
To mitigate the threat from an attacker who controls the network between the cert issuer and the DNS server, CAs will check the DNS records from multiple vantage points.

Let's Encrypt has been doing this for several years, and it's a requirement for all CAs as of 2024.

[1] https://cabforum.org/2024/08/05/ballot-sc067v3-require-domai...


