No, if you can complete challenges for every DNS name in the certificate then the API lets you revoke it.

No, as the section I linked explains, you can also prove that you own the domain and then revoke the cert without having the private key. It's meant exactly for cases where some other party has obtained a cert for your domain for whatever reason (change of ownership, compromise, ...)