Oh I see what you mean. So the parent poster is saying that if some router gets compromised, then it can perform a MITM against its clients, faking the CAA record of some website which would trick the clients into believing the correct CA for that website is different from the real one.
Indeed, that would be a problem with the CAA approach, currently. To be immune against that attack, clients would either need to 1) use DNS-over-HTTPS, 2) use DNS-over-TLS or 3) perform DNSSEC validation of the CAA record.
Either 1, 2 or 3 would be enough to thwart the attack, but of course, it would be better if they did either (1 and 3) or (2 and 3).
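As an added illustration (not code from this thread or from any of the posters), the following pure-Python sketch shows the client-side rule the comment describes: a CAA answer is only acted upon when the resolver marked it Authenticated Data (DNSSEC-validated) and the path to that resolver is itself protected (DoH or DoT); an answer that arrives over plain UDP from a compromised router is ignored even if the AD bit is set, because that bit is just another forgeable byte on an unprotected channel. The DNS messages, the domain `example.com` and the CA names `good-ca.example` and `rogue-ca.example` are constructed test input; `issuer_permitted` and `transport_secure` are hypothetical names, not any browser's API.

```python
import struct

AD_FLAG = 0x0020      # "Authenticated Data" bit in the DNS header flags
QTYPE_CAA = 257
CRITICAL = 0x80       # CAA "issuer critical" flag (RFC 8659)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_caa_response(qname, records, ad):
    """Construct a minimal DNS response carrying CAA records (test input only)."""
    flags = 0x8180 | (AD_FLAG if ad else 0)          # QR, RD, RA (+AD)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_CAA, 1)
    answer = b""
    for caa_flags, tag, value in records:
        rdata = bytes([caa_flags, len(tag)]) + tag.encode("ascii") + value.encode("ascii")
        answer += encode_name(qname) + struct.pack("!HHIH", QTYPE_CAA, 1, 300, len(rdata)) + rdata
    return hdr + question + answer


def decode_name(msg, off):
    """Decode a wire-format name, following compression pointers (0xC0xx)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            name, _ = decode_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_caa_response(msg):
    """Return (ad_bit_set, [(flags, tag, value), ...]) from a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    records = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_CAA:
            caa_flags, taglen = rdata[0], rdata[1]
            tag = rdata[2:2 + taglen].decode("ascii").lower()
            value = rdata[2 + taglen:].decode("ascii").strip()
            records.append((caa_flags, tag, value))
    return bool(flags & AD_FLAG), records


def issuer_permitted(msg, issuer_domain, transport_secure):
    """Hypothetical client rule: may issuer_domain issue for the queried name?

    True/False  -> a trustworthy CAA policy was found and evaluated.
    None        -> the answer cannot be trusted (no validated path), so the
                   caller must NOT act on it; a router-level MITM can forge
                   both the RRset and the AD bit on an unprotected channel.
    """
    ad, records = parse_caa_response(msg)
    if not (ad and transport_secure):
        return None
    # An unrecognised property marked critical means "do not issue" (RFC 8659).
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue_values = [v for _, t, v in records if t == "issue"]
    if not issue_values:
        return True        # no "issue" property: CAA imposes no restriction
    allowed = {v.split(";")[0].strip().lower() for v in issue_values}
    allowed.discard("")    # a bare ";" value forbids issuance by every CA
    return issuer_domain.lower() in allowed


if __name__ == "__main__":
    real = build_caa_response("example.com", [(0, "issue", "good-ca.example")], ad=True)
    spoofed = build_caa_response("example.com", [(0, "issue", "rogue-ca.example")], ad=True)
    print("validated over DoT, good CA :", issuer_permitted(real, "good-ca.example", True))
    print("validated over DoT, rogue CA:", issuer_permitted(real, "rogue-ca.example", True))
    print("forged AD over plain UDP    :", issuer_permitted(spoofed, "rogue-ca.example", False))
```

The `None` result is the important branch: without DNSSEC validation and a protected resolver path, the client has no grounds to prefer the CAA answer over the certificate chain it already holds, so it should fall back to its normal WebPKI checks rather than let a spoofed record override them.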