That is not what DANE is invented for. The TLSA records are to give extra security mainly to connect to transport endpoints (say, TCP ports) on named hosts, so that the certificates for host names can be independent of Certificate Authorities. With DNSSEC, this can be achieved in a cryptographically secure way.
Some people consider it a disadvantage, that someone controlling one level of domain names can control all names AND certificates present on those names. Actually the owners of the root domain (.) can securely fake any host name and with DANE, a secure certificate as well.
RFC6698 explains it this way:
DNS-Based Authentication of Named Entities (DANE) offers the option
to use the DNSSEC infrastructure to store and sign keys and
certificates that are used by TLS. DANE is envisioned as a
preferable basis for binding public keys to DNS names...
There is (at least one) related proposal of storing the location of user PGP keys in the DNS of their mail domains in TXT records, but it's main purpose is to make it easier to find such a key, not to actually verify it.
There IS a proposed standard RFC4398 to actually store the certificates, but as it was created before DNSSEC was widespread, it does recommend against storing whole certificates if they would cause the UDP response to be bigger than 512 bytes. It doesn't seem to me it's in wide use either.
Since all user verification occurs in server software requiring additional configuration, there's usually little need to expect official CA issued client certificates, and/or a standardized way of storing additional copies of the said certificates. You're actually free to implement any such verification in your program/site.
If you think the CA compromise may make the user certificates invalid, you it may be easier add each user certificate individually as a trusted certificate instead, for example.
