I'm not certain exactly what type of DNS record would be required, but I believe it would be either an A or a CNAME record. For each hostname for which you're seeking a cert, the ACME server tries to connect to http://$HOSTNAME/.well-known/acme-challenge/$LONGSTRING and ensure that file contains the correct contents. $LONGSTRING and its contents both look random, but are in fact cryptographically generated somehow.
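As an added example (not part of the answer above), this Python script shows the HTTP-01 mechanics the answer describes: the path component is a random token chosen by the CA, and the file body is the "key authorization" from RFC 8555, the token joined with a "." to the RFC 7638 thumbprint of the ACME account key. The hostname, the RSA JWK and the in-memory web root are constructed stand-ins; the `fetch` callback replaces the CA's real HTTP request.

```python
import base64, hashlib, hmac, json, secrets

def b64url(data: bytes) -> str:
    # ACME uses base64url without "=" padding (RFC 8555 section 6.1).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over only the required public members, keys sorted,
    # no whitespace; the digest is base64url-encoded (43 characters).
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    # The file body: token "." thumbprint. This binds the random path to the
    # ACME account key, so a body copied from another account does not verify.
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def challenge_url(hostname: str, token: str) -> str:
    return f"http://{hostname}/.well-known/acme-challenge/{token}"

def validate_http01(hostname: str, token: str, account_jwk: dict, fetch) -> bool:
    # Server-side check (RFC 8555 section 8.3): fetch the URL, strip trailing
    # whitespace, compare with the expected key authorization. `fetch` is
    # injected so this runs offline; a CA fetches from its own vantage points.
    body = fetch(challenge_url(hostname, token))
    if body is None:
        return False
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(body.rstrip(b" \t\r\n"), expected)

# Constructed RSA public JWK: not a real key, but e and n are all the thumbprint needs.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(256)))}
# The CA's random token: at least 128 bits of entropy, base64url characters only.
TOKEN = b64url(secrets.token_bytes(32))
# Constructed stand-in for the client's web root after it published the file.
WEBROOT = {challenge_url("www.example.com", TOKEN):
           key_authorization(TOKEN, ACCOUNT_JWK).encode("ascii") + b"\n"}

if __name__ == "__main__":
    print(validate_http01("www.example.com", TOKEN, ACCOUNT_JWK, WEBROOT.get))
```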