This isn't about the cert issuance servers, but DNS servers. If you compromise DNS then just about any CA in the world will happily issue you a cert for the compromised ___domain, and nobody would even be able to blame them for that because they'd just be following the DNS validation process prescribed in the BRs.