Actually, I might have come up with a workaround myself. Technically, I only need it for the forward and reverse DNS entries:

----- s n i p -----
# designate record-list domain.tld. | grep rabbit | sort -k8
| ae65b08a-d825-4cc1-b796-ac42262ddc0a | A    | service-rabbitmq-swarm.domain.tld. | 10.104.0.10
| 0f63067b-c27f-4ef3-a274-39a845a21a51 | A    | service-rabbitmq-swarm.domain.tld. | 10.104.0.11
| 4ca83b80-d9dc-4f4b-84a8-145390746d09 | A    | service-rabbitmq-swarm.domain.tld. | 10.104.0.12
| c5391582-825f-4fb9-b8cf-bcb5327a0d8b | A    | service-rabbitmq-swarm.domain.tld. | 10.104.0.13
| 49b6b335-3e2e-4878-bb75-e095ea20149b | A    | service-rabbitmq-swarm.domain.tld. | 10.104.0.14
# designate record-list 0.104.10.in-addr.arpa. | grep rabbit | sort -k5
| f26d3844-6de9-405a-9352-76fe3d3e37dd | PTR  | 10.0.104.10.in-addr.arpa. | service-rabbitmq-swarm.domain.tld.
| 376a1724-f3c7-42e4-872a-3d36c13655a5 | PTR  | 11.0.104.10.in-addr.arpa. | service-rabbitmq-swarm.domain.tld.
| e103df81-34f3-4df4-8cd0-c267d3889c61 | PTR  | 12.0.104.10.in-addr.arpa. | service-rabbitmq-swarm.domain.tld.
| 2a4a92b2-28d4-4e44-9655-40e79806637a | PTR  | 13.0.104.10.in-addr.arpa. | service-rabbitmq-swarm.domain.tld.
| 645a37be-a128-400a-89e1-f5fdf648202e | PTR  | 14.0.104.10.in-addr.arpa. | service-rabbitmq-swarm.domain.tld.
----- s n i p -----

This messes up puppet (because all the hosts have the same hostname, so the cert is only allotted to the _first_ host that connects, so all the other will get a cert/hostname mismatch).

But my workaround looks something like this:

instance stack:
  1. Create port.
  2. Create instance, bind 'port' to instance.
  3. Create DNS record:
     https://gist.github.com/FransUrbo/dbe19ffac8260f849b8fa31c017c42d3
  4. Create reverse DNS record:
     https://gist.github.com/FransUrbo/d3498882b751363a9e9035e6aee20f64

Ugly as S**t, but it gets prettier once put into separate sub-stacks etc.


Final result. Both the forward and the reverse DNS is unique, which was _my_ goal:

----- s n i p -----
# designate record-list domain.tld. | grep rabbit | sort -k8
| 4a48d632-18bc-4eca-941a-9ed0c0a35e19 | A    | service-rabbitmq-swarm-16.domain.tld. | 10.104.0.16
| 86bed374-6ada-4ae3-831d-bfc1f4276329 | A    | service-rabbitmq-swarm-17.domain.tld. | 10.104.0.17
| 15147bb9-a8db-4d2c-a88d-bf25b013e728 | A    | service-rabbitmq-swarm-18.domain.tld. | 10.104.0.18
| d6e5a1dd-68fa-4d45-b7d5-6f6f87a3226c | A    | service-rabbitmq-swarm-19.domain.tld. | 10.104.0.19
| eb419e11-06f5-450f-8d92-7b9794cc186f | A    | service-rabbitmq-swarm-20.domain.tld. | 10.104.0.20
# designate record-list 0.104.10.in-addr.arpa. | grep rabbit | sort -k5
| aa247eb7-abe7-437b-a1b0-9d6096f050e7 | PTR  | 16.0.104.10.in-addr.arpa. | service-rabbitmq-swarm-16.domain.tld.
| 3f888754-abbe-4cba-8c29-9f02698afe35 | PTR  | 17.0.104.10.in-addr.arpa. | service-rabbitmq-swarm-17.domain.tld.
| cafaedf2-45b1-401a-ade5-175ae93fb487 | PTR  | 18.0.104.10.in-addr.arpa. | service-rabbitmq-swarm-18.domain.tld.
| 32b44c68-385f-418b-810f-b99a740e4f7b | PTR  | 19.0.104.10.in-addr.arpa. | service-rabbitmq-swarm-19.domain.tld.
| c9c1cbf1-cc96-494f-8091-049812c85d2c | PTR  | 20.0.104.10.in-addr.arpa. | service-rabbitmq-swarm-20.domain.tld.
----- s n i p -----