This will not work as any attacker that can MITM the client (likely scenario for end-users), can also MITM this "certificate issuing" setup and issue their own cert.

The reason an attacker can't MITM Let's Encrypt (or similar ACME issuers) is because they request the challenge-response from multiple locations, making sure a simple MITM against them doesn't work.

A fully DNS based "certificate setup" already exists: DANE, but that requires DNSSEC, which isn't wildly used.

You are right that the scheme I described is vulnerable. Even without MITM. Just fakeserver.com upon receiving request from client sends equal request to server.com, which creates the needed DNS record and thus real client is "convinced" that fakeserver.com controls DNS.

But that just a nuance that could be fixed. I elaborate little more on what I mean in https://news.ycombinator.com/item?id=43712754

Thx for pointing to DANE.