flyctl certs create "*.validate.run" and I got this:
You are creating a wildcard certificate for *.validate.run We are using lets_encrypt for this certificate. You can validate your ownership of *.validate.run by: 1: Adding an AAAA record to your DNS service which reads: AAAA @ 2a09:8280:1::3:484c OR 1: Adding an CNAME record to your DNS service which reads: CNAME _acme-challenge.validate.run => validate.run.9o0nx.flydns.net.
From what I understand, this means that the AAAA record is enough to validate ownership. I thought “well that’s probably some new thing, let’s just follow it”. Turns out it doesn’t work and I didn’t figure out what I need to do until I went to the GUI website and there the OR was gone. Suddenly the CNAME record is the only way to verify ownership (which makes sense)