wfe/ra/va/pa: Add support for draft-ietf-acme-dns-persist-00

[beautifulentropy]

Warning

This PR depends on: eggsampler/acme#31. Once it has been merged we'll need to update go.mod and re-vendor.

Implement the dns-persist-01 ACME challenge type as specified in draft-ietf-acme-dns-persist-00. This challenge proves domain control via a persistent DNS TXT record at _validation-persist.<domain> containing the CA's issuer domain name and the subscriber's account URI.

The following optional features are deliberately not implemented:

• Just-in-Time Validation (section 4.2): Would require the RA to perform validation at order creation time, adding latency and complexity to NewOrder with no current operational need.
• Subdomain validation via policy=wildcard (sections 5 and 6): as implemented, the policy tag gates wildcard certificate issuance but does not enable TXT records further up the domain hierarchy to satisfy subdomain authorizations. The draft has no mechanism for the subscriber to indicate which Authorization Domain Name (ADN) they want to validate at, so the server would have to walk up the domain tree. We've proposed that clients include an ADN field in their challenge POST payload to solve this. We'll wait to see if the draft adopts some form of ADN negotiation before implementing this functionality.
• Authorization reuse (section 7.8): The spec caps reuse to the TXT record's TTL, and the BRs (section 3.2.2.4.22) caps it at 10 days. Since typical TTLs are seconds to minutes, re-validating on every order is simpler and avoids the need to plumb through and enforce TTL values.

Fixes #8527

[github-actions]

@beautifulentropy, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.

[github-actions]

@beautifulentropy, this PR adds one or more new feature flags: DNSPersist01Enabled. As such, this PR must be accompanied by a review of the Let's Encrypt CP/CPS to ensure that our behavior both before and after this flag is flipped is compliant with that document.

Please conduct such a review, then add your findings to the PR description in a paragraph beginning with "CPS Compliance Review:".

[aarongable]

A few comments, mostly small. One big comment on the structure of validateDNSPersist01 itself, so I haven't done a detailed review of its corresponding unit tests yet. Will do that review when they're broken out into helper-level tests.