Oh... that's fantastic! It specifically addresses my concerns about needing DNS credentials accessible to scripts.

The article says it is for those who

> prefer to keep DNS updates and sensitive credentials out of their issuance path.