I've created a TLSA record manager that hooks into certbot internals to handle renewals. It successfully deals with rotating private keys so one doesn't need to pin (reuse) a private key — resulting in an improved OPSEC.
You have no way to control when certbot renew is going to be run, or what's going to run it: cron, systemd, something else? Also, what happens if you have more than one cert, and only use dane on some?
You might want to implement the changes as their own crontab line, or you might look up the at scheduling utility while using certbot's deploy hooks.
Not sure if you pin the end entity certificate or the intermediate, also.