IMHO, the only DNS checker that’s going to make sense for Let’s Encrypt is going to be one that’s maintained by Let’s Encrypt, or by someone who is in close consultation with Let’s Encrypt and able to change in sync with changes Let’s Encrypt makes. Subtle nuances in how Let’s Encrypt handles DNS lookups can clearly have outsized impacts on the results; expecting a third-party checker that doesn’t take into account Let’s Encrypt’s specific circumstances to provide reliable results in the long term seems doomed to failure to me.
For example, let’s look at how CAA has been rolled out. Up to a week ago, CAA SERVFAILs were no big thing – they were ignored. If a DNS checker said “WHOOP! WHOOP! Your CAA records are failing!”, that would have confused people because their certificates were being issued Just Fine. So a Let’s Encrypt-“compatible” DNS checker should have been, at most, mildly dissuading of a CAA SERVFAIL. Then, a week ago, the situation changed, and the reverse is now true – a Let’s Encrypt-“compatible” DNS checker should have been waving the red flag about the same situation. Unless this Let’s Encrypt-“compatible” DNS checker was aware of (and cared enough about) these changes in Let’s Encrypt, they wouldn’t have made the appropriate change at the appropriate moment, and they’d be giving bad advice. This is why I say that any Let’s Encrypt-recommended DNS checker really needs to be built and maintained in very close collaboration with the Let’s Encrypt engineering team, preferably with heads-up of any changes which could conceivably have an impact on DNS.
I’m not sure that a motivated third-party with an inside line on upcoming changes is even enough, though. Take this PowerDNS bug that’s causing a bit of heartburn – it only appears because LE is using a fairly obscure security-oriented configuration option (so-called “0x20 bit”). I’m sure there are a bunch of other things that Let’s Encrypt are doing behind the scenes, for all manner of very good reasons, that nobody outside knows about, and I’d say it’s unlikely that a third-party DNS checker is going to get all of the knobs in exactly the right places without being told exactly how Let’s Encrypt does DNS checking – a level of detail which I doubt is achievable by anything other than access to the infrastructure, or at least the complete configuration management system data to build it. Maybe a third-party could be trusted with all that, but I don’t think there’s too many people who are both (a) sufficiently trustworthy to be given that level of access, and (b) have enough spare time to be able to reverse-engineer the Let’s Encrypt resolution environment and build and maintain such a system – and I can’t imagine such a service gaining enough revenue or donations to be able to pay someone to do all that.
Thus, at the end of the day, I think that if Let’s Encrypt wants a DNS checker that’s anything more than either “one of these seven services might give you a hint” or “this thing over here works sometimes, but gives false (positives|negatives) in this list of cases”, Let’s Encrypt is going to have to build it – or at least fund it (which amounts to essentially the same thing).