That only works for high-profile domains; a CA can just issue a cert, log it to CT, and if asked claim they got some DNS response from the authoritative server. Then it's a he-said-she-said problem.

Or is DNSSEC required for DV issuance? If it is, then we already rely on a trustworthy TLD.

I'm not saying there isn't some benefit in the implicit key mgmt oversight of CAs, but as an alternative to DV certs, just putting a pubkey in DNSSEC seems like a low-effort win.

It's been a long time since I've done much of this though, so take my gut feeling with a grain of salt.
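As an added illustration of "just putting a pubkey in DNSSEC" (this is example code written for this thread, not anything the commenter posted): the existing mechanism for that is a DANE TLSA record (RFC 6698), and a "3 1 1" record is simply the SHA-256 of the certificate's SubjectPublicKeyInfo. The code below builds such a record for a key, parses the zone-file presentation form, and checks a presented key against it. The Ed25519 key bytes are constructed placeholders, not real keys; the `dnssec_validated` flag stands in for the resolver's AD bit, which is the caveat the thread is circling: without DNSSEC validation the TLSA answer is just an unauthenticated DNS response and can't serve as a trust anchor.

```python
import hashlib
from dataclasses import dataclass

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (32 key bytes) }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki_der(raw_pubkey: bytes) -> bytes:
    """Wrap a raw 32-byte Ed25519 public key in its DER SubjectPublicKeyInfo."""
    if len(raw_pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ED25519_SPKI_PREFIX + raw_pubkey


@dataclass(frozen=True)
class TLSARecord:
    usage: int     # 3 = DANE-EE: this record is the trust anchor, no CA involved
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512 of the selected data
    data: bytes

    @classmethod
    def from_presentation(cls, text: str) -> "TLSARecord":
        """Parse the RFC 6698 presentation form, e.g. '3 1 1 <hex digest>'."""
        usage, selector, mtype, hexdata = text.split()
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))

    def to_presentation(self) -> str:
        """Render the record as it would appear in a zone file."""
        return f"{self.usage} {self.selector} {self.mtype} {self.data.hex()}"


def tlsa_for_spki(spki_der: bytes) -> TLSARecord:
    """Build the '3 1 1' record for a key: this is what the zone owner publishes."""
    return TLSARecord(3, 1, 1, hashlib.sha256(spki_der).digest())


def dane_ee_matches(record: TLSARecord, spki_der: bytes, dnssec_validated: bool) -> bool:
    """
    Check the SPKI presented in a TLS handshake against a TLSA record.

    dnssec_validated mirrors the resolver's AD bit. An unvalidated TLSA answer
    could have come from anyone on the path, so it is rejected outright rather
    than compared.
    """
    if not dnssec_validated:
        return False
    if record.usage != 3 or record.selector != 1:
        raise NotImplementedError("only DANE-EE (usage 3) with the SPKI selector (1) is handled")
    if record.mtype == 0:
        return record.data == spki_der
    if record.mtype == 1:
        return record.data == hashlib.sha256(spki_der).digest()
    if record.mtype == 2:
        return record.data == hashlib.sha512(spki_der).digest()
    raise ValueError(f"unknown TLSA matching type {record.mtype}")


# Constructed placeholder keys (not real key material).
SITE_KEY = bytes(range(32))
ROGUE_KEY = bytes(range(32, 64))

if __name__ == "__main__":
    published = tlsa_for_spki(ed25519_spki_der(SITE_KEY))
    zone_line = "_443._tcp.example.com. IN TLSA " + published.to_presentation()
    print(zone_line)
    fetched = TLSARecord.from_presentation(published.to_presentation())
    print("site key, DNSSEC ok :", dane_ee_matches(fetched, ed25519_spki_der(SITE_KEY), True))
    print("rogue key, DNSSEC ok:", dane_ee_matches(fetched, ed25519_spki_der(ROGUE_KEY), True))
    print("site key, no DNSSEC :", dane_ee_matches(fetched, ed25519_spki_der(SITE_KEY), False))
```

The point of the last check is the one the thread keeps returning to: a CA can be audited via CT, but a TLSA record only means anything if the chain from the root down through the TLD is signed and the client actually validates it, so "trust the TLD" is not an optional part of the design.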

DNSSEC isn't required by anything, because almost nobody uses it.