tzs
If someone can tamper with your DNS TXT records now they can get a certificate for your domain.
Not tamper with the record directly, but MitM it on the way to a target.
That should be prevented by DNSSEC, no?
Depends on who your adversary is. If it's your ISP: no, DNSSEC doesn't prevent that (in every mainstream deployment scenario, your upstream DNS recursive server is the only thing really doing DNSSEC validation).
That's what DNSSEC is for.
Yes, but that's just PKI again, which is what the OP was trying to avoid.
That's already the case with dns-01 verification, no?
Besides, if someone has access to your TXT records then chances are they can also change A records, and you've lost already.