by chflags 3628 days ago
I agree with the distinction you make between targeted and non-targeted. But I think being able to easily accomplish targeted attacks on SSL/TLS is a cause for concern -- and indeed that's what I'm thinking of. My thought is that it should not be possible for users to place such trust in something that is so easily subverted. As for DNS, I see no reason why one cannot encrypt DNS packets to prevent tampering. If users ignorantly want to use third-party caches (which opens up more problems than just the one you mentioned), even when it's so easy to run a local cache, then we see arguments for another "trust model", e.g., DNSSEC, etc. Same problems.