It's not enough for everyone involved to have CAA enabled. They need to have CAA enabled and to select a certificate authority that does effective domain ownership validation, which - as the article suggests - means (at minimum) multiple-origin checking of network-based challenge protocols like HTTP-01.
Personally, I think anyone who has a heightened attack risk ought to contemplate a CA that does some form of more thorough validation.