How would that work? Add another DNS record? It would have to be out of band as the server cannot be trusted (see HPKP), and DNS itself could just as easily be MITMed as an HTTPS request, often even more so.
Ultimately I suppose it would have to involve some pre-shared key. It could be made tolerable with a browser add-on holding entries for critical websites. But maybe the mentioned CAA has already solved this.
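Since the comment above ends on CAA, here is an added illustration of what CAA actually decides, as an example I wrote for this page and not code from the commenter or from any CA. It evaluates a constructed CAA RRset for a hypothetical domain using the RFC 8659 rules (issue vs. issuewild, the ";" value that forbids everyone, and an RRset with only iodef not restricting anyone). The key caveat it makes visible: CAA is consulted by the certificate authority at issuance time, not by the browser at connection time, so it narrows who may issue a certificate but does not by itself protect a client from a MITM presenting a mis-issued one.

```python
"""Evaluate CAA records (RFC 8659) for a hypothetical domain (constructed example)."""
import re
from typing import List, Tuple, Union

# Constructed sample RRset for a hypothetical zone, as (flags, tag, value) tuples.
# Equivalent presentation format:
#   0 issue "letsencrypt.org"
#   0 issuewild ";"
#   0 iodef "mailto:security@example.com"
SAMPLE_CAA: List[Tuple[int, str, str]] = [
    (0, "issue", "letsencrypt.org"),
    (0, "issuewild", ";"),
    (0, "iodef", "mailto:security@example.com"),
]

CAA_RR = re.compile(r'\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*')


def parse_caa_rr(text: str) -> Tuple[int, str, str]:
    """Parse one CAA RR in presentation format, e.g. '0 issue "letsencrypt.org"'."""
    m = CAA_RR.fullmatch(text)
    if not m:
        raise ValueError(f"malformed CAA record: {text!r}")
    flags = int(m.group(1))
    if not 0 <= flags <= 255:
        raise ValueError(f"CAA flags out of range: {flags}")
    # Property tags are case-insensitive; values are kept as given.
    return flags, m.group(2).lower(), m.group(3)


def issuer_domain(value: str) -> str:
    """Issuer domain from an issue/issuewild value; parameters after ';' are ignored.
    An empty result means 'no CA may issue' (the value ';' form)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(records: List[Union[str, Tuple[int, str, str]]],
                 ca_domain: str, wildcard: bool = False) -> bool:
    """Decide whether the CA identified by ca_domain may issue for a name covered
    by this RRset, following RFC 8659 section 4:
      - empty RRset: issuance is not restricted;
      - wildcard request: issuewild records apply if any exist, else issue records;
      - non-wildcard request: only issue records apply;
      - no applicable issue/issuewild records (e.g. iodef only): not restricted;
      - otherwise the CA must match the issuer domain of some applicable record.
    """
    parsed = [parse_caa_rr(r) if isinstance(r, str) else r for r in records]
    if not parsed:
        return True
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in parsed):
        tag = "issuewild"
    applicable = [v for _, t, v in parsed if t == tag]
    if not applicable:
        return True
    want = ca_domain.strip().lower()
    return any(issuer_domain(v) == want for v in applicable)


if __name__ == "__main__":
    for ca, wild in [("letsencrypt.org", False), ("otherca.example", False),
                     ("letsencrypt.org", True)]:
        print(f"{ca:18s} wildcard={wild}: {ca_may_issue(SAMPLE_CAA, ca, wild)}")
```

Note that the decision is per CA and per requested name; the browser add-on the comment imagines would be doing something different (pinning what the client accepts), which is exactly the HPKP-style mechanism the comment already flags as hard to deploy safely.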