Yes, that’s one option. Then you only have to distribute the certificates and keys.
Or you allow remote access to that DNS server (Bind has a secure protocol for this), do the challenge requests and cert generation on some other machine. Depends on what is more convenient for you (the latter is better if you have lots of machines/certs).
Worst case if someone compromises that DNS server they can only generate certificates but not change your actual valuable records because these are not delegated there.
It generates code and then you can use a call to some runtime execution API to run that code, completely separate from the neural network.