In a perfect world there would be a special DNS record type for this. The DNS server would store the full token value, but would return the hash when someone queries it. I think this would provide both maximum security and maximum privacy.

You could use your DNSSEC signing key to sign a validation message (offline, because that doesn't work over DNS).

As discussed elsewhere in this thread, domain validation needs to be frequently rechecked. Therefore, it's far more convenient to publish a DNS record than to manually sign messages out-of-band.

DNSSEC already provides attestation, why add another layer within the same system?

Because a DNSSEC attestation is usually public, except if you maybe use NSEC 3 and hide the RR behind some random name.