
That just proves you have a way to manipulate DNS.

Doesn’t prove you own the thing the IP routes to.



I mean that applies to DNS authentication for non-IP certificates, too


> I mean that applies to DNS authentication for non-IP certificates, too

Right, but "show me you own foo.com" is a pretty reasonable bar to clear for issuing a certificate with a CN of "foo.com".

Show me you own `1.1.1.1` by manipulating the DNS for "foo.com" is ... not quite the same.


You seem to be misunderstanding. We're talking about https://en.m.wikipedia.org/wiki/Reverse_DNS_lookup. Either putting records directly on the in-addr.arpa. domain (what I originally had in mind), or if that's not possible, on the domain it points to (which seems a pretty watertight proof method).
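
An added example, not part of the thread: a sketch of the two reverse-DNS checks described in the comment above (a TXT record on the in-addr.arpa name itself, or on the name its PTR points to). The `ip-validation=` record format, the `lookup` stub and all zone data are assumptions constructed for illustration; no CA is known to use this format.

```python
import ipaddress

# Constructed records standing in for live DNS; names, addresses and tokens are made up.
ZONE = {
    ("10.2.0.192.in-addr.arpa", "TXT"): ["ip-validation=tok123"],
    ("20.2.0.192.in-addr.arpa", "PTR"): ["host.example.net."],
    ("host.example.net", "TXT"): ["ip-validation=tok123"],
    ("30.2.0.192.in-addr.arpa", "PTR"): ["other.example.org."],
    ("other.example.org", "TXT"): ["ip-validation=someone-else"],
}


def lookup(name, rtype, zone=ZONE):
    """Hypothetical resolver stub: return the record values for (name, type)."""
    return zone.get((name.rstrip(".").lower(), rtype), [])


def validate_ip_control(ip, token, zone=ZONE):
    """Return which reverse-DNS method proves control of `ip`, or None."""
    expected = f"ip-validation={token}"  # assumed record format
    # 192.0.2.10 -> 10.2.0.192.in-addr.arpa (IPv6 addresses map to ip6.arpa)
    rname = ipaddress.ip_address(ip).reverse_pointer
    # Method 1: TXT record placed directly on the reverse name.
    if expected in lookup(rname, "TXT", zone):
        return "reverse-zone-txt"
    # Method 2: follow the PTR and look for the TXT on the name it points to.
    for target in lookup(rname, "PTR", zone):
        if expected in lookup(target, "TXT", zone):
            return "ptr-target-txt"
    # No reverse records, or the token does not match: validation fails.
    return None


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(addr, validate_ip_control(addr, "tok123"))
```
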



