Comment by gzread
5 hours ago
Solves part of it. They still control your HTTP and can make LE issue a certificate for you. So actually solves nothing.
Unless you had a CAA record saying only LE certs from your account are valid. And maybe you want that record to be authenticated.
Agreed. But I meant that in the world without LE but with DNSSEC+DANE this wouldn't be an issue.