That error comes from DNS Control:
```
$ grep -B1 'includes invalid char' pkg/normalize/validate.go
if strings.ContainsAny(target, `'" +,|!£$%&()=?^*ç°§;:<>[]()@`) {
return fmt.Errorf("target (%v) includes invalid char", target)
--
if !strings.HasSuffix(target, ".in-addr.arpa.") && strings.Contains(target, "/") {
return fmt.Errorf("target (%v) includes invalid char", target)
```
The short-term fix would be to maintain the record via the AWS web portal and include an IGNORE() to work around it.
```
IGNORE("*abc", CNAME),
or maybe
IGNORE("", CNAME, "**.acm-validations.aws"),
```
The long-term fix would be to add a way to disable this validation. Something like CNAME(foo, bar, { permit_scary_targets: true } ). The `func checkLabel()` has `skip_fqdn_check` but I guess we never added one for targets. If you'd like to submit a PR, I think the community would appreciate this feature. (Especially the AWS community, if this is a common thing.)
Best,
Tom