Seems like there are two possible solutions to this:
- Since the TLSA record is tied to the public key, not the certificate, instruct whichever ACME client you're using to reuse the keys. For `acme.sh`, that's the default behavior; for `certbot`, you'd use the `--reuse-key` flag. If the public key doesn't change, the TLSA record doesn't need to change.
- If your DNS host supports automation (and if it doesn't, consider changing to one that does; I continue to like and recommend Cloudflare), automate the update to the DNS record. This script (and its comments) should point you in the right direction for Cloudflare: A bash script to update a Cloudflare DNS A record with the external IP of the source machine · GitHub
- Edit: a possible third. In the day of HPKP, it was recommended to pin a CA cert, not the leaf cert. If TLSA also allows (or recommends) this, do so.
Not to say this wouldn’t be a nice feature to automate into Neth’s hypothetical built-in authoritative DNS server, but I think it can be handled now with less difficulty than what you’re doing.
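The first option above rests on which part of the certificate the TLSA record hashes. The following Go program is an added example, not code from the poster or from any ACME client: it computes DANE-EE TLSA rdata (usage 3, SHA-256 matching type 1) from a certificate with selector 1 (SubjectPublicKeyInfo only) and with selector 0 (whole certificate), then simulates a renewal that reuses the key and one that rotates it. It shows that a `3 1 1` record survives a reused-key renewal while a `3 0 1` record does not, so key reuse only removes the need for DNS updates if the record was published with selector 1. The host name `mail.example.test` is hypothetical, and the certificates are self-signed so the example runs offline; the CA-issued chain does not affect the leaf's SPKI digest.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSARecord holds TLSA rdata (RFC 6698): usage, selector, matching type, hex digest.
type TLSARecord struct {
	Usage, Selector, MatchingType int
	Digest                        string
}

// ZoneLine renders the record as a zone-file line for a TCP service on the host.
func (r TLSARecord) ZoneLine(port int, host string) string {
	return fmt.Sprintf("_%d._tcp.%s. IN TLSA %d %d %d %s",
		port, host, r.Usage, r.Selector, r.MatchingType, r.Digest)
}

// TLSAFromCert builds a DANE-EE (usage 3), SHA-256 (matching type 1) record.
// Selector 0 hashes the full DER certificate; selector 1 hashes only the
// SubjectPublicKeyInfo, which is why key reuse keeps a "3 1 1" record stable.
func TLSAFromCert(cert *x509.Certificate, selector int) (TLSARecord, error) {
	var data []byte
	switch selector {
	case 0:
		data = cert.Raw
	case 1:
		data = cert.RawSubjectPublicKeyInfo
	default:
		return TLSARecord{}, fmt.Errorf("unsupported TLSA selector %d", selector)
	}
	sum := sha256.Sum256(data)
	return TLSARecord{Usage: 3, Selector: selector, MatchingType: 1,
		Digest: hex.EncodeToString(sum[:])}, nil
}

// IssueCert stands in for an ACME (re)issuance: a fresh certificate for the key
// with a new serial and validity window. Self-signed so the example runs offline.
func IssueCert(key *ecdsa.PrivateKey, host string, notBefore time.Time) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RenewalOutcome says which record style survived a renewal unchanged.
type RenewalOutcome struct {
	SPKIStable bool // "3 1 1" (selector 1) unchanged
	CertStable bool // "3 0 1" (selector 0) unchanged
}

// SimulateRenewal issues a cert with oldKey, renews with newKey (pass the same
// key to model certbot --reuse-key) and compares both TLSA styles before/after.
func SimulateRenewal(oldKey, newKey *ecdsa.PrivateKey) (RenewalOutcome, error) {
	const host = "mail.example.test" // hypothetical host name
	now := time.Now()
	before, err := IssueCert(oldKey, host, now)
	if err != nil {
		return RenewalOutcome{}, err
	}
	after, err := IssueCert(newKey, host, now.Add(60*24*time.Hour))
	if err != nil {
		return RenewalOutcome{}, err
	}
	var out RenewalOutcome
	for sel, flag := range map[int]*bool{1: &out.SPKIStable, 0: &out.CertStable} {
		a, errA := TLSAFromCert(before, sel)
		b, errB := TLSAFromCert(after, sel)
		if errA != nil || errB != nil {
			return RenewalOutcome{}, fmt.Errorf("selector %d: %v %v", sel, errA, errB)
		}
		*flag = a.Digest == b.Digest
	}
	return out, nil
}

func main() {
	k1, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	k2, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	reuse, _ := SimulateRenewal(k1, k1)
	rotate, _ := SimulateRenewal(k1, k2)
	fmt.Printf("reuse-key renewal: 3 1 1 stable=%v, 3 0 1 stable=%v\n", reuse.SPKIStable, reuse.CertStable)
	fmt.Printf("new-key renewal:   3 1 1 stable=%v, 3 0 1 stable=%v\n", rotate.SPKIStable, rotate.CertStable)
	cert, _ := IssueCert(k1, "mail.example.test", time.Now())
	rec, _ := TLSAFromCert(cert, 1)
	fmt.Println(rec.ZoneLine(25, "mail.example.test"))
}
```

The practical check before relying on `--reuse-key` is therefore to look at the selector field of the TLSA record already published: `3 1 1` (or `2 1 1`) can be left alone across reused-key renewals, whereas a `3 0 1` record has to be regenerated from every new certificate, and the `ZoneLine` output above is the value a DNS-update script would push.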