Every service you onboard wants proof you control your domain. Most want your DNS credentials to automate that proof. There’s a better approach: CNAME delegation lets you authorize a service once without handing over the keys to your entire zone.
A new ACME validation standard coming in 2026 lets you authorize a CA once and never touch DNS again for renewals. The security model is defensible, but even its supporters admit the optics are questionable.
HTTPS went from 40% to over 90% of web traffic in a decade and the ACME protocol made that possible. But ACME solved certificate issuance, not certificate operations. Getting a cert is easy now. Getting it onto all your servers is still your job.