> Idea for a researcher with some time and budget: try to find out how
> many CAs use a validating DNS resolver (my guess is:
> zero).

Let's Encrypt uses a validating DNS resolver. I have tested this in the past and I recall that this is written down somewhere.

Daniel