There's so much brokenness here that it's hard to know where to start rebutting this. I took an hour to game through this with some people who actually work on CA initial identity verification security; here's where I land:
* First, most CAs don't do DNSSEC today, or, if they do, do DNSSEC fail-open.
* Second, CA's can already do multi-perspective DNS lookup, which means that a practical attack to defeat CAA over standard DNS requires an on-path attacker. But if the attacker is on-path, most of the mechanisms CAs use to validate a domain fail, even if you use DNSSEC.
* Finally, there's already a replacement for all this stuff in progress: RDAP, a secure JSON API that allows data to be pulled directly from registrars. Every mainstream browser and every CA/B forum CA voted to add it to the BRs; it's going to be implemented. If you really believe that something like CAA is the future for DV certs, then it seems pretty obvious that RDAP is going to be the way that happens.
Whilst it's nice that RDAP is being worked on what you've got there is very much jam tomorrow. It takes a powerful imagination to see the CA/B vote to allow RDAP (when it becomes available, which may be never for many TLDs) and interpret it as a death blow to DNSSEC, but I admit you do have such an imagination.
Your first point argues from an alleged fact, not in evidence, that "most CAs" don't obey the Baseline Requirements in respect to their requirement to use DNSSEC to avoid an on-path attacker replacing or removing CAA records. Do you have such evidence? As I said, this requirement caused CAs to spit feathers, but that's also true of e.g. record keeping requirements and CAA checking itself. One of the unexpected side benefits of Let's Encrypt at scale is that arguments go like this:
Big CA: This requirement is crazy, we issue a vast number of Web PKI certs, and the requirement would cause us to do X for most of those certs, that's just not technically feasible, the requirement must be removed.
Let's Encrypt: We do X for every single cert we issue. Big CA the logs show you issuing only 4% as many certs as us, are there hundreds of times more than you don't log?
Big CA: Um, er, oh, we just realised our single-threaded PHP program might be a bottleneck, we're investigating upgrading to PHP4 to work around that.
But then your second point argues the reverse, that CAs "can" do multi-perspective, and so even though they mostly don't we should pretend they all do. Then it jumps from this backwards argument to claiming all of the Ten (well, nine now) Blessed Methods are vulnerable to an on-path attacker "even if you use DNSSEC", when in fact several are not.
Try it, write down the Ten Blessed Methods as they stand today (yes there are currently nine), then mark whether an on-path attacker succeeds against this method when DNSSEC is in place
3.2.2.4.3, 3.2.2.4.7 and 3.2.2.4.12 are unaffected by an on-path attacker. 3.2.2.4.3 is out-of-band, which I'm sure won't bother a nation state adversary like the NSA, but is otherwise pretty good, 3.2.2.4.7 is in DNS itself, and so protected by DNSSEC, and 3.2.2.4.12 is a simple database lookup, just one that's only possible if your CA is also your registry/ registrar.
* First, most CAs don't do DNSSEC today, or, if they do, do DNSSEC fail-open.
* Second, CA's can already do multi-perspective DNS lookup, which means that a practical attack to defeat CAA over standard DNS requires an on-path attacker. But if the attacker is on-path, most of the mechanisms CAs use to validate a domain fail, even if you use DNSSEC.
* Finally, there's already a replacement for all this stuff in progress: RDAP, a secure JSON API that allows data to be pulled directly from registrars. Every mainstream browser and every CA/B forum CA voted to add it to the BRs; it's going to be implemented. If you really believe that something like CAA is the future for DV certs, then it seems pretty obvious that RDAP is going to be the way that happens.
DNSSEC is a dead letter.