Well, I could temporarily set up a public IP for the name during certificate (re-)validation and use one of the HTTP based challenge methods, but that would be way more complicated.
So, yes, doings it with a DNS based challenge is the only sensible way.