The trouble I see with this proposal is that the CAA is bound to the authorization domain name hierarchy, which is entirely unrelated to the hosting infrastructure on which the domain is hosted.
The vulnerability occurs per hosting infrastructure. It does not occur per domain to be validated. In other words, if this mechanism is allowed, a user could just add such a DNS record to his domain in order to allow the TLS-SNI validation, even if the domain is presently pointed to a vulnerable hosting infrastructure.
Generally speaking, a user will just do whatever they can to get back to working. In this case, that may mean ignoring the security risk.