You are right that the scheme I described is vulnerable, even without MITM. fakeserver.com, upon receiving a request from the client, just sends an equal request to server.com, which creates the needed DNS record, and thus the real client is "convinced" that fakeserver.com controls DNS.
But that's just a nuance that could be fixed. I elaborate a little more on what I mean in https://news.ycombinator.com/item?id=43712754
Thx for pointing to DANE.