As a further extension to the proposal, one could indicate the issuing Certificate Authority for their domain via DNS in a TXT record (akin to an SPF record). For example:
TXT = "v=ct1 root={public-signing-key or thumbprint}"
One could go a step further and include a thumbprint of their certificate(s) for the domain:
TXT = "v=ct1 root={public-signing-key or thumbprint} c={certificate-thumbprint}"
This would be a simple and fast DNS check and could be much more expedient than checking the database. If the CT1 TXT record is present, then it is observed. This raises the bar further, as it potentially eliminates the window of time in which a rogue certificate is in use but has not yet been observed / witnessed as such.
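A sketch of the client-side check this record would enable, as an added example that is not part of the original proposal: it parses the `v=ct1` TXT string and compares the presented certificate against it. Assumptions: thumbprints are hex SHA-256 over the DER certificate, `c=` may repeat, a present record is binding, and the function names and sample bytes are constructed for illustration; the DNS lookup itself is left out so the code runs offline.

```python
# Added example: the thumbprint form and matching rules are assumptions.
import hashlib

def thumbprint(der: bytes) -> str:
    """Assumed thumbprint form: lowercase hex SHA-256 of the DER certificate."""
    return hashlib.sha256(der).hexdigest()

def parse_ct1(txt: str):
    """Parse one TXT string; return {'root': [...], 'c': [...]} or None if not ct1."""
    fields = txt.strip().split()
    if not fields or fields[0].lower() != "v=ct1":
        return None
    policy = {"root": [], "c": []}
    for field in fields[1:]:
        tag, sep, value = field.partition("=")
        if sep and value and tag in policy:  # skip unknown or malformed fields
            policy[tag].append(value.replace(":", "").lower())
    return policy

def check(txt_records, leaf_der: bytes, ca_der: bytes) -> str:
    """Return 'no-policy', 'match' or 'mismatch' for the presented certificate."""
    policies = [p for p in map(parse_ct1, txt_records) if p is not None]
    if not policies:
        return "no-policy"  # no ct1 record published: fall back to other checks
    leaf, root = thumbprint(leaf_der), thumbprint(ca_der)
    for p in policies:
        root_ok = root in p["root"]  # a record without a usable root= never matches
        leaf_ok = not p["c"] or leaf in p["c"]  # c= is optional; enforced when present
        if root_ok and leaf_ok:
            return "match"
    return "mismatch"  # record present but certificate not covered: fail closed

# Constructed placeholder bytes standing in for DER-encoded certificates.
CA, OTHER_CA = b"constructed-ca-cert", b"constructed-other-ca-cert"
LEAF, ROGUE = b"constructed-leaf-cert", b"constructed-rogue-leaf-cert"
RECORD = f"v=ct1 root={thumbprint(CA)} c={thumbprint(LEAF)}"

if __name__ == "__main__":
    for name, der, ca in [("leaf", LEAF, CA), ("rogue", ROGUE, OTHER_CA)]:
        print(name, check([RECORD], der, ca))
```

A record that carries only `root=` accepts any certificate from that CA, so the `c=` form is the one that catches a rogue certificate issued by the domain's own CA.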