outroll / vesta

VESTA Control Panel

Home Page: http://vestacp.com

[FEATURE REQUEST] make the letsencrypt certificates DANE TLSA ready

bmeirellesRJ opened this issue · comments

I believe the change is only in the file v-generate-ssl-cert

Whenever the certificate is renewed, the key is also being renewed and I need to update the DNS.

For DANE to work, the key must be kept and the CSR must be done using the same key. Example:
openssl req -new -key example.key -out example.csr -sha512

The key must be created only the first time, when it does not exist. If it exists, it must be used to renew the certificates.

If it is possible to insert the DANE record in the DNS automatically, it would be good, but renewing the certificate with the same key already solves the problem.

DANE TLSA is the latest in security, and as of May 2022 all hosted Exchange Online domains have been enabled by default.

https://m365admin.handsontek.net/upcoming-release-outbound-smtp-dane-and-dnssec-in-microsoft-365-exchange-online/

Thank you so much
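
The key-reuse renewal requested in this issue, as an added shell example (not part of the original issue and not Vesta's v-generate-ssl-cert code): the key is created only when missing, each renewal builds a new CSR from it, and the TLSA digest is derived from the public key so it stays the same across renewals. The function names, the RSA 2048 key, the port 25 default and the `3 1 1` TLSA parameters (DANE-EE, SPKI, SHA-256) are assumptions.

```sh
#!/bin/sh
# Added example, not Vesta's v-generate-ssl-cert. Function names, RSA-2048,
# port 25 and the "3 1 1" TLSA parameters are assumptions for illustration.

# Create the private key only on first use; an existing key is never replaced.
ensure_key() {
    [ -s "$1" ] && return 0
    (umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null)
}

# New CSR from the existing key (the command from the issue, plus -subj).
make_csr() {
    openssl req -new -key "$1" -out "$2" -sha512 -subj "/CN=$3"
}

# Hex SHA-256 of a DER SubjectPublicKeyInfo read from stdin
# (TLSA selector 1 = SPKI, matching type 1 = SHA-256).
spki_digest() {
    openssl dgst -sha256 -r | cut -d' ' -f1
}

key_spki_sha256() {
    openssl pkey -in "$1" -pubout -outform DER | spki_digest
}

csr_spki_sha256() {
    openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | spki_digest
}

# One renewal cycle: keep the key, build a fresh CSR, print the TLSA record.
# Usage: renew <hostname> <directory> [port]
renew() {
    key="$2/$1.key"; csr="$2/$1.csr"
    ensure_key "$key" || return 1
    make_csr "$key" "$csr" "$1" || return 1
    pin=$(key_spki_sha256 "$key")
    # Stop if the CSR does not carry the pinned key; the published record would break.
    [ "$pin" = "$(csr_spki_sha256 "$csr")" ] || return 1
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "${3:-25}" "$1" "$pin"
}
```

Calling `renew` twice for the same hostname and directory prints the same record line, so the TLSA entry in DNS needs no change after a renewal.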