by nly 3853 days ago
The allure over other DV CAs is that it's gratis, and, soon, that it'll be deployable at the push of a button.

DANE-TA or DANE-EE still would have been better than any and all of this DV public CA nonsense. A DV cert from a public CA proves that someone on the other end of the connection momentarily controlled either the DNS records for your domain, or your web server, at some point in the near past. That's it.

DV is an extremely weak proof of identity, and provides no authentication at all (as in, proof that the issue was actually authorised by the domain owner).

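As an added example (not code from this thread), a minimal TLSA matcher that shows what the DANE-EE and DANE-TA usages mentioned above actually pin: the server's own certificate or key, or its issuer, taken from DNSSEC-signed DNS data instead of a CA's momentary DV check. The certificate and SPKI inputs are constructed placeholder bytes rather than real DER, and the TLSA RRset is assumed to have been DNSSEC-validated already.

```python
import hashlib
import hmac
from dataclasses import dataclass

_DIGEST = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}  # TLSA matching types

@dataclass(frozen=True)
class TLSA:
    """One TLSA RR: usage, selector, matching type, certificate association data."""
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes
    @classmethod
    def from_presentation(cls, text: str) -> "TLSA":
        # Zone-file form, e.g. "3 1 1 <hex>"; the hex may contain spaces.
        usage, selector, mtype, hexdata = text.split(None, 3)
        return cls(int(usage), int(selector), int(mtype),
                   bytes.fromhex(hexdata.replace(" ", "")))

    @classmethod
    def from_wire(cls, rdata: bytes) -> "TLSA":
        # RDATA wire form: three one-octet fields, then the association data.
        if len(rdata) < 4:
            raise ValueError("TLSA RDATA too short")
        return cls(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))

def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the record's data equals the selected object under its matching type."""
    if rec.selector not in (0, 1) or rec.mtype not in _DIGEST:
        return False  # unusable record: never treat it as a match
    obj = cert_der if rec.selector == 0 else spki_der
    return hmac.compare_digest(rec.data, _DIGEST[rec.mtype](obj))

def dane_accepts(records, chain) -> bool:
    """chain = [(cert_der, spki_der), ...], leaf first. Assumes the TLSA RRset was
    DNSSEC-validated; usages 0/1 also need PKIX validation and are not accepted here."""
    for rec in records:
        if rec.usage == 3 and tlsa_matches(rec, *chain[0]):
            return True  # DANE-EE: the leaf certificate/key itself is pinned
        if rec.usage == 2 and any(tlsa_matches(rec, c, s) for c, s in chain[1:]):
            return True  # DANE-TA: leaf must also chain to that anchor (not shown)
    return False
# Constructed stand-ins for DER blobs (not real X.509 data), so this runs offline.
LEAF = (b"constructed-leaf-cert-der", b"constructed-leaf-spki-der")
ISSUER = (b"constructed-issuer-cert-der", b"constructed-issuer-spki-der")
DANE_EE = TLSA.from_presentation("3 1 1 " + hashlib.sha256(LEAF[1]).hexdigest())
DANE_TA = TLSA.from_wire(bytes([2, 0, 2]) + hashlib.sha512(ISSUER[0]).digest())
```

A certificate that a DV CA issued to whoever briefly controlled the domain's DNS or web server carries a different key, so it fails both the DANE-EE and the DANE-TA check even though its CA chain is otherwise valid.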

Doesn't LetsEncrypt require that you have DNSSEC enabled on your domain, as a first step? DV is a valid proof of identity, assuming DNSSEC, right?

No, DNSSEC isn't required. LetsEncrypt supports a bunch of DV methods right now[0], but the bottom line is that if someone can control either your DNS server or your web server (any web server on an IP at which your domain points) then they can always get a certificate for your domain. This applies to all DV cert issuance from most CAs afaik.

Full DNSSEC verification by the issuing CA (LetsEncrypt) still wouldn't mitigate attacks against the "Simple HTTP" method.

[0] https://letsencrypt.github.io/acme-spec/#rfc.section.7