I use https://github.com/go-acme/lego and DNS validation. I'm not sure what DNS provider you're using, but a ton of them have robust APIs. In my case, I'm using Route53, which is notable in that I can generate API credentials that can only update the specific record needed for a particular name's ACME validation record.
Here's a list of supported providers: https://go-acme.github.io/lego/dns/
And in case you're curious, the API perms dance to do specific-record updates: https://github.com/armorfret/terraform-aws-r53-certbot/blob/...
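
An added example, not part of the comment above and not taken from the linked Terraform module: a small generator for an IAM policy that limits Route53 writes to the `_acme-challenge` TXT records of the named domains, using Route53's `ChangeResourceRecordSets` condition keys. The hosted zone ID `Z0EXAMPLE`, the function names, and the set of read-only actions the ACME client needs are assumptions.

```python
import json
import re

# Normalized record names are lowercase with no trailing dot; other characters
# would need octal escapes, so this sketch rejects them instead of escaping.
_NAME_RE = re.compile(r"[a-z0-9_-]+(\.[a-z0-9_-]+)*")

def challenge_record(domain: str) -> str:
    """Return the normalized TXT record name DNS-01 validation uses for `domain`."""
    name = domain.strip().lower().rstrip(".")
    if name.startswith("*."):
        # A wildcard certificate is validated at the base name.
        name = name[2:]
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"not a usable DNS name: {domain!r}")
    return "_acme-challenge." + name

def scoped_policy(hosted_zone_id: str, domains: list[str]) -> dict:
    """Build a policy whose only write permission is the validation records."""
    records = sorted({challenge_record(d) for d in domains})
    zone_arn = f"arn:aws:route53:::hostedzone/{hosted_zone_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Read-only calls (assumed): poll change status, find the zone, list records.
            {"Effect": "Allow", "Action": "route53:GetChange",
             "Resource": "arn:aws:route53:::change/*"},
            {"Effect": "Allow", "Action": "route53:ListHostedZonesByName",
             "Resource": "*"},
            {"Effect": "Allow", "Action": "route53:ListResourceRecordSets",
             "Resource": zone_arn},
            # The write: every record in the change batch must match both lists.
            {"Effect": "Allow", "Action": "route53:ChangeResourceRecordSets",
             "Resource": zone_arn,
             "Condition": {"ForAllValues:StringEquals": {
                 "route53:ChangeResourceRecordSetsNormalizedRecordNames": records,
                 "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
             }}},
        ],
    }

if __name__ == "__main__":
    # Constructed sample input: apex plus wildcard share one validation record.
    policy = scoped_policy("Z0EXAMPLE", ["example.com", "*.example.com"])
    print(json.dumps(policy, indent=2))
```

With this policy attached, a leaked credential can rewrite the validation TXT records but cannot touch A, MX, or NS records in the same zone.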