Move Certbot challenges to DNS

Uni firewall changes are restricting port 80 access to some machines (despite our previous request). As there's little need for direct port 80 access (we just redirect to HTTPS), consider moving to dns-01 challenges for Let's Encrypt instead of HTTP

We would need to configure BIND on Silver to accept updates, and then generate and store update keys on the relevant machines. The BIND configuration on Silver can restrict each machine to only permit updates for it's specific challenge key.

Docs reference: https://certbot-dns-rfc2136.readthedocs.io/en/stable/