One available option for cert renewal is to use a nsupdate/RFC2136 call to the DNS server which updates the requested token in the TXT record. Since I am using Sonic for my DNS records, I am hoping that there is a way to programmatically update the TXT record (i.e. Sonic enables RFC2136/nsupdate API). After some digging, I understand that Sonic uses PowerDNS to serve the DNS queries and it turns out that PowerDNS has a method to enable RFC 2136 support (https://doc.powerdns.com/authoritative/dnsupdate.html).
What will it take for Sonic to enable this support for anyone that hosts their DNS records at Sonic and would like to programmatically update TXT (or other type) records? It's no more or less secure than logging into the member tools to change the info manually.
18+ yr Sonic customer