To be clear, the failure here is not that DigiCert issued for .arpa, which is not forbidden, but that they gave the reporter, Cynthia Revström, the ability to issue for all of in-addr.arpa even though she had only demonstrated control over 5.168.110.79.in-addr.arpa. This vulnerability could have applied to regular non-arpa domains too; e.g. someone with control over example.github.io might have been able to get a certificate for any github.io domain.
However, since issuing for .arpa is weird (and maybe should be forbidden), the discussion got sidetracked talking about .arpa issuance.
DigiCert's analysis of the vulnerability can be found here: https://groups.google.com/d/msg/mozilla.dev.security.policy/...
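The scope rule at issue, as an added example that is not part of the original comment and not DigiCert's code: proof of control over a name should authorize only that name and names beneath it, never a parent or sibling. The function names and the sample names are constructed for illustration.

```python
def labels(name: str) -> list[str]:
    """Lowercase labels of a DNS name; one trailing root dot is allowed."""
    parts = name.strip().lower().removesuffix(".").split(".")
    if any(not p for p in parts):
        raise ValueError(f"malformed DNS name: {name!r}")
    return parts


def covered_by(requested: str, validated: str) -> bool:
    """True only if `requested` is `validated` itself or a name beneath it."""
    req, val = labels(requested), labels(validated)
    if req[0] == "*":
        # A wildcard is judged by its base name: *.x needs x to be covered.
        req = req[1:]
    # Compare whole labels, right to left; a plain string suffix test would
    # let "evilexample.github.io" pass for "example.github.io".
    return len(req) >= len(val) and req[-len(val):] == val


def authorize(requested: str, validated_names: list[str]) -> bool:
    """Issue only for names covered by something the applicant proved."""
    return any(covered_by(requested, v) for v in validated_names)


# Constructed sample: the applicant proved control of one reverse-DNS name.
PROVED = ["5.168.110.79.in-addr.arpa"]

if __name__ == "__main__":
    for name in ["5.168.110.79.in-addr.arpa", "in-addr.arpa",
                 "1.0.0.10.in-addr.arpa", "*.in-addr.arpa"]:
        verdict = "issue" if authorize(name, PROVED) else "refuse"
        print(f"{name:30} {verdict}")
```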