by rocqua
3387 days ago
Most of these issues aren't there with DNS based validation (presuming DNSSEC). Though, that just shifts the potential problem towards anyone in the DNSSEC chain of trust. Most notably, the controller of the TLD (most often a government) and the registrar. Thing is, those are also an issue with normal (http based) DV. After all, they could also change the A record for the domain they want a cert for. I believe the current solution to all this is focused on detection rather than prevention (through certificate transparency and similar proposals). The idea being that any organization that isn't trustworthy will only get to pull off this hack once, in a short time frame before having their trust revoked.
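The comment's point is that misissuance by an untrustworthy party in the trust chain is meant to be caught after the fact, by watching Certificate Transparency logs for certificates you did not request. The following is an added example of that detection step, not code from the commenter or from any CT project: it scans a constructed list of log entries (the JSON field names `log_index`, `issuer`, `names` and `spki_sha256` are an assumption, not any real log's schema) and flags every certificate covering a domain whose issuer or public key is not on the domain owner's allow-list.

```python
import json

# Constructed sample of CT log entries, for illustration only. The field
# names are an assumption; a real monitor would fill this list from a
# log or a CT search service.
SAMPLE_ENTRIES = json.loads("""
[
  {"log_index": 1001, "issuer": "Example Trusted CA",
   "names": ["example.test", "www.example.test"],
   "spki_sha256": "sha256:1111"},
  {"log_index": 1002, "issuer": "Example Trusted CA",
   "names": ["mail.example.test"],
   "spki_sha256": "sha256:2222"},
  {"log_index": 1003, "issuer": "Some Other CA",
   "names": ["*.example.test"],
   "spki_sha256": "sha256:3333"},
  {"log_index": 1004, "issuer": "Example Trusted CA",
   "names": ["unrelated.test"],
   "spki_sha256": "sha256:4444"}
]
""")

# Allow-list kept by the domain owner (constructed values): the CAs that
# are authorised to issue for the domain and the key(s) actually in use.
EXPECTED_ISSUERS = {"Example Trusted CA"}
EXPECTED_SPKI = {"sha256:1111"}


def covers(name_in_cert, domain):
    """True if a certificate SAN (possibly a wildcard) matches `domain`.

    A wildcard matches exactly one label to the left of its base name,
    so "*.example.test" covers "www.example.test" but not "a.b.example.test".
    """
    name_in_cert = name_in_cert.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if name_in_cert == domain:
        return True
    if name_in_cert.startswith("*."):
        parent = name_in_cert[2:]
        return (domain.endswith("." + parent)
                and domain.count(".") == parent.count(".") + 1)
    return False


def find_unexpected(entries, domain, expected_issuers, expected_spki):
    """Return findings for every logged certificate that covers `domain`
    but was issued by a CA or for a key that the owner does not expect."""
    findings = []
    for entry in entries:
        if not any(covers(name, domain) for name in entry["names"]):
            continue  # certificate does not cover the monitored domain
        reasons = []
        if entry["issuer"] not in expected_issuers:
            reasons.append("unexpected issuer")
        if entry["spki_sha256"] not in expected_spki:
            reasons.append("unknown key")
        if reasons:
            findings.append({"log_index": entry["log_index"],
                             "issuer": entry["issuer"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_unexpected(SAMPLE_ENTRIES, "www.example.test",
                                   EXPECTED_ISSUERS, EXPECTED_SPKI):
        print(finding)
```

Checking both the issuer and the key matters: an entry from an authorised CA with a key the owner never generated is exactly the case where someone else passed validation, and an issuer check alone would miss it.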