I hear this a lot too and it blows my mind. How is it a nice thing about DNSSEC that your choice of domain names will have a major impact on your security? That seems like a straightforwardly bad thing.
That's a good thing. Because the same applies to just about anything else. Where your servers are, who announces your IP space. Or outside the internet, where you are living, where your company is registered, where you do business.
The current CA system is the odd one out. Any CA in any country can create a cert for your domain that is recognized everywhere.
The current CA system is the odd one out. Any CA in any country can create a cert for your domain that is recognized everywhere.