Certbot and DNS round-robin

The best is the one which works best in your environment. Since, as @bruncsak observed, DNS round robin almost certainly precludes a single point for TLS termination, the second best choice is to use your configuration and/or content management system to distribute the certificates to the web servers. This may be something as sophisticated as Ansible playbooks, or as simple as shared storage containing the files*.

How best to request and update the certificates will depend on your configuration and/or content management system infrastructure, but an ACME client on a suitable host and DNS-01 challenge should make this fairly simple and robust.

*[In this case be careful to separate configuration from content at each layer.]

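Whatever mechanism pushes the certificate out, the check a practitioner wants afterwards is that every round-robin member is actually serving the same, current certificate. The script below is an added example, not code from the post or from Certbot: it resolves all A/AAAA records for the name, connects to each member by IP with SNI set to the public name, and flags members whose leaf certificate differs from the majority (a stale copy) or is close to expiry. The IPs and fingerprints in `SAMPLE` are constructed data.

```python
"""Verify every DNS round-robin member serves the same, current TLS certificate."""
import hashlib
import socket
import ssl
from collections import Counter
from datetime import datetime, timedelta, timezone


def fetch_leaf(ip, hostname, port=443, timeout=5.0):
    """Connect to one member by IP (SNI = public name); return (sha256 hex, notAfter as UTC datetime)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            not_after_str = tls.getpeercert()["notAfter"]
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after_str), tz=timezone.utc)
    return hashlib.sha256(der).hexdigest(), not_after


def check_members(members, now, min_days=14):
    """members: {ip: (fingerprint, not_after)}. Returns {ip: [problem, ...]} for members that
    serve a certificate different from the majority (sync never reached them) or one that
    expires within min_days. On a tie, the first-seen fingerprint is taken as the reference."""
    if not members:
        return {}
    reference = Counter(fp for fp, _ in members.values()).most_common(1)[0][0]
    problems = {}
    for ip, (fp, not_after) in members.items():
        issues = []
        if fp != reference:
            issues.append("fingerprint differs from majority (stale certificate copy?)")
        remaining = not_after - now
        if remaining < timedelta(days=min_days):
            issues.append(f"expires in {remaining.days} days")
        if issues:
            problems[ip] = issues
    return problems


def check_hostname(hostname, port=443):
    """Resolve every round-robin member of hostname and check each one live."""
    ips = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)})
    members = {ip: fetch_leaf(ip, hostname, port) for ip in ips}
    return check_members(members, datetime.now(timezone.utc))


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = {  # constructed sample: two members renewed, one never received the new files
    "192.0.2.10": ("a" * 64, NOW + timedelta(days=80)),
    "192.0.2.11": ("a" * 64, NOW + timedelta(days=80)),
    "192.0.2.12": ("b" * 64, NOW + timedelta(days=5)),
}

if __name__ == "__main__":
    for ip, issues in check_members(SAMPLE, NOW).items():
        print(ip, "; ".join(issues))
```

Run `check_hostname("www.example.org")` from a host that can reach all members; a non-empty result after a renewal means the distribution step skipped someone.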