
Misissuance from direct DNS spoofing basically never happens. When the DNS is used to misissue a certificate, what has normally happened is a registrar account has been phished. Direct DNS spoofing is an exotic attack. Further: DNSSEC has only a partial fix for it, and the WebPKI has non-DNS-dependent mitigations (most obviously CT, but also multi-perspective DNS lookup, which is apparently going to be a BR next year).

Generally speaking, setting up DNSSEC is probably a bad move for most sites.



CT is great, but you do need to look for certificates issued for your domains.
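One way to do that looking, as an added example that is not code from this thread or from any commenter: a small Certificate Transparency monitor that parses crt.sh-style JSON records (the real crt.sh JSON output carries the fields `id`, `issuer_name`, `name_value`, `not_before`, `not_after`), keeps only certificates whose names fall inside a monitored zone, and flags any whose issuer organisation is not on an allow-list, plus wildcards. The sample records are constructed for offline use; `fetch_records()` does the live query and is the only part that touches the network. The issuer-DN parsing is a plain comma split, which is enough for crt.sh's rendering but would mis-handle an escaped comma inside an attribute value.

```python
"""CT-log monitor sketch (added example, not from the thread)."""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass

CRT_SH_URL = "https://crt.sh/?q={query}&output=json"  # real crt.sh JSON endpoint


@dataclass(frozen=True)
class CtRecord:
    cert_id: int
    issuer: str          # issuer DN as crt.sh renders it, e.g. "C=US, O=Let's Encrypt, CN=R3"
    names: tuple         # DNS names from the CN/SAN, lower-cased, de-duplicated, sorted
    not_before: str
    not_after: str


@dataclass(frozen=True)
class Finding:
    cert_id: int
    reason: str
    issuer: str
    names: tuple         # the names that placed this cert inside a monitored zone


def issuer_org(issuer_dn: str) -> str:
    """Return the O= attribute of a comma-separated DN ('' if absent).
    Simple split: an escaped comma inside a value would break this."""
    for part in issuer_dn.split(","):
        part = part.strip()
        if part.startswith("O="):
            return part[2:]
    return ""


def covers(san: str, domain: str) -> bool:
    """True if a SAN entry names `domain` or something under it.
    A label-boundary check, not a substring test, so example.com.evil.test
    and notexample.com do not match example.com. A wildcard *.example.com
    names hosts under the zone, so it counts as inside the zone too."""
    san, domain = san.lower().rstrip("."), domain.lower().rstrip(".")
    if san.startswith("*."):
        san = san[2:]
    return san == domain or san.endswith("." + domain)


def parse_records(json_text: str) -> list:
    """Parse crt.sh JSON into CtRecords, dropping repeated rows for the same cert id."""
    seen, out = set(), []
    for row in json.loads(json_text):
        cert_id = int(row["id"])
        if cert_id in seen:
            continue
        seen.add(cert_id)
        names = tuple(sorted({n.strip().lower() for n in row["name_value"].split("\n") if n.strip()}))
        out.append(CtRecord(cert_id, row["issuer_name"], names, row["not_before"], row["not_after"]))
    return out


def fetch_records(domain: str, timeout: int = 30) -> list:
    """Live query: the zone apex and its subdomains, merged and de-duplicated."""
    rows = []
    for query in (domain, "%." + domain):
        url = CRT_SH_URL.format(query=urllib.parse.quote(query))
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            rows.extend(json.loads(resp.read()))
    return parse_records(json.dumps(rows))


def audit(records, monitored_domains, allowed_issuer_orgs, flag_wildcards=True) -> list:
    """Flag certs in our zones from issuers we do not use, and wildcards if asked."""
    findings = []
    for rec in records:
        matched = tuple(n for n in rec.names if any(covers(n, d) for d in monitored_domains))
        if not matched:
            continue                      # lookalike or unrelated name: not ours to alert on
        org = issuer_org(rec.issuer)
        if org not in allowed_issuer_orgs:
            findings.append(Finding(rec.cert_id, f"unexpected issuer {org!r}", rec.issuer, matched))
        if flag_wildcards and any(n.startswith("*.") for n in matched):
            findings.append(Finding(rec.cert_id, "wildcard certificate", rec.issuer, matched))
    return findings


def new_since(records, known_ids) -> list:
    """Certs not seen on a previous run (persist the ids between runs to get alerts only once)."""
    return [r for r in records if r.cert_id not in known_ids]


# Constructed sample in crt.sh JSON shape; not real log data. Row 1001 appears twice on purpose.
SAMPLE_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T00:00:00"},
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T00:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Some Other CA, CN=Some Other CA Issuing 1",
     "name_value": "mail.example.com",
     "not_before": "2024-03-02T00:00:00", "not_after": "2025-03-02T00:00:00"},
    {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.example.com",
     "not_before": "2024-03-03T00:00:00", "not_after": "2024-06-01T00:00:00"},
    {"id": 1004, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.evil.test",
     "not_before": "2024-03-04T00:00:00", "not_after": "2024-06-02T00:00:00"},
])


if __name__ == "__main__":
    recs = parse_records(SAMPLE_JSON)
    for f in audit(recs, ["example.com"], {"Let's Encrypt"}):
        print(f.cert_id, f.reason, f.names)
```

Run it on a schedule, persist the ids returned by `parse_records` between runs, and alert on `new_since()` plus anything `audit()` returns; a cert for your zone from a CA you never used is exactly the misissuance signal CT exists to surface.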



