Am I missing something here?
The authenticator service is already using a dns A record to verify the IP for ownership. How much extra programming is required to check a SRV record?
If someone else has access to my dns setup, I would guess that they also would have no problem adding false A records.