Doing it this way is also more secure, since it means you don't have to give your web server unrestricted write access to every DNS record under your domain.
BIND looks fantastic but I really like the restricted nature of acme-dns -- I don't know much about DNS and I don't want to inherit a huge amount of functionality that I don't know how to properly administer -- I really only want to manage a nameserver for acme challenges.
By "UPDATE ACL" I believe that you are referring to the DNS UPDATE RFC[0] -- it looks like cert-manager doesn't support generic UPDATEs yet[1].
acme-dns is specifically designed for this purpose: https://github.com/joohoi/acme-dns
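As an added illustration of the narrow scope discussed in this thread (not code from any commenter or from the acme-dns project): the main zone only needs one CNAME on the challenge name, and the credential the web server holds names a single acme-dns subdomain whose TXT value it can set. The account values, token and thumbprint below are constructed; the `X-Api-User`/`X-Api-Key` headers and the `subdomain`/`txt` body fields follow acme-dns's `/update` API.

```python
import base64
import hashlib
import json
import re

# Constructed sample account; a real one is returned by acme-dns's /register endpoint.
ACCOUNT = {
    "username": "00000000-0000-4000-8000-000000000001",
    "password": "constructed-api-key",
    "subdomain": "11111111-1111-4111-8111-111111111111",
    "fulldomain": "11111111-1111-4111-8111-111111111111.auth.example.org",
}

# A DNS-01 TXT value is an unpadded base64url SHA-256 digest: exactly 43 characters.
_TXT_RE = re.compile(r"[A-Za-z0-9_-]{43}")


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(token || '.' || thumbprint))."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_cname(domain: str, account: dict) -> tuple[str, str]:
    """The only record added to the main zone: a CNAME delegating the challenge name."""
    name = "_acme-challenge." + domain.removeprefix("*.").rstrip(".")
    return name, account["fulldomain"]


def build_update_request(account: dict, txt: str) -> dict:
    """Headers and body for POST /update; the credential refers only to its own subdomain."""
    if not _TXT_RE.fullmatch(txt):
        raise ValueError("not a DNS-01 digest (43 base64url characters expected)")
    return {
        "headers": {"X-Api-User": account["username"], "X-Api-Key": account["password"]},
        "body": json.dumps({"subdomain": account["subdomain"], "txt": txt}),
    }


if __name__ == "__main__":
    txt = dns01_txt_value("constructed-token", "constructed-thumbprint")
    print(challenge_cname("*.example.com", ACCOUNT))
    print(build_update_request(ACCOUNT, txt)["body"])
```

If this credential leaks from the web server, the request it can build still carries nothing but a TXT value for that one delegated name; A, MX and every other record in the main zone are outside what it can express.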