The most common way to verify ownership of a hostname in order to receive a TLS certificate is the HTTP-01 challenge on port 80. DNS challenges, however, not only allow you to get wildcard certificates; they can also be used on systems with no incoming internet access, with no manual intervention required on renewals.