Hello @BrendenDigital,
Why do you need to wait for propagation to caching resolvers? You only need the new records to be propagated to your authoritative DNS servers. Let's Encrypt doesn't ask any resolver; it asks your authoritative DNS servers directly.
Sorry, but I didn't understand the above problem.
You can do that inside your auth hook script. Since certbot 1.4.0, two new variables are passed to the auth and cleanup hook scripts:
- CERTBOT_REMAINING_CHALLENGES: contains the number of challenges that remain after the current one (so it equals 0 when the script is called for the last challenge)
- CERTBOT_ALL_DOMAINS: contains a comma-separated list of all domains concerned by a challenge for the current certificate
So you can add the DNS records for the domains in your cert in every call and check them only when CERTBOT_REMAINING_CHALLENGES is 0, or you can save all the domains and tokens and add the DNS records and perform the checks only when the last domain is presented, etc.
And you can do the same for the cleanup hook script.
Cheers,
sahsanu
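Worked example of the second approach sahsanu describes (save every domain and token, then publish and verify only on the last challenge). This is an added illustration, not code from the post or from certbot. It uses the real certbot hook variables CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_REMAINING_CHALLENGES; the state file path, the AUTH_NS variable naming one of your authoritative nameservers, and the add_txt_record function are assumptions you replace with your own provider call.

```shell
#!/bin/sh
# Example certbot --manual-auth-hook that batches DNS-01 TXT records.
# Assumptions (not from the post): STATE_FILE location, AUTH_NS env var,
# and the placeholder add_txt_record, which stands in for your DNS API client.

STATE_FILE="${CERTBOT_HOOK_STATE:-/tmp/certbot-dns-batch.txt}"

# Append the current challenge (domain and validation token) to the state file.
record_challenge() {
    domain="$1"; validation="$2"
    printf '%s %s\n' "$domain" "$validation" >> "$STATE_FILE"
}

# True when certbot reports no challenges remaining after this one.
is_last_challenge() {
    [ "${1:-0}" -eq 0 ]
}

# Number of challenges queued so far (0 if nothing recorded yet).
queued_count() {
    [ -f "$STATE_FILE" ] || { echo 0; return; }
    wc -l < "$STATE_FILE" | tr -d ' '
}

# Placeholder for your provider's API call: add a TXT record NAME with VALUE.
add_txt_record() {
    echo "would add TXT $1 -> $2" >&2
}

# Poll the authoritative server directly (never a caching resolver) until the
# expected TXT value is visible there, or give up after the given attempts.
wait_for_txt() {
    name="$1"; expected="$2"; ns="$3"; attempts="${4:-30}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if dig +short "@$ns" TXT "$name" | grep -q "\"$expected\""; then
            return 0
        fi
        i=$((i + 1)); sleep 5
    done
    echo "TXT $name not visible on $ns after $attempts attempts" >&2
    return 1
}

# Publish every queued record in one pass.
publish_all() {
    while read -r domain validation; do
        add_txt_record "_acme-challenge.$domain" "$validation"
    done < "$STATE_FILE"
}

# Verify every queued record against the authoritative server.
verify_all() {
    ns="$1"
    while read -r domain validation; do
        wait_for_txt "_acme-challenge.$domain" "$validation" "$ns" || return 1
    done < "$STATE_FILE"
}

# Only act when invoked by certbot (CERTBOT_DOMAIN is set by certbot).
if [ -n "$CERTBOT_DOMAIN" ]; then
    record_challenge "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
    if is_last_challenge "$CERTBOT_REMAINING_CHALLENGES"; then
        publish_all
        verify_all "${AUTH_NS:?set AUTH_NS to one of your authoritative nameservers}"
        rm -f "$STATE_FILE"
    fi
fi
```

Each certbot invocation only appends to the state file until CERTBOT_REMAINING_CHALLENGES is 0; at that point all TXT records are created together and checked against the authoritative server with dig, which matches the point in the post that resolver propagation is irrelevant to the validation. A cleanup hook can mirror the same pattern with a remove call in place of add_txt_record.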