Now up: part III of my series on DNS Security, covering DANE (TLS certificates rooted in the DNS).
There are validationmethods / accounturi extensions to CAA and Let's Encrypt has an implementation of them for their staging service already. It allows you to force them to use only specific validation methods and by pinning the account URI you can make HTTP(S) validation secure.
I don't know why they're taking so long to deploy it to production. It even got standardized:
datatracker.ietf.org/doc/html/rfc86
It addresses the issue of not having a secure way to validate domain control. Still, other CAs are all still trusted and not required to verify DNSSEC.
I think Let's Encrypt would deploy it to production pretty quickly if there was more chatter about it. It's not a widely known feature so there's very little push for them to finish deployment. It's odd for something to be stuck in staging for so long. Can test it already though.
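As an added example (not part of this thread or of Let's Encrypt's code), here is a small Python evaluator for the CAA accounturi and validationmethods parameters discussed above; the CAA values, account URIs and CA names in it are constructed placeholders.

```python
# Added example: evaluate CAA "issue" records carrying the RFC 8657
# "accounturi" and "validationmethods" parameters against a proposed
# issuance (CA domain, ACME account URI, validation method).
# Only the "issue" property is handled; issuewild/iodef are out of scope.
# All record values, URIs and names below are constructed placeholders.
from dataclasses import dataclass

@dataclass
class CaaIssue:
    issuer: str             # CA domain name from the record, lower-cased
    params: dict            # RFC 8657 parameters, e.g. {"accounturi": "..."}

def parse_caa_issue(value: str) -> CaaIssue:
    """Parse a CAA 'issue' value of the form 'ca.example; key=val; key=val'."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return CaaIssue(parts[0].lower(), params)

def record_permits(rec: CaaIssue, ca: str, account_uri: str, method: str) -> bool:
    """A record permits the request only if every constraint it carries holds."""
    if rec.issuer != ca.lower():          # empty issuer (value ';') matches nobody
        return False
    # accounturi pins issuance to one ACME account; it must match exactly.
    if "accounturi" in rec.params and rec.params["accounturi"] != account_uri:
        return False
    # validationmethods restricts which challenge type the CA may rely on.
    if "validationmethods" in rec.params:
        allowed = {m.strip().lower() for m in rec.params["validationmethods"].split(",")}
        if method.lower() not in allowed:
            return False
    return True

def issuance_permitted(caa_values: list, ca: str, account_uri: str, method: str) -> bool:
    """Any matching 'issue' record authorizes issuance; no records means no CAA restriction."""
    records = [parse_caa_issue(v) for v in caa_values]
    return not records or any(record_permits(r, ca, account_uri, method) for r in records)

# Constructed policies (placeholder account URI, not a real one):
# 1) only this CA, only DNS-01, only the pinned account;
# 2) HTTP-01 allowed, but only for the pinned account, as the thread suggests.
PINNED_ACCOUNT = "https://acme.example/acct/123"
DNS_ONLY_POLICY = ["letsencrypt.org; validationmethods=dns-01; accounturi=" + PINNED_ACCOUNT]
PINNED_HTTP_POLICY = ["letsencrypt.org; validationmethods=http-01,dns-01; accounturi=" + PINNED_ACCOUNT]
```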

