My first thought on this: How do you distinguish a "real" CAA
query/response from one produced by the CA? In other words, what's to
stop a CA or whoever compromised the CA from faking it?
For the vast majority of domains - namely everyone not using DNSSEC - I
see no practical way to verify that the response was actually produced
by the relevant name servers.
For domains with DNSSEC, you could verify that the response was signed
by the relevant key, but what's to stop the CA from claiming that the
key wasn't the one that was active at the time of issuance? I don't
think DNSSEC has a mechanism that gives you a verifiable view of the DS
record of a domain at some point in time in the past.
Ultimately, you're back to a claim that can't be easily verified by a
third party and you'd have to rely on some kind of forensics (much as
you'd have to now). I'll accept that showing forensic proof of such an
event would be easier with DNSSEC in place, but that's a high price to
pay in terms of complexity/implementation cost for a relatively small
number of domains.
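Added example, not from the post above and not any CA's or validator's code: a Go sketch of what a third party could and could not check if a CA produced a DNSSEC-signed CAA response as evidence. It reconstructs the bytes an RRSIG covers (RFC 4034 section 3.1.8.1), verifies the signature under the DNSKEY the CA supplies, and then asks the separate question of whether that DNSKEY matches a DS digest (RFC 4509) the checker can actually obtain. The zone name, keys, timestamps and CAA records are constructed; Ed25519 (DNSSEC algorithm 15, RFC 8080) is used so it runs with the standard library alone; the names Evidence, check and scenario are my own. A real validator would also walk the chain from the root and compare RRSIG times with serial arithmetic.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"sort"
	"strings"
	"time"
)

const typeCAA, classIN, algED25519 = 257, 1, 15 // RFC 8659 type code, class IN, RFC 8080 algorithm

// CAA holds one record's RDATA fields (RFC 8659 section 4.1); rdata is its wire form.
type CAA struct {
	Flags      byte
	Tag, Value string
}

func (c CAA) rdata() []byte {
	return append(append([]byte{c.Flags, byte(len(c.Tag))}, c.Tag...), c.Value...)
}

// wireName is the canonical (lowercase, uncompressed) wire form of a domain name.
func wireName(name string) (b []byte) {
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		if l != "" {
			b = append(append(b, byte(len(l))), l...)
		}
	}
	return append(b, 0)
}

// dnskeyRdata is flags 257 (ZONE|SEP) | protocol 3 | algorithm | public key (RFC 4034 section 2.1).
func dnskeyRdata(pub ed25519.PublicKey) []byte {
	return append([]byte{1, 1, 3, algED25519}, pub...)
}

// keyTag implements RFC 4034 Appendix B over the DNSKEY RDATA.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, v := range rdata {
		ac += uint32(v) << (8 * uint((i+1)%2)) // even offsets are the high byte of a 16-bit word
	}
	return uint16((ac + ac>>16) & 0xffff)
}

// dsDigest is the SHA-256 DS digest (RFC 4509): SHA-256(zone name | DNSKEY RDATA).
func dsDigest(zone string, dnskey []byte) [32]byte {
	return sha256.Sum256(append(wireName(zone), dnskey...))
}

// Evidence is what a CA could hand over: the CAA RRset, the RRSIG fields and the DNSKEY it names.
type Evidence struct {
	Owner, Signer              string
	TTL, Inception, Expiration uint32
	RRs                        []CAA
	KeyTag                     uint16
	Signature, DNSKEY          []byte
}

// signedData is what the RRSIG covers (RFC 4034 section 3.1.8.1): the RRSIG RDATA minus
// the signature, then each RR of the set in canonical form, sorted by RDATA.
func signedData(e Evidence) []byte {
	var b bytes.Buffer
	labels := byte(strings.Count(strings.TrimSuffix(e.Owner, "."), ".") + 1) // wildcard owners not handled
	binary.Write(&b, binary.BigEndian, struct{ Type uint16; Alg, Labels uint8; TTL, Exp, Inc uint32; KeyTag uint16 }{
		typeCAA, algED25519, labels, e.TTL, e.Expiration, e.Inception, e.KeyTag,
	})
	b.Write(wireName(e.Signer))
	rrs := append([]CAA(nil), e.RRs...) // sort a copy so the caller's slice is untouched
	sort.Slice(rrs, func(i, j int) bool { return bytes.Compare(rrs[i].rdata(), rrs[j].rdata()) < 0 })
	for _, r := range rrs {
		rd := r.rdata()
		b.Write(wireName(e.Owner))
		binary.Write(&b, binary.BigEndian, struct{ Type, Class uint16; TTL uint32; RdLen uint16 }{typeCAA, classIN, e.TTL, uint16(len(rd))})
		b.Write(rd)
	}
	return b.Bytes()
}

// check separates the post's two questions. sigValid: the RRSIG verifies under the DNSKEY the
// CA supplied and its window covers at (plain comparison; RFC 4034 uses serial arithmetic).
// anchored: that DNSKEY hashes to a DS digest we hold, the only link a third party can check.
func check(e Evidence, at time.Time, ds [][32]byte) (sigValid, anchored bool) {
	if len(e.DNSKEY) != 4+ed25519.PublicKeySize || e.DNSKEY[3] != algED25519 || e.KeyTag != keyTag(e.DNSKEY) {
		return false, false
	}
	t := uint32(at.Unix())
	sigValid = t >= e.Inception && t <= e.Expiration &&
		ed25519.Verify(ed25519.PublicKey(e.DNSKEY[4:]), signedData(e), e.Signature)
	for _, want := range ds {
		anchored = anchored || dsDigest(e.Signer, e.DNSKEY) == want
	}
	return sigValid, anchored
}

// scenario: key A signs example.com's CAA RRset in March 2023 and a CA issues on it; the zone
// later rolls to key B, so the DS set fetched today covers only B. The evidence verifies under
// A and a forged RRset does not, but nothing fetchable today ties A to the zone.
func scenario() (sigValid, anchoredToday, anchoredThen, forgedValid bool) {
	keyA := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0xA1}, ed25519.SeedSize)) // constructed, not real zone keys
	keyB := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0xB2}, ed25519.SeedSize))
	issuance := time.Date(2023, 3, 15, 0, 0, 0, 0, time.UTC)
	ev := Evidence{Owner: "example.com.", Signer: "example.com.", TTL: 3600,
		RRs:       []CAA{{0, "issue", "ca.example.net"}, {128, "iodef", "mailto:sec@example.com"}},
		Inception: uint32(issuance.AddDate(0, 0, -14).Unix()), Expiration: uint32(issuance.AddDate(0, 0, 14).Unix())}
	ev.DNSKEY = dnskeyRdata(keyA.Public().(ed25519.PublicKey)) // what the zone's signer did in 2023
	ev.KeyTag = keyTag(ev.DNSKEY)
	ev.Signature = ed25519.Sign(keyA, signedData(ev))
	dsThen := [][32]byte{dsDigest(ev.Signer, ev.DNSKEY)}
	dsToday := [][32]byte{dsDigest(ev.Signer, dnskeyRdata(keyB.Public().(ed25519.PublicKey)))}
	sigValid, anchoredThen = check(ev, issuance, dsThen)
	_, anchoredToday = check(ev, issuance, dsToday)
	forged := ev
	forged.RRs = []CAA{{0, "issue", "attacker.example"}}
	forgedValid, _ = check(forged, issuance, dsThen)
	return sigValid, anchoredToday, anchoredThen, forgedValid
}
```

The split result is the point: sigValid and anchoredThen come back true, forgedValid false, and anchoredToday false. The signature alone proves only that whoever held key A signed that RRset; whether key A was ever delegated for example.com is exactly what a DS set observed after a key roll can no longer tell you, which is the gap the post describes.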