Re Viktor mentioning earlier on the Postfix mailing list that "there's a need for an example complete config file":
https://letsdns.org/example.html shows a complete and functioning example, in which I have only changed the domain name to example.com.
Dehydrated stores newly issued (i.e. queued) Let's Encrypt certificates in /var/lib/dehydrated/certs/example.com and calls LetsDNS from a hook function. LD generates DNS records for both the queued and the active certificate (found in /etc/postfix/tls). Two days later the queued cert is copied over the active one.
This ensures a non-breaking certificate roll-over, further backed by the TLSA records LetsDNS generates for the CA certificate. Also, as is mentioned in the docs, LetsDNS deduplicates TLSA records automatically to avoid superfluous entries if possible.
I hope this sheds a bit more light on what is happening.
-Ralph