Thanks for the help 
I actually forgot about the --account toggle. We did that once before during a major rate limit outtage, but it is definitely a hack; To manipulate underlying directory structure based on knowledge of implementation details appears to me a violation of the client-service contract between the certbot CLI API and the user. If I’m right about that, I really don’t want a production system, especially of our volume, operating on a potentially brittle hack that isn’t forward compatible as we upgrade certbot in the future.
Perhaps I can learn that the certbot dev team happily supports this style of usage, despite their not providing a CLI API for it.
We’re trying to come up with a long term solution that covers for the case that this network flakiness between LE and some problematic name servers goes unsolved long term, or even for it cropping up again with different/new name servers.