Obtain certificate for backup email server on third-level domain

Yes, that looks OK to me. This assumes that you can receive inbound connections from the Internet on port 443 and that nothing is currently using that port on the server.

We need to improve the documentation here, but for Certbot it's currently handled by manual:

https://certbot.eff.org/docs/using.html#manual

The bash clients (like acme.sh, getssl, and dehydrated) are famous for having more extensive and convenient support for DNS authentication, including, for example, support for a whole lot of DNS provider APIs in acme.sh.