Crazy, I downloaded the PEM file and used it to generate a new (!) TLSA key.
The key is identical to my previous one.
The old certificate I used for the first TLSA key was from the NS8 server, using this method (Path to the certs? - #6 by capote).
And it was precisely this certificate that I used for the TLSA key. And it is precisely these keys that become obsolete when the certificate is changed.
I am confused…