Thanks! Yes, the risk is acceptable because the appliance can’t generate a key pair by itself. All machines involved (including the DNS server) are on the same LAN and physically under my control.
Took me a while to figure out that Lego indeed supports BIND (via the RFC2136 DNS provider).