Please avoid "3 0 1" and "3 0 2" DANE TLSA records with LE certificates

Sure, certbot renew --reuse-key sounds much simpler. When I first started this thread almost 3 years ago, certbot was very new, and the only option at the time for keeping the same key seemed to be --csr. Sorry I’ve not kept up with more recent changes…
You should still manually rekey every year or so; with infrequent manual rekeying, it should not be difficult to do the DNS TLSA record dance correctly. But see also the ICANN61 slides for additional options.

3 Likes
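Why the thread title and `--reuse-key` go together, as an added example that is not part of the original post: the script below computes the "3 0 1" and "3 1 1" association data for a first issuance, a renewal that reuses the key, and a renewal after a rekey. Self-signed certificates stand in for Let's Encrypt issuances, and the helper names and `mail.example.com` are assumptions.

```shell
#!/bin/sh
# Added example. Self-signed certificates stand in for successive
# Let's Encrypt issuances (constructed data); needs the openssl CLI.

# "3 0 1" association data: SHA-256 over the whole certificate (DER).
tlsa_3_0_1() {
    openssl x509 -in "$1" -outform DER |
        openssl dgst -sha256 -hex | awk '{print $NF}'
}

# "3 1 1" association data: SHA-256 over the SubjectPublicKeyInfo (DER).
tlsa_3_1_1() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -hex | awk '{print $NF}'
}

# Hypothetical helpers: new P-256 key in $1; cert for key $1 in $2, serial $3.
make_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1" 2>/dev/null
}
make_cert() {
    openssl req -new -x509 -key "$1" -subj "/CN=mail.example.com" \
        -days 90 -set_serial "$3" -out "$2" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_key "$dir/key.pem"
    make_key "$dir/rekey.pem"
    make_cert "$dir/key.pem"   "$dir/issued.pem"  1  # first issuance
    make_cert "$dir/key.pem"   "$dir/renewed.pem" 2  # renewal, key reused
    make_cert "$dir/rekey.pem" "$dir/rekeyed.pem" 3  # renewal after rekey
    for c in issued renewed rekeyed; do
        printf '%-8s 3 0 1 %s\n' "$c" "$(tlsa_3_0_1 "$dir/$c.pem")"
        printf '%-8s 3 1 1 %s\n' "$c" "$(tlsa_3_1_1 "$dir/$c.pem")"
    done
    rm -rf "$dir"
}

demo
```

The "3 1 1" value is identical for `issued` and `renewed` while every "3 0 1" value differs; only `rekeyed` changes the "3 1 1" value, so a rekey is the one time the new TLSA record has to be in DNS before the new key goes live.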