So if you can fake packets to the nameservers coming from the IP in question, intercept the response and break it into pieces and modify the second piece, and then forward that on as if you were the original nameserver WITHOUT (or presumably BEFORE) the original nameserver packet returns... and you do this all while someone is trying to verify their domain (or else you're generating an awful lot of emails from CAs to the victim in question which will raise their suspicion), then you could get a fake cert with their name on?
Seems to me that there are a lot of easier ways to cause damage in that situation, not least just proxying / intercepting / modifying / falsifying every little packet in question, including EMAILS coming into their mailservers, which you could use to activate a domain.
An attack, yes. One solved by DNSSEC already, no need for some fancy fix. One that hinges on what we've always known was the primary assumption - that DNS is authoritative (if these guys can proxy between you and the root and modify DNS with IP-spoofing, nobody who connects to your secure site is safe anyway). One fixed by fixing that assumption, not by making up ever-more-complex rules. Things like... the ACME protocols used by LetsEncrypt, for instance.
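The attack discussed above depends on a DNS response reaching the validating resolver as more than one IP fragment. As an added example that is not part of the original comment, this sketch shows how a defender could flag such responses in captured IPv4 packets; the addresses, IP IDs and packet contents are constructed, and checksums are not verified.

```python
import socket
import struct

MF, OFFSET_MASK, UDP = 0x2000, 0x1FFF, 17  # IPv4 "more fragments" flag, offset mask, protocol number

def parse_ipv4(pkt):
    """Extract the IPv4 fields needed to reason about fragmentation."""
    ident, flags_frag = struct.unpack("!HH", pkt[4:8])
    return {
        "key": (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), ident),
        "proto": pkt[9],
        "fragment": bool(flags_frag & MF) or (flags_frag & OFFSET_MASK) != 0,
        "offset": (flags_frag & OFFSET_MASK) * 8,  # stored in 8-byte units
        "payload": pkt[(pkt[0] & 0x0F) * 4:],
    }

def fragmented_dns_responses(packets):
    """Map (src, dst, ip_id) -> fragment offsets for DNS responses split by IP."""
    frags = [p for p in map(parse_ipv4, packets) if p["proto"] == UDP and p["fragment"]]
    # Only the first fragment carries the UDP header, so only it shows port 53.
    dns = {p["key"] for p in frags
           if p["offset"] == 0 and len(p["payload"]) >= 2
           and struct.unpack("!H", p["payload"][:2])[0] == 53}
    found = {}
    for p in frags:
        if p["key"] in dns:  # later fragments are tied back by src, dst and IP ID
            found.setdefault(p["key"], []).append(p["offset"])
    return {k: sorted(v) for k, v in found.items()}

def build(src, dst, ident, more, offset, payload):
    """Build a constructed IPv4 packet (checksum left at 0, not verified here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      (MF if more else 0) | (offset // 8), 64, UDP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp(sport, body):
    """Prefix a constructed UDP header (destination port 40000, checksum 0)."""
    return struct.pack("!HHHH", sport, 40000, 8 + len(body), 0) + body

NS, RESOLVER = "192.0.2.53", "198.51.100.10"  # documentation addresses, constructed
big = udp(53, b"\x00" * 1672)                  # one DNS response larger than a 1500-byte MTU
SAMPLE = [
    build(NS, RESOLVER, 0x1A2B, True, 0, big[:1480]),       # first fragment: has UDP header
    build(NS, RESOLVER, 0x1A2B, False, 1480, big[1480:]),   # second fragment: no UDP header
    build(NS, RESOLVER, 0x1A2C, False, 0, udp(53, b"\x00" * 100)),    # unfragmented DNS
    build(NS, RESOLVER, 0x1A2D, True, 0, udp(4500, b"\x00" * 1472)),  # fragmented, not DNS
]

if __name__ == "__main__":
    for key, offsets in fragmented_dns_responses(SAMPLE).items():
        print(key, offsets)
```

The second fragment carries no UDP or DNS header of its own, which is why it can only be matched to the response through the source, destination and IP ID of the first fragment.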