It’s also possible, to CNAME the _acme-challenge-record to another zone.
_acme-challenge.www.example.com CNAME xyz.acme.example.com.
Only zone acme.example.com needs to offer api-updates for Let’s Encrypt, and can be hosted by different DNS-provider.