You need to spoof at least three records (for the same domain) to get a certificate.


…no? Or what are the other two records? If I can control example.com, I can use an http-01 challenge to obtain a cert for example.com.

I can't do a dns-01 challenge (that would require _acme-challenge records, although even then, I'm still up to 2, not 3, records), but I don't necessarily have to do a dns-01 just to get a cert…


If you can control example.com actually on the root NS you should get the cert for example.com! That's not spoofing, that's owning.

If you can control the record seen in one datacenter for example.com, you don't get the cert. They check the root NSs from three DCs.


To be fair, these days you need to spoof it in at least two locations around the world - they will query you from at least two locations. But yeah, it is bootstrapping security out of seemingly nowhere.


Even in the dns-01 case you only need the one _acme-challenge record to *get* the cert. You only need more records to be able to do something meaningful with your cert, e.g. A/AAAA records that point to your malicious server and serve that cert.


Best practice is to use CAA records, which would help reduce the impact unless the CAA specifies letsencrypt.
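How a CA decides whether a CAA policy permits issuance, as an added example that is not from this thread: a simplified RFC 8659 evaluation (walk toward the root, issuewild overriding issue for wildcard requests, an unrecognised critical property blocking issuance) over constructed zone data. The ZONE contents and the helper names are assumptions for the example.

```python
"""Simplified RFC 8659 CAA evaluation, as a CA would run it before issuing."""
from dataclasses import dataclass


@dataclass
class CAA:
    flags: int   # bit 7 (value 128) = issuer critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org; validationmethods=http-01" or ";"


# Constructed zone data, not a real lookup: example.com allows only Let's Encrypt
# for ordinary names and forbids wildcard issuance entirely (issuewild ";").
ZONE = {
    "example.com.": [CAA(0, "issue", "letsencrypt.org; validationmethods=http-01"),
                     CAA(0, "issuewild", ";")],
}


def relevant_caa(fqdn: str, zone: dict) -> list:
    """RFC 8659 s3: climb from the name toward the root; the first RRset found wins."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """The issuer-domain-name is the text before the first ';', so ';' alone names nobody."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(fqdn: str, ca_domain: str, zone: dict, wildcard: bool = False) -> bool:
    rrset = relevant_caa(fqdn, zone)
    if not rrset:
        return True                      # no CAA anywhere up the tree: unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag.lower() not in known for r in rrset):
        return False                     # unrecognised critical property: must not issue
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"                # issuewild replaces issue for wildcard requests
    policy = [r for r in rrset if r.tag.lower() == tag]
    if not policy:
        return True                      # CAA present but nothing restricts this request
    return any(issuer_domain(r.value) == ca_domain.lower() for r in policy)
```

A CA that performs this check from several vantage points only helps if the attacker cannot spoof the CAA answer at all of them, which is the multi-perspective point made elsewhere in the thread.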


It’s a terrible practice designed to build a moat for billion-dollar corporations feeling scared of free Let’s Encrypt certificates turning off the money printer.


My domain has a CAA of letsencrypt, how is that a moat?


Please google "CAA DNS record"
