CAA checking is mandatory, so you can always restrict to a given CA.
To get complete control with DNSSEC, you also need the accounturi and validationmethod extensions (which you need to guarantee only your account can issue, and only with the DNS validation type).
Those aren't yet mandatory, but you can restrict to a CA today which implements them, like Let's Encrypt.
DNSSEC is the weakest link here.
It is too fragile (multiple points of failure). It is high volume (= it needs to be cacheable).
Putting an authentication cert in DNS sounds good in theory, but we have never gotten that reliability.
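The CAA policy described above (one CA, pinned to one account and to DNS validation only) can be audited with a short script; this is an added example, not part of the original comments. It uses the RFC 8657 parameter names `accounturi` and `validationmethods`; the zone lines, the account number and the function names are constructed for illustration.

```python
import re

# Constructed sample zone lines; the account number is a placeholder.
SAMPLE_LOCKED = [
    'example.com. 3600 IN CAA 0 issue "letsencrypt.org; '
    'accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/0000000; '
    'validationmethods=dns-01"',
    'example.com. 3600 IN CAA 0 issuewild ";"',
]
SAMPLE_CA_ONLY = ['example.com. 3600 IN CAA 0 issue "letsencrypt.org"']

CAA_RE = re.compile(r'\bCAA\s+(\d+)\s+(\w+)\s+"([^"]*)"')

def parse_caa(line):
    """Return (flags, tag, ca_domain, params) for one presentation-format CAA line."""
    m = CAA_RE.search(line)
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    parts = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return flags, tag, parts[0].lower(), params

def audit(lines, ca, account_uri, method="dns-01"):
    """List how the CAA set falls short of 'this CA, this account, this method only'."""
    records = [parse_caa(line) for line in lines]
    findings = []
    if not any(tag == "issue" for _, tag, _, _ in records):
        findings.append("no issue record: any CA may issue")
    for _, tag, domain, params in records:
        if tag not in ("issue", "issuewild") or not domain:
            continue  # other property, or an empty value that forbids issuance
        if domain != ca:
            findings.append(f"{tag} allows another CA: {domain}")
            continue
        if params.get("accounturi") != account_uri:
            findings.append(f"{tag}: other accounts at this CA may issue")
        if params.get("validationmethods", "").split(",") != [method]:
            findings.append(f"{tag}: validation not limited to {method}")
    return findings
```

An empty result means every `issue`/`issuewild` record names the expected CA, account and validation method; the check says nothing about whether the zone itself is DNSSEC-signed.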