Sweet, next year Let's Encrypt will support a persisting DNS record so these tools don’t need access to DNS for renewal.
RFC here: https://datatracker.ietf.org/doc/draft-sheurich-acme-dns-persist/