Until the CA system is completely abolished, this appears to work great with LE -- free certificates and a guarantee that no other CA can impersonate you.
The ACME protocol could conceivably be extended to update SRV records along with the certificate for some DNS providers.
1. DNSSEC uses a lot of 1024-bit RSA signatures (those are relatively weak)
2. You can't monitor the certificates that CAs issue because anyone can issue their own certificates.
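The 1024-bit RSA point above, as an added example that is not from this thread: a small Python audit that parses presentation-format DNSKEY records (RFC 3110 RSA key layout) and flags RSA keys shorter than 2048 bits. The zone data is constructed with synthetic moduli, not real keys.

```python
import base64
from dataclasses import dataclass
from typing import Optional

# DNSKEY algorithm numbers whose public key field is an RFC 3110 RSA key.
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
MIN_RSA_BITS = 2048  # audit threshold: anything shorter (e.g. 1024) is flagged as weak

@dataclass
class DnskeyAudit:
    owner: str
    flags: int          # 256 = ZSK, 257 = KSK (SEP bit set)
    algorithm: int
    rsa_bits: Optional[int]   # None for non-RSA algorithms (ECDSA, Ed25519, ...)
    weak: bool

def rsa_modulus_bits(key: bytes) -> int:
    """Modulus size in bits of an RFC 3110 RSA public key.
    Wire layout: exponent length (1 byte, or 0x00 followed by 2 bytes), exponent, modulus."""
    if not key:
        raise ValueError("empty key")
    exp_len, offset = key[0], 1
    if exp_len == 0:
        exp_len, offset = int.from_bytes(key[1:3], "big"), 3
    modulus = key[offset + exp_len:]
    if not modulus:
        raise ValueError("truncated RSA key")
    return int.from_bytes(modulus, "big").bit_length()

def audit_dnskey(record: str) -> DnskeyAudit:
    """Parse 'owner TTL IN DNSKEY flags proto alg base64...' and flag short RSA keys."""
    fields = record.split()
    owner, flags, algorithm = fields[0], int(fields[4]), int(fields[6])
    key = base64.b64decode("".join(fields[7:]))   # the base64 blob may be space-separated
    bits = rsa_modulus_bits(key) if algorithm in RSA_ALGORITHMS else None
    return DnskeyAudit(owner, flags, algorithm, bits, bits is not None and bits < MIN_RSA_BITS)

def constructed_rsa_dnskey(owner: str, modulus_bits: int, flags: int = 256, alg: int = 8) -> str:
    """Constructed DNSKEY line with a synthetic modulus of the given size (NOT a real key)."""
    n_bytes = modulus_bits // 8
    modulus = bytes([0x80]) + b"\x5a" * (n_bytes - 1)   # top bit set so bit_length is exact
    rdata = bytes([3]) + b"\x01\x00\x01" + modulus       # 3-byte exponent 65537, then modulus
    return f"{owner} 3600 IN DNSKEY {flags} 3 {alg} {base64.b64encode(rdata).decode()}"

# Constructed sample zone data: a 1024-bit ZSK (weak) and a 2048-bit KSK.
SAMPLE_RECORDS = [
    constructed_rsa_dnskey("example.test.", 1024, flags=256),
    constructed_rsa_dnskey("example.test.", 2048, flags=257),
]

def weak_keys(records: list) -> list:
    return [a for a in map(audit_dnskey, records) if a.weak]

if __name__ == "__main__":
    for a in map(audit_dnskey, SAMPLE_RECORDS):
        print(f"{a.owner} flags={a.flags} alg={a.algorithm} rsa_bits={a.rsa_bits} weak={a.weak}")
```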
The first issue seems valid, but fixable. The second is a weird thing to complain about because it is the entire point of DANE!
Fixable but very unlikely to be fixed anytime soon. Plus the tons of technical issues that make it even more of a problem to use and maintain. To make it viable it would probably have to start over.
Remedial question, for the unfamiliar folks: how do I establish a bootstrap trust w/DNSSEC? Does it require backwards-incompatible changes at the root?
https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Na...