chore: update acme reference design with design by tom

infrastructure/acme.md

@@ -11,22 +11,26 @@ We agreed to use **ACME DNS-01 challenges** for issuing certificates for **both
 - Restrict write access to the challenge zone to the ACME automation only.
 
 ## Reference Design
-**Dedicated zone:**  
-`_acme.example.com`
+**Dedicated zone:**
+`_acme.digitalboard.ch`
 
-**For a service FQDN:**  
-Target certificate: `app1.example.com`
+**Dedicated zone for each managed school:**
+`gymkirchenfeld._acme.digitalboard.ch`
 
-**Publish in the primary zone:**  
+**For a service FQDN:**
+Target certificate: `app1.gymkirchenfeld.ch`, `app2.kinet.ch`
+
+**Publish in the primary zone:**
 ```dns
 ; Delegate the challenge to the dedicated zone
-_acme-challenge.app1.example.com.  CNAME  app1._acme-challenge._acme.example.com.
-```
+_acme-challenge.app1.gymkirchenfeld.ch.  IN  CNAME
+app1.gymkirchenfeld.ch.gymkirchenfeld._acme.digitalboard.ch.
 
-**Publish in the dedicated zone (managed by the ACME client/automation):**  
-```dns
-; ACME client writes the TXT token here
-app1._acme-challenge._acme.example.com.  TXT  "ACME_VALIDATION_TOKEN"
+_acme-challenge.app2.kinet.ch.           IN  CNAME
+app2.kinet.ch.gymkirchenfeld._acme.digitalboard.ch.
+
+_acme-challenge.app.example.com.        IN  CNAME
+app.example.com.school-a._acme.digitalboard.ch.
 ```
 
 > During validation, the CA will follow the CNAME from the primary zone to the dedicated zone and read the TXT record there.