by _yy 3848 days ago
It's not a good solution.

https://www.imperialviolet.org/2015/01/17/notdane.html


The TL;DR of that is:

1. DNSSEC uses a lot of 1024-bit RSA signatures (those are relatively weak).
2. You can't monitor the certificates that CAs issue because anyone can issue their own certificates.

The first issue seems valid, but fixable. The second is a weird thing to complain about because it is the entire point of DANE!
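The first point above is checkable from the zone data itself: an RSA DNSKEY carries its modulus in the RFC 3110 wire format, so the key size can be read straight out of the record. The following is an added example (not from the linked article or any commenter); the 2048-bit threshold, the record names and the key material are constructed for illustration.

```python
import base64
from dataclasses import dataclass
from typing import Optional

# DNSSEC algorithm numbers whose public key is an RFC 3110 RSA key.
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
MIN_RSA_BITS = 2048  # assumed policy threshold; the thread calls 1024-bit keys weak

@dataclass
class DnskeyCheck:
    name: str
    algorithm: int
    rsa_bits: Optional[int]  # None for non-RSA algorithms (e.g. ECDSA)
    weak: bool

def rsa_modulus_bits(public_key_b64: str) -> int:
    """Return the modulus size in bits of an RFC 3110 encoded RSA public key."""
    raw = base64.b64decode(public_key_b64)
    exp_len = raw[0]
    offset = 1
    if exp_len == 0:  # long form: a two-byte exponent length follows the zero byte
        exp_len = int.from_bytes(raw[1:3], "big")
        offset = 3
    modulus = raw[offset + exp_len:]  # everything after the exponent is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def check_dnskey(rr: str) -> DnskeyCheck:
    """Parse a presentation-format DNSKEY RR and flag RSA moduli below the threshold."""
    fields = rr.split()
    # <name> [<ttl>] [IN] DNSKEY <flags> <protocol> <algorithm> <base64 key ...>
    idx = fields.index("DNSKEY")
    name, algorithm = fields[0], int(fields[idx + 3])
    key_b64 = "".join(fields[idx + 4:])  # key may be split over several whitespace runs
    if algorithm not in RSA_ALGORITHMS:
        return DnskeyCheck(name, algorithm, None, False)
    bits = rsa_modulus_bits(key_b64)
    return DnskeyCheck(name, algorithm, bits, bits < MIN_RSA_BITS)

def make_rsa_dnskey(name: str, algorithm: int, modulus_bytes: int) -> str:
    """Build a constructed DNSKEY record: exponent 65537 and a dummy modulus of the given size."""
    modulus = b"\x80" + b"\x11" * (modulus_bytes - 1)  # top bit set, so bit length is exact
    raw = bytes([3]) + (65537).to_bytes(3, "big") + modulus
    return f"{name} 3600 IN DNSKEY 257 3 {algorithm} {base64.b64encode(raw).decode()}"

if __name__ == "__main__":
    # Constructed records: a 1024-bit RSASHA1 KSK and a 2048-bit RSASHA256 KSK.
    for rr in (make_rsa_dnskey("weak.example.", 5, 128), make_rsa_dnskey("ok.example.", 8, 256)):
        print(check_dnskey(rr))
```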

Fixable but very unlikely to be fixed anytime soon. Plus the tons of technical issues that make it even more of a problem to use and maintain. To make it viable it would probably have to start over.

I'm not holding my breath.