I wasn't thinking about having named listen on a different port for outside queries. But for the RFC2136 zone update to work, the only parameters I can tweak are the IP address and the port that the dns-rfc2136 plugin will use for performing the update.
I was thinking about using a different port for the delegated zone and telling dns-rfc2136 to use that port. But thinking some more about it, I'm not sure it's possible. I'm also not sure, yet, how dns-rfc2136 determines the FQDN it needs to update. That would need to match the domain of the delegated zone, but there's no parameter to tell it to update certs.penguinpee.nl instead of penguinpee.nl.
No worries.
Yes, that's basically what @Nummer378 suggested. But I'm still trying to find out if that's at all possible (see above).
Thank you both for your suggestions. I'll do some digging and report back tomorrow.