Presumed gov MitM discovered due to expired LE certs

These are both things that exist now, which can help prevent (CAA) and detect (Certificate Transparency) certificate issuances that the domain owner didn't intend.

It's important to realize that domain validation is only validating that the owner of a certificate's private key is the same entity that "controls" a name, where "controls" only means that they currently can update DNS or can update a web server at the IP pointed to by DNS. So entities that can control where DNS points or what servers IPs point to (like Internet providers and governments) can fulfill domain validation.

Though even with these tools, a MitM attack against DNS can still succeed if the domain isn't DNSSEC-signed, and it may even be that a particularly resourced or government attacker could manage to convince a registrar to remove DNSSEC from a domain (or otherwise take ownership of a domain from someone else).

Certificate Transparency Info

CAA Info

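To make the "prevent (CAA)" half of the post above concrete, here is an added example (not from the post, the forum, or Let's Encrypt's own code) of how a CA evaluates CAA records before issuing: it climbs from the requested name toward the parent until it finds a CAA RRset (RFC 8659), then decides whether a given issuer domain is allowed, including the wildcard/issuewild rule, the empty-issuer (";") "nobody may issue" form, and the "issuer critical" flag on an unknown tag. The zone below is a constructed in-memory map standing in for real DNS answers; every name in it (`example.com`, `wild.example.com`, etc.) is hypothetical.

```python
"""CAA (RFC 8659) issuance check over a constructed in-memory zone.

Added illustration; not code from the original post or from any CA.
The CA would normally obtain these RRsets via DNS, which is exactly
where a DNS-level MitM can interfere if the zone is not DNSSEC-signed.
"""
from dataclasses import dataclass
from typing import Optional

ISSUER_CRITICAL = 0x80                      # RFC 8659 flags bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed sample zone (hypothetical names, not real DNS data):
# owner name -> CAA RRset at that name.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    # Non-wildcard issuance forbidden, wildcard issuance allowed for one CA.
    "wild.example.com": [
        CAARecord(0, "issue", ";"),
        CAARecord(0, "issuewild", "letsencrypt.org"),
    ],
    # No CA at all may issue for this name or anything below it.
    "locked.example.com": [CAARecord(0, "issue", ";")],
    # Unknown tag with the critical bit set: a CA that does not
    # understand it must refuse to issue.
    "unknown.example.com": [CAARecord(ISSUER_CRITICAL, "futuretag", "x")],
}


def _normalize(name: str) -> str:
    return name.lower().rstrip(".")


def find_relevant_rrset(zone: dict, fqdn: str) -> Optional[tuple]:
    """Climb from fqdn toward the TLD; return (owner, rrset) of the first
    non-empty CAA RRset found, or None if no ancestor publishes CAA."""
    name = _normalize(fqdn)
    while name:
        if zone.get(name):
            return name, zone[name]
        if "." not in name:          # stop before the root
            return None
        name = name.split(".", 1)[1]
    return None


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org';
    ';' or '' -> '' (meaning: no issuer is permitted)."""
    return _normalize(value.split(";", 1)[0].strip())


def caa_permits(zone: dict, fqdn: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Return True if a CA identified by ca_domain may issue for fqdn
    (or *.fqdn when wildcard=True) under the zone's CAA policy."""
    found = find_relevant_rrset(zone, fqdn)
    if found is None:
        return True                  # no CAA anywhere in the chain: unrestricted
    _owner, rrset = found

    # An issuer-critical record the CA does not understand forbids issuance.
    if any(r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False

    # Wildcard requests use issuewild if present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    props = [r for r in rrset if r.tag.lower() == tag]
    if not props:
        return True                  # CAA present but no relevant property: unrestricted

    ca = _normalize(ca_domain)
    return any(issuer_domain(r.value) == ca for r in props)


if __name__ == "__main__":
    for host, ca, wild in [("www.example.com", "letsencrypt.org", False),
                           ("www.example.com", "other-ca.test", False),
                           ("wild.example.com", "letsencrypt.org", True),
                           ("locked.example.com", "letsencrypt.org", False)]:
        print(f"{'*.' if wild else ''}{host} via {ca}: "
              f"{'allowed' if caa_permits(ZONE, host, ca, wild) else 'refused'}")
```

Note that this check is only as trustworthy as the DNS answer it runs on: the CA resolves the CAA RRset at validation time, so an attacker who can alter what the CA's resolver sees for an unsigned zone can also hide the CAA record that was meant to stop them, which is the DNSSEC point made in the post.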