Use certbot without automatic changes to the webserver config as well as DNS server?

Then you don’t understand how DNS validation works. That record needs to be updated every time you renew.

Indeed, I don't understand why I need to prove domain ownership over and over again. Is there some attack vector I may not be aware of? Other services (like GSuite for example) that also rely on a TXT record for domain ownership proof also don't require that. If I don't have ownership of the domain anymore, the record would also be gone.

I'm not very keen on having the client access the Google DNS (or any other DNS server) as that can lead to a severe security issue (yes, I know I could delegate it to some other tightly secured and/or minimal DNS server to make it more secure, but that just adds additional complexity which is more failure-prone).

The only reason for this I could see is that the Let's Encrypt servers don't need to keep the content of that record (i.e. a state); however, since there already is the account ID, a state is kept already anyway.

Would you explain why that is? Is that also the case for the web based validation?

@schoen
Thanks for the info, I'll look into the certonly option.