I reviewed the Certbot repository and open issues last night because I was trying to set up a domain to use a CNAME alias for DNS verification. I would prefer to use the RFC 2136 plugin to automatically update a delegated zone and keep my root zone isolated.
It appears that this feature was added to Certbot some time ago and more recently removed due to a bug. Am I reading the status of this feature correctly or does the current version support this kind of setup again? There appear to be several issues related to this. Several closed and at least one open.
I realize that acme.sh and some other clients do support this feature but I would prefer to use Certbot unless it will not support my use case. I realize this may seem a bit arbitrary but I prefer to use official clients when possible and I also have an interest in Python as a programming language.
Don’t forget that whether or not the RFC2136 plugin follows CNAMEs (it doesn’t look like it to me right now, but I’m not 100% sure), you can always perform the same task with a simple Certbot authentication hook.