Just a thought that came up.
One method would probably be to just document how to use RFC 2136, a.k.a. dynamic updates.
For some more details on the DNS provider side from lego:
This might enable:
- ability to enforce changing of the needed TXT record only (whitelist using IP, record, secret, name)
- secret/key per domain/webserver
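
As an added illustration of the two points above (not part of the original comment and not lego's own documentation), here is a BIND 9 `named.conf` fragment showing the zone-wide grant next to a per-host, TXT-only one. It assumes BIND is the authoritative server; the zone, host and key names and the secrets are constructed placeholders.

```conf
// named.conf fragment (BIND 9). Every name and secret here is a constructed
// placeholder for illustration.

// One TSIG key per web server, so a leaked key exposes a single name only.
key "acme-www" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FOR_WWW";
};

key "acme-mail" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FOR_MAIL";
};

// Weak form: allow-update lets any holder of the key add, change or delete
// every record in the zone (A, MX, NS, ...), not just the challenge record.
//
// zone "example.com" {
//     type master;
//     file "example.com.zone";
//     allow-update { key "acme-www"; };
// };

// Restricted form: update-policy ties each key to exactly one owner name and
// one record type. The key for www can only touch the TXT record at
// _acme-challenge.www.example.com and nothing else in the zone.
zone "example.com" {
    type master;
    file "example.com.zone";
    update-policy {
        grant acme-www  name _acme-challenge.www.example.com.  TXT;
        grant acme-mail name _acme-challenge.mail.example.com. TXT;
    };
};

// Client side (lego's rfc2136 provider reads these environment variables):
//   RFC2136_NAMESERVER      address of this server
//   RFC2136_TSIG_KEY        acme-www
//   RFC2136_TSIG_ALGORITHM  hmac-sha256.
//   RFC2136_TSIG_SECRET     the base64 secret for that key
```

`allow-update` and `update-policy` cannot be combined in the same zone, so moving to the restricted form means replacing the former, not adding to it.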