Integrating certbot DNS validation into complicated systems seems clumsy and brittle.
For example, one installation involves a custom Docker container plus four bash scripts plus a crontab, per host, across dozens of hosts in multiple colos.
The cumulative delays required for DNS record propagation to caching resolvers are ridiculous when spanning hundreds, or even just dozens, of domains, plus the likely multiple hosts. Adding to the ridiculousness are the necessary dozens or hundreds of per-domain service reloads/restarts, most done remotely via the ssh CLI and/or a message queue. The delays and complexity are not caused by certbot, but they are definitely greatly compounded.
--manual-auth-hook script logic is confounded by multiple iterations per domain. For example, this precludes using "sed" deletion where it would otherwise be most appropriate and necessitates another shell script just to handle global deletion of "_acme-challenge" lines from DNS zone files.
It would help if certbot provided API-style verbs that are single-function specific; in this case, "gen_validation". Does it? Is there a tool that does? A second verb needed would be "check_validation".
Everything else is already necessarily being done by local scripts; all that's needed is for certbot to generate its validation codes (one or more per domain is OK, as long as they are all returned from one call per domain) and then check those codes, as an independently callable process.
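The per-challenge hook invocation the post complains about, as an added example that is not code from the original poster or from certbot: a minimal --manual-auth-hook / --manual-cleanup-hook pair for a BIND-style zone file. It relies on the environment variables certbot documents for the manual hooks (CERTBOT_DOMAIN, CERTBOT_VALIDATION, CERTBOT_REMAINING_CHALLENGES); the zone file layout, the "; serial" marker comment, the TTL, the resolver address and the polling interval are assumptions made for the illustration. The demo at the bottom simulates certbot's calls for a base name plus its wildcard, the case where two challenges land on the same _acme-challenge name and a per-record sed deletion in the first cleanup call would remove a record the second validation still needs.

```shell
#!/bin/sh
# Added example, not from the original post or from certbot.  Auth/cleanup
# hooks for a BIND-style zone file that tolerate one hook call per challenge.
# certbot exports CERTBOT_DOMAIN, CERTBOT_VALIDATION and
# CERTBOT_REMAINING_CHALLENGES to both hooks; everything else here (zone
# layout, "; serial" marker line, TTL, resolver, poll interval) is assumed.
set -eu

# Increment the SOA serial on the line ending in "; serial" (assumed marker).
bump_serial() {
    zone=$1
    awk '/; serial$/ { n = $1 + 1; sub(/[0-9]+/, n) } { print }' "$zone" > "$zone.tmp"
    mv "$zone.tmp" "$zone"
}

serial_of() {
    awk '/; serial$/ { print $1 }' "$1"
}

# Number of _acme-challenge records currently in the zone (prints 0 when none).
count_challenges() {
    grep -c '^_acme-challenge\.' "$1" || true
}

# Auth hook: append one TXT record and publish.  Never delete here: a sibling
# challenge for the same name (base name plus wildcard) may still be pending.
auth_hook() {
    zone=$1
    name=${CERTBOT_DOMAIN#\*.}   # defensive: drop a leading "*." if present
    printf '_acme-challenge.%s. 60 IN TXT "%s"\n' "$name" "$CERTBOT_VALIDATION" >> "$zone"
    bump_serial "$zone"
}

# Cleanup hook: also called once per challenge.  The global sweep of
# _acme-challenge lines runs only when certbot reports no challenges left,
# so earlier calls cannot remove a record a later validation relies on.
cleanup_hook() {
    zone=$1
    if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" -eq 0 ]; then
        grep -v '^_acme-challenge\.' "$zone" > "$zone.tmp" || true
        mv "$zone.tmp" "$zone"
        bump_serial "$zone"
    fi
}

# A local "check_validation" step: poll a resolver until the TXT value is
# visible, to be called from auth_hook before returning.  Needs dig and
# network access, so the demo below does not call it; defaults are assumed.
wait_for_txt() {
    name=$1; value=$2; resolver=${3:-8.8.8.8}; tries=${4:-30}
    while [ "$tries" -gt 0 ]; do
        if dig +short "@$resolver" TXT "_acme-challenge.$name" | grep -qx "\"$value\""; then
            return 0
        fi
        tries=$((tries - 1)); sleep 10
    done
    return 1
}

# Simulated certbot run over a constructed zone file: two challenges for the
# same validation name (example.com and *.example.com), auth then cleanup.
demo() {
    z=$(mktemp)
    printf '$ORIGIN example.com.\n@ IN SOA ns1 hostmaster (\n    2024010101 ; serial\n    3600 900 604800 300 )\n' > "$z"
    CERTBOT_DOMAIN=example.com;     CERTBOT_VALIDATION=tokenA; CERTBOT_REMAINING_CHALLENGES=1; auth_hook "$z"
    CERTBOT_DOMAIN='*.example.com'; CERTBOT_VALIDATION=tokenB; CERTBOT_REMAINING_CHALLENGES=0; auth_hook "$z"
    echo "after auth:          $(count_challenges "$z") records, serial $(serial_of "$z")"
    CERTBOT_REMAINING_CHALLENGES=1; cleanup_hook "$z"
    echo "after first cleanup: $(count_challenges "$z") records (nothing removed yet)"
    CERTBOT_REMAINING_CHALLENGES=0; cleanup_hook "$z"
    echo "after last cleanup:  $(count_challenges "$z") records, serial $(serial_of "$z")"
    rm -f "$z"
}

demo
```

In production each hook would be invoked by certbot as `certbot certonly --manual --preferred-challenges dns --manual-auth-hook 'auth_hook /path/to/zone' --manual-cleanup-hook 'cleanup_hook /path/to/zone' -d example.com -d '*.example.com'`, with a zone reload inserted after `bump_serial` and `wait_for_txt` run against the authoritative server before `auth_hook` returns, which is where the propagation delay the post describes is actually spent.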