If the owner does not find out that someone got control of their DNS server, the attacker can do anything with the domain anyhow. Including issuing certs.
Yes, but once that access is revoked, that is enough to be certain that the attacker can no longer issue certs. With your proposal, I would then have to audit my TXT records and delete only attacker-created records.
(Which in general would be a good practise anyway, because many services do use domain validation processes similar to what you propose)
(Which in general would be a good practise anyway, because many services do use domain validation processes similar to what you propose)