Sharing API account with cluster

Ok, I will check this lib out again. Changing DNS would not be the problem in general but I prefer http01. Why? Because all clusters have reverse proxies in front of them, where the acme-challenges are passed to ACME nodes (which is best practice as per LE docs).

While I can perfectly control which files and folders are cached for HTTP, it is much more limited for DNS. I use PowerDNS Auth for all zones with dnsdist (same vendor) to load-balance between endpoints and masters.

In my opinion, the DNS challenges do not provide additional security. Commercial CAs just check CAA if set as well as the reachability of one of the Whois emails.

I built this CMDB myself on top of Django. It can solve everything I want it to :wink:
After browsing more docs, I realized I can generate lots of "configs" (cli?) and feed them to certbot.
It also works perfectly when adding or removing domains from the file (renewal auto-detect).

Seems like I need to use subprocess again until I can switch to my own client on top of the raw ACME lib.

Thanks for your ideas!