Certificate stuck at Awaiting certificates

Yup, it’s definitely still the case that you need an A and AAAA record to get a cert for your apex domain by itself. For root domains, we use TLS-ALPN-01. A wildcard cert for an apex domain would use a DNS-01 challenge, though.

We have a fairly in-depth blog post covering our ACME setup and some of the design decisions that went into it, which you might find useful and/or interesting, too.