@feld I believe LE currently does DNS checks from multiple AWS regions + from their own servers. So they likely would have gotten inconsistent answers and bailed out at that point. I don't know about ZeroSSL.
The attackers likely had to try issuing multiple times to get lucky and have all the lookups hit the "bad" server.
No guarantees here, but I would much, much rather have had CAA account pinning in place than not during this attack.
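As an added example (not from this thread, and not Let's Encrypt's or ZeroSSL's own code), here is how the two defenses mentioned above fit together on the CA side: a CAA check that honors the RFC 8657 `accounturi` and `validationmethods` parameters, and a multi-perspective dns-01 check that bails out as soon as vantage points disagree. The CAA records, challenge tokens, account URIs, perspective names and the rule that every perspective must agree are constructed assumptions for illustration, not any CA's actual policy or quorum.

```python
"""CAA account pinning (RFC 8657) plus multi-perspective dns-01 agreement.

Constructed example: the CAA records, tokens, account URIs and perspective
names below are made up. The all-perspectives-must-agree rule is an
assumption of this example, not a statement of any real CA's quorum policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRITICAL = 128  # RFC 8659: bit 7 of the flags byte is "issuer critical"


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str    # "issue", "issuewild" or "iodef"
    value: str  # e.g. "letsencrypt.org; accounturi=...; validationmethods=dns-01"


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split an issue/issuewild value into (issuer-domain, {param: value}), RFC 8659 s4.2."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def caa_allows(records: List[CAARecord], ca_domain: str, account_uri: str,
               method: str, wildcard: bool = False) -> bool:
    """True if ca_domain, acting for account_uri via method, may issue under these records.

    Applies RFC 8659 issue/issuewild selection and the RFC 8657 accounturi and
    validationmethods parameters. A record carrying a parameter this code does
    not recognize is treated as unusable (a conservative choice in this example).
    """
    relevant = [r for r in records if r.tag == ("issuewild" if wildcard else "issue")]
    if wildcard and not relevant:      # no issuewild: issue records govern wildcards too
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:                   # no issue/issuewild records: issuance not restricted
        return True
    for rec in relevant:
        issuer, params = parse_issue_value(rec.value)
        if issuer != ca_domain.lower():
            continue                   # "issue ;" (empty issuer) matches no CA at all
        if set(params) - {"accounturi", "validationmethods"}:
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue                   # pinned to a different ACME account
        if "validationmethods" in params:
            allowed = {m.strip() for m in params["validationmethods"].split(",")}
            if method not in allowed:
                continue               # e.g. http-01 attempted, only dns-01 pinned
        return True
    return False


def dns01_agrees(perspectives: Dict[str, Optional[str]], expected: str) -> bool:
    """True only if every vantage point saw the expected TXT value (assumed policy)."""
    return bool(perspectives) and all(v == expected for v in perspectives.values())


def decide(records: List[CAARecord], perspectives: Dict[str, Optional[str]],
           expected: str, ca_domain: str, account_uri: str, method: str) -> Tuple[bool, str]:
    """Run both checks; returns (ok, reason). Bails on the first failure."""
    if not dns01_agrees(perspectives, expected):
        bad = sorted(k for k, v in perspectives.items() if v != expected)
        return False, "inconsistent dns-01 answers from " + ", ".join(bad)
    if not caa_allows(records, ca_domain, account_uri, method):
        return False, "CAA forbids " + ca_domain + " / " + account_uri + " via " + method
    return True, "issue"


# Constructed zone: issuance pinned to one ACME account and to dns-01 only.
OWNER_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/1234"      # made up
ATTACKER_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/9999"   # made up
ZONE_CAA = [
    CAARecord(CRITICAL, "issue",
              "letsencrypt.org; accounturi=" + OWNER_ACCOUNT + "; validationmethods=dns-01"),
    CAARecord(0, "iodef", "mailto:security@example.com"),
]

if __name__ == "__main__":
    # Only one lookup path hijacked: the legitimate server has no TXT record.
    print(decide(ZONE_CAA, {"primary": "attacker-token", "us-west": None,
                            "eu-central": None}, "attacker-token",
                 "letsencrypt.org", ATTACKER_ACCOUNT, "dns-01"))
    # Every lookup hit the bad server, but the CAA pin still stops it.
    print(decide(ZONE_CAA, {"primary": "attacker-token", "us-west": "attacker-token",
                            "eu-central": "attacker-token"}, "attacker-token",
                 "letsencrypt.org", ATTACKER_ACCOUNT, "dns-01"))
```

The second scenario is where the pin pays off: the attacker got lucky and every perspective hit the bad server, yet the `accounturi` parameter still rejects their account. One caveat this example assumes away: the CAA RRset is itself a DNS answer, so the CAA branch only helps where the CA sees the zone's real records (some perspectives unaffected, or DNSSEC-validated answers); an attacker who controls every lookup path can also answer the CAA query.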