Automated DANE/TLSA updates

Discussion in 'Feature Requests' started by remkoh, Jan 19, 2025.

  1. remkoh

    remkoh Active Member HowtoForge Supporter

    Since nowadays by default LE keys are also renewed, besides certificates, there should really be an automated function in ISPC for self-hosted DNS zones that updates the TLSA records on renewal of the certificate and key.

    If I'm not mistaken the next key is pre-made, so the next TLSA record can be made in advance.

    When renewing the certificate and key delete the TLSA record for the old key and create a new record for the future key.
    That way there will always be 2 records, current and future.

    For multi-domain certificates (including www) use the master domain for TLSA records and CNAME records to that TLSA record for the other domains.
    That way there's less that needs updating on renewal (only the TLSA records).
    Also less records since other domains only need 1 CNAME record instead of 2 TLSA records.

    The port that is needed in the TLSA (or CNAME) record's name is known in ISPC.

    And build in a check to do so for self-hosted DNS zones only.

    For ISPC server certificates create TLSA records for every TLSA applicable service port (web, smtp, submit, pop, imap etc).
    Or create TLSA records for 1 of those services and CNAME records for the other ports (again less records and less that needs updating on renewal).
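The record layout described in the post (two DANE-EE TLSA records on the master name, one for the key in use and one for the pre-generated next key, plus one CNAME per port for the other hostnames), as an added Python example; this is not code from the post or from ISPConfig, and the hostnames, ports and key bytes are constructed for illustration.

```python
import hashlib

# Constructed keys: an Ed25519 SubjectPublicKeyInfo in DER is a fixed 12-byte
# prefix followed by the 32 raw public-key bytes. The key bytes are made up for
# this example; a real implementation would read the DER of the key the ACME
# client is using and of the pre-generated next key from disk.
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
KEY_A = _ED25519_SPKI_PREFIX + bytes(range(0, 32))    # constructed: key in use
KEY_B = _ED25519_SPKI_PREFIX + bytes(range(32, 64))   # constructed: pre-made next key
KEY_C = _ED25519_SPKI_PREFIX + bytes(range(64, 96))   # constructed: key after that


def tlsa_rdata(spki_der: bytes) -> str:
    """Usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def owner(host: str, port: int) -> str:
    """Owner name of the TLSA (or aliasing CNAME) record for a TCP port."""
    return f"_{port}._tcp.{host}."


class TlsaRollover:
    """Keeps exactly two TLSA RRs per port on the master name (current key and
    pre-made next key); every other hostname gets one CNAME per port instead."""

    def __init__(self, master, aliases, ports, current_spki, next_spki):
        self.master, self.aliases, self.ports = master, list(aliases), list(ports)
        self.current_key, self.next_key = current_spki, next_spki

    def renew(self, new_next_spki: bytes) -> None:
        """Certificate renewed: the old 'next' key is now in use. Drop the record
        for the old current key and publish the freshly pre-generated one."""
        self.current_key, self.next_key = self.next_key, new_next_spki

    def records(self):
        """Full set of (owner, type, rdata) tuples to publish in the zone."""
        rrs = []
        for port in self.ports:
            for spki in (self.current_key, self.next_key):
                rrs.append((owner(self.master, port), "TLSA", tlsa_rdata(spki)))
            for alias in self.aliases:
                rrs.append((owner(alias, port), "CNAME", owner(self.master, port)))
        return rrs


if __name__ == "__main__":
    roll = TlsaRollover("example.com", ["www.example.com"], [25, 443], KEY_A, KEY_B)
    for rr in roll.records():
        print(" ".join(rr))
```

Only the two TLSA records on the master name change on renewal; the CNAMEs for the other hostnames stay as they are.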
