
They're not just doing two queries. Anybody on HN with a strong opinion about DNS and CAs and a bare minimum of programming ability could rig up a fairly sophisticated DNS validation service in under a week. Just think about how you would do it, given a pretty reasonable budget.
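To make the comment above concrete, here is an added example (not code from the post or from any CA) of the decision logic behind multi-perspective DNS validation: the same ACME-style `_acme-challenge` TXT lookup is performed from several independent network vantage points, and a certificate is only issued if enough of them agree on the expected token. The vantage names, the token, the quorum values and the "poisoned" answer are all constructed for illustration; the lookups themselves are simulated rather than sent over the network.

```python
"""Multi-perspective DNS-01 validation check (constructed example, runs offline)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PerspectiveResult:
    """TXT lookup result as seen from one vantage point.

    txt_records is None when the lookup failed (timeout, SERVFAIL, ...)."""
    vantage: str
    txt_records: Optional[List[str]]


def perspective_agrees(result: PerspectiveResult, expected_token: str) -> bool:
    """A vantage agrees when the expected challenge token is among the TXT records it saw."""
    return result.txt_records is not None and expected_token in result.txt_records


def validate_multi_perspective(
    expected_token: str,
    results: List[PerspectiveResult],
    quorum: int,
    max_disagreeing: int = 0,
) -> Tuple[bool, List[str], List[str], List[str]]:
    """Decide whether the challenge passes across all vantage points.

    Returns (passed, agreeing, disagreeing, failed). The check passes only if
    at least `quorum` vantages saw the token AND no more than `max_disagreeing`
    vantages returned a definite answer that did NOT contain it. Lookup
    failures are tolerated for availability, but they still reduce the number
    of agreeing vantages, so they can never help an attacker reach quorum."""
    agreeing = [r.vantage for r in results if perspective_agrees(r, expected_token)]
    failed = [r.vantage for r in results if r.txt_records is None]
    disagreeing = [
        r.vantage
        for r in results
        if r.txt_records is not None and not perspective_agrees(r, expected_token)
    ]
    passed = len(agreeing) >= quorum and len(disagreeing) <= max_disagreeing
    return passed, agreeing, disagreeing, failed


# Constructed sample data: one challenge token and four hypothetical vantage points.
EXPECTED_TOKEN = "gfj9Xq-constructed-token-Rg85nm"

HONEST = [
    PerspectiveResult("primary-datacenter", [EXPECTED_TOKEN]),
    PerspectiveResult("remote-a", [EXPECTED_TOKEN]),
    PerspectiveResult("remote-b", [EXPECTED_TOKEN]),
    PerspectiveResult("remote-c", [EXPECTED_TOKEN]),
]

# One vantage point sees a different answer (e.g. its resolver path was
# tampered with); the other three see the real zone.
ONE_POISONED = [
    PerspectiveResult("primary-datacenter", ["attacker-chosen-value"]),
    PerspectiveResult("remote-a", [EXPECTED_TOKEN]),
    PerspectiveResult("remote-b", [EXPECTED_TOKEN]),
    PerspectiveResult("remote-c", [EXPECTED_TOKEN]),
]

# One vantage point timed out; nobody disagrees.
ONE_TIMEOUT = [
    PerspectiveResult("primary-datacenter", [EXPECTED_TOKEN]),
    PerspectiveResult("remote-a", None),
    PerspectiveResult("remote-b", [EXPECTED_TOKEN]),
    PerspectiveResult("remote-c", [EXPECTED_TOKEN]),
]


if __name__ == "__main__":
    for name, scenario in [("honest", HONEST), ("one poisoned", ONE_POISONED), ("one timeout", ONE_TIMEOUT)]:
        passed, agree, disagree, fail = validate_multi_perspective(EXPECTED_TOKEN, scenario, quorum=3)
        print(f"{name:13s} passed={passed} agree={agree} disagree={disagree} failed={fail}")
    # A single-perspective check has no second opinion to contradict a bad answer.
    single = [ONE_POISONED[0]]
    print("single vantage, poisoned:", validate_multi_perspective("attacker-chosen-value", single, quorum=1)[0])
```

The point of the `max_disagreeing` knob is the trade-off the comment hints at: with it at 0, a single vantage that sees a different answer blocks issuance, so an attacker would have to influence what every vantage sees rather than just one path; raising it trades some of that protection for tolerance of flaky networks. The quorum and tolerance values here are illustrative, not any particular CA's policy.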



I'm not thinking about a sophisticated service. I'm thinking about the weakest link in the chain that I could possibly exploit to generate fake certs. Pick the least secure CA with the least secure validation method and you now have valid fake certs.

Even if DNS by itself was secure enough to validate, this is a single factor and there are many ways to exploit a single factor. Why a secondary mechanism/factor isn't required for critical infrastructure makes no sense.


I'm not making a point about the CA system as a whole, just about multi-perspective DNS verification.




