This is true within all DNS systems : whomever runs the DNS, runs the show.
Nonetheless, there should be a lock and key system in place to ensure that only the keyholder gets certs issued to their domain.
So that anyone can use any available public DNS system and still feel safe about their domain certs.
How does that happen?
Do we need to develop a better (smarter) authentication system?