod h1:ZisB912eU757QUU0PTH+zq2JScaegVjPVKtPn2K1U3w=
+github.com/letsencrypt/challtestsrv v1.4.2 h1:0ON3ldMhZyWlfVNYYpFuWRTmZNnyfiL9Hh5YzC3JVwU=
+github.com/letsencrypt/challtestsrv v1.4.2/go.mod h1:GhqMqcSoeGpYd5zX5TgwA6er/1MbWzx/o7yuuVya+Wk=
+github.com/letsencrypt/pebble/v2 v2.10.0 h1:Wq6gYXlsY6ubqI3hhxsTzdyotvfdjFBxuwYqCLCnj/U=
+github.com/letsencrypt/pebble/v2 v2.10.0/go.mod h1:Sk8cmUIPcIdv2nINo+9PB4L+ZBhzY+F9A1a/h/xmWiQ=
 github.com/letsencrypt/pkcs11key/v4 v4.0.1 h1:XIXFxOnQJS5QYBlMnHhnlOBVcfylh7m3fjOJmVcEV88=
 github.com/letsencrypt/pkcs11key/v4 v4.0.1/go.mod h1:6KfGBMkPEL6OAIRFSZ0VTj3e9G0Yv9G17W5oQ2x1/UQ=
 github.com/letsencrypt/validator/v10 v10.0.0-20230215210743-a0c7dfc17158 h1:HGFsIltYMUiB5eoFSowFzSoXkocM2k9ctmJ57QMGjys=
@@ -108,10 +114,10 @@ github.com/libdns/libdns v1.1.1 h1:wPrHrXILoSHKWJKGd0EiAVmiJbFShguILTg9leS/P/U=
 github.com/libdns/libdns v1.1.1/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/libdns/route53 v1.6.2 h1:unPlpgC2InQ/xrql5NOwCmFS9vZrRx8lH1WUo8/rjk8=
 github.com/libdns/route53 v1.6.2/go.mod h1:7QGcw/2J0VxcVwHsPYpuo1I6IJLHy77bbOvi1BVK3eE=
-github.com/mholt/acmez/v3 v3.1.4 h1:DyzZe/RnAzT3rpZj/2Ii5xZpiEvvYk3cQEN/RmqxwFQ=
-github.com/mholt/acmez/v3 v3.1.4/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
-github.com/miekg/dns v1.1.70 h1:DZ4u2AV35VJxdD9Fo9fIWm119BsQL5cZU1cQ9s0LkqA=
-github.com/miekg/dns v1.1.70/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
+github.com/mholt/acmez/v3 v3.1.6 h1:eGVQNObP0pBN4sxqrXeg7MYqTOWyoiYpQqITVWlrevk=
+github.com/mholt/acmez/v3 v3.1.6/go.mod h1:5nTPosTGosLxF3+LU4ygbgMRFDhbAVpqMI4+a4aHLBY=
+github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
+github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
 github.com/miekg/pkcs11 v1.1.2 h1:/VxmeAX5qU6Q3EwafypogwWbYryHFmF2RpkJmw3m4MQ=
 github.com/miekg/pkcs11 v1.1.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
@@ -176,22 +182,22 @@ go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U=
 go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
-golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
-golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
-golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
-golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
-golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
-golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
-golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
-golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
-golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
-golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
+golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
+golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 google.golang.org/genproto v0.0.0-20250122153221-138b5a5a4fd4 h1:Pw6WnI9W/LIdRxqK7T6XGugGbHIRl5Q7q3BssH6xk4s=
 google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
 google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=