Domain authentication fails with dns-rfc2136 plugin

It looks like the suggested internal redirect to a delegated subdomain using a CNAME record doesn't work or I couldn't figure out a way to set this up.

Here is what I did and the results I got:

First attempt

I added _acme-challenge as a CNAME to my domain pointing it to certs.penguinpee.nl. I set up certs.penguinpee.nl as a delegated subdomain with its own SOA and a single NS entry pointing to the IP addresses (IPv4 and IPv6) where my local DNS server can be queried.

In BIND I configured allow-updates for certs.penguinpee.nl with the key assigned to certbot. When I run certbot I can observe the following queries in the log file:

query: _acme-challenge.penguinpee.nl IN SOA -T
query: penguinpee.nl IN SOA -T

Then it tries to update 'penguinpee.nl/IN', which is denied since the key is allowed only for certs.penguinpee.nl.

When I query for _acme-challenge.penguinpee.nl in either TXT or SOA the server returns the CNAME record pointing to certs.penguinpee.nl.

Second attempt

Same as above, except I changed the CNAME to point to _acme-challenge.certs.penguinpee.nl, hoping this would tell dns-rfc2136 what record to add and where. It didn't. Results were the same.

Third attempt

Since dns-rfc2136's first query is for a SOA record of _acme-challenge.penguinpee.nl I also tried changing certs.penguinpee.nl to _acme-challenge.penguinpee.nl as the name of the delegated zone. However, since _ is not an allowed character in hostnames (anything that resolves to an IP address), named threw multiple errors and warnings when checking the configuration.

Looks like I'm out of options using dns-rfc2136 other than setting --dns-rfc2136-propagation-seconds to 3600. 🙁
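The two SOA queries in the log show the plugin locating the zone apex by walking up the labels of the validation name and stopping at the first name that has a SOA record, without looking at the CNAME first. The following is an added, offline model of that behaviour, written for this thread and not code from certbot or the dns-rfc2136 plugin. It assumes the label-walking zone discovery described above and treats "follow the CNAME before looking for the zone" as a hypothetical variant; the zone set, CNAME records and key scope are constructed from the setup in the post. It shows why a TSIG key deliberately restricted to the delegated zone (which is the least-privilege way to run this) gets its update denied, and which record placement would let the restricted key succeed.

```python
# Added example, not the certbot/dns-rfc2136 project's own code.
# Models zone discovery by SOA lookup (as the log lines suggest) and
# checks the resulting update against a key scoped to one zone.
from typing import Dict, List, Optional, Set

# Constructed sample data modelled on the setup described in the post.
SOA_ZONES: Set[str] = {"penguinpee.nl", "certs.penguinpee.nl"}   # zones the server is authoritative for
KEY_ALLOWED_ZONES: Set[str] = {"certs.penguinpee.nl"}            # BIND allow-update scope of the certbot key
CNAMES_FIRST_ATTEMPT: Dict[str, str] = {
    "_acme-challenge.penguinpee.nl": "certs.penguinpee.nl",
}
CNAMES_SECOND_ATTEMPT: Dict[str, str] = {
    "_acme-challenge.penguinpee.nl": "_acme-challenge.certs.penguinpee.nl",
}


def parent_candidates(name: str) -> List[str]:
    """Return the name and each of its parents: a.b.c -> [a.b.c, b.c, c]."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def find_zone(name: str, soa_zones: Set[str], queries: Optional[List[str]] = None) -> Optional[str]:
    """Walk up the labels and return the first name that has a SOA record.

    Each probe is recorded in `queries` in the same shape as the BIND log
    lines in the post (minus the trailing flags), so the walk can be inspected.
    """
    for candidate in parent_candidates(name):
        if queries is not None:
            queries.append(f"query: {candidate} IN SOA")
        if candidate in soa_zones:
            return candidate
    return None


def follow_cname(name: str, cnames: Dict[str, str], max_hops: int = 8) -> str:
    """Resolve a CNAME chain to its final target, refusing loops and long chains."""
    seen: Set[str] = set()
    while name in cnames:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        name = cnames[name]
    return name


def plan_update(validation_name: str, cnames: Dict[str, str], *, follow_cnames: bool) -> dict:
    """Decide where the TXT record would be written and whether the key may write it.

    follow_cnames=False models the behaviour observed in the post;
    follow_cnames=True is the hypothetical variant that honours the redirect.
    """
    target = follow_cname(validation_name, cnames) if follow_cnames else validation_name
    queries: List[str] = []
    zone = find_zone(target, SOA_ZONES, queries)
    return {
        "record": target,
        "zone": zone,
        "allowed": zone in KEY_ALLOWED_ZONES,
        "queries": queries,
    }


if __name__ == "__main__":
    observed = plan_update("_acme-challenge.penguinpee.nl", CNAMES_FIRST_ATTEMPT, follow_cnames=False)
    redirected = plan_update("_acme-challenge.penguinpee.nl", CNAMES_SECOND_ATTEMPT, follow_cnames=True)
    for label, plan in (("observed", observed), ("cname followed", redirected)):
        print(f"{label}: TXT at {plan['record']} in zone {plan['zone']} -> "
              f"{'allowed' if plan['allowed'] else 'DENIED'}")
        for q in plan["queries"]:
            print("   ", q)
```

Run as-is, the "observed" plan reproduces the two SOA queries from the log and ends with a denied update against penguinpee.nl, while the "cname followed" plan lands in certs.penguinpee.nl where the restricted key is permitted. The loop guard in `follow_cname` is there because a CNAME that eventually points back at itself would otherwise make the resolver spin.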