We would prefer not to have to trust the DNS hierarchy, but, it is convenient for most users and alternative systems at the moment did not solve the problem in a satisfactory manner.
Our zones are secured using DNSSEC. Tenants' zones will be signed when handling the KSK rollover with the parent zone is smooth enough (and fully automated, WIP).
Nowadays it is no more viable to operate a self-signed CAs as all softwares and providers rejects them. Moreover, it is quite inconvenient to setup a custom CA for non-technical users and it makes our life difficult to communicate and exchange with external entities through our infrastructure. That is why we decided to trust Let's Encrypt to generate certificates. The root of the problem is not solved but at least the validation process is sound and open. It is also automated, using Free Softwares, so we can handle certificate management by ourselves. We keep using our CA for internal services but public-facing ones now use Let's encrypt (#676).
To counteract the loss in security we use another system (DANE, see below); it requires trusting the DNS hierarchy, but there are less players involved and it has proved more reliable. Unfortunately DANE adoption is quite slow; nevertheless we decided to implement it.
Initially we only used our own CA and published TLSA records for all services. Since we now use Let's Encrypt, TLSA publication has been reworked to play nice together. It is fully automated (compared to renewal with our own CA) but currently not deployed for all services yet (#675).