When a CA has an incident, such as learning that one of their domain validation methods is flawed, they need to be able revoke all certificates impacted by the incident. Without a reliable database of certificates, there's no guarantee they'll find all of the impacted certificates. OCSP could fail closed in this situation. CRLs always fail open.
Aside: it was in fact envisioned that OCSP could be used to detect CA compromises, and the BRs used to say "The CA SHOULD monitor the OCSP responder for requests for 'unused' serial numbers as part of its security response procedures." I'm not sure how many CAs actually implemented that, and in any case I don't think it ever detected any compromises.
This central authority for certificate validation seems like extra infrastructure without which the internet fails.
Once upon a time, internet communication was between two computers. Now there is a third computer to verify that the communication between two computers is legitimate.
Is there another communication design that works without the need for a third computer?
Edit: I don't think so. Identity validation of a public computer should be done by another well-trusted computer.
Between two distrusting parties, a third mediating party is needed. But that party does not need to be centralized. Indeed, there are many TLS certificate registrars.
So many reasons, but the simplest is that those lookups will constantly fail because middleboxes makes variegated inane decisions about 53/udp and 53/tcp, which means you need to have a fallback mechanism, which will inevitably be exploitable. DANE is a dead letter.
Though sometimes the CA needs to know more than just the validation method to determine if a certificate should be revoked, and it's not practical to stuff it all in an extension (e.g. this recent GoDaddy issue which required examining past CAA queries: https://bugzilla.mozilla.org/show_bug.cgi?id=1904748).
Aside: it was in fact envisioned that OCSP could be used to detect CA compromises, and the BRs used to say "The CA SHOULD monitor the OCSP responder for requests for 'unused' serial numbers as part of its security response procedures." I'm not sure how many CAs actually implemented that, and in any case I don't think it ever detected any compromises.