
I also wrote a tool to automate this, using Ruby. Rather than an all-in-one magic solution, it is just a set of tools intended to be easy to modify to fit into your existing workflow/app.

https://github.com/paul/letsencrypt-route53




Does anyone know if the DNS challenge changes every renewal, or if I can leave it there forever and have renewals work?


ACME defines an authorization object, which is created for every FQDN on a certificate. Part of this object is a randomized token. A valid authz object (i.e. one for which you have solved a challenge by, say, creating a TXT record with the token) allows you to request (any number of) certificates for the FQDN until the expiration date of the object is reached (10 months in case of Let's Encrypt).

So basically you can get up to 13 months' worth of certificates out of one token/solved challenge. That being said, none of the clients I'm aware of currently reuse authorizations - they create a new one during renewal, which would result in a new token.
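
The per-FQDN authorization reuse described in the comment above, as an added Ruby example that is not part of the thread or of any client mentioned in it. The field names (`identifier`, `status`, `expires`) are those of the ACME authorization resource; the sample objects are constructed and the function name is hypothetical.

```ruby
require 'json'
require 'time'

# Constructed sample authorization objects (not real ACME server output).
SAMPLE_AUTHZS = JSON.parse(<<~EOS)
  [
    {"identifier": {"type": "dns", "value": "www.example.com"},
     "status": "valid", "expires": "2016-11-20T00:00:00Z"},
    {"identifier": {"type": "dns", "value": "api.example.com"},
     "status": "valid", "expires": "2016-02-01T00:00:00Z"},
    {"identifier": {"type": "dns", "value": "mail.example.com"},
     "status": "pending", "expires": "2016-02-10T00:00:00Z"}
  ]
EOS

# Returns the FQDNs that still need a fresh challenge (and so a new token)
# before a certificate covering all of `fqdns` can be requested at `now`.
# An authorization is reusable only if it names that exact FQDN, its status
# is "valid" (a challenge was already solved), and it has not yet expired.
def names_needing_challenge(fqdns, authzs, now)
  reusable = authzs.select do |a|
    a.dig('identifier', 'type') == 'dns' &&
      a['status'] == 'valid' &&
      a['expires'] &&
      Time.iso8601(a['expires']) > now
  end
  covered = reusable.map { |a| a.dig('identifier', 'value').downcase }
  fqdns.reject { |name| covered.include?(name.downcase) }
end

# Hypothetical renewal run covering four names on one certificate.
if __FILE__ == $PROGRAM_NAME
  names = %w[www.example.com api.example.com mail.example.com blog.example.com]
  pending = names_needing_challenge(names, SAMPLE_AUTHZS, Time.utc(2016, 2, 5))
  puts "new challenge required for: #{pending.join(', ')}"
end
```

A client that always creates a new authorization at renewal, as the comment says current clients do, behaves as if this list always contained every name.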


Ah, thanks. So this is not really that useful, since I can't keep reusing the same object. I guess I'll have to stick with the webroot method, too bad.



