Your key question is this:
How can I protect my web servers from a DDoS attack without giving my private keys to a third party?
But you already answer that yourself:
... or (worse) give them the ability to mint their own valid certificate for your domain (eg control of your DNS for ACME)
It's not clear why you think this is worse - it's much better to have separate certificates with their own private keys that are never transmitted anywhere, and which can be independently revoked, than a single certificate used in multiple places.
Possibly you're assuming that this will be a case of handing the service more passwords, which is unlikely to be the case.
In order to do anything with your traffic, a service needs to sit between the public internet and your servers. That means all your traffic is already flowing through their servers. This generally involves one of two things:
- Creating a CNAME for a specific sub-domain in your DNS that points to their servers.
- Using their name servers to host the DNS zone, so that they can use dynamic DNS resolution, and manage the apex record (which can't be a CNAME).
Once you have either of those in place, they do not need any further access to create a certificate for the domain. For instance CloudFlare's documentation says
There are several methods that are used to complete [the Domain Control Validation] process, the primary ones that Cloudflare works with are:
- HTTP Token
- CNAME DNS Record
- TXT DNS Record
The first of these is simplest: they intercept requests to a certain plain-text HTTP URL and serve the validation token requested by the Certificate Authority.
Ethically, they should not do this without your permission, but by pointing your DNS name at their servers, you are giving them complete control over what is served on that domain.