[Promarged]

> put my own domain-specific CA Cert in DNS directly.

Remember that this allows any of your government or people controlling the zone to transparently put the cert there too. (For potential problems see [0]).

With the CA system (that I personally also don't like) at least the certs are logged in Certificate Transparency logs so you see any potential attacks.

[0]: https://www.theguardian.com/technology/2010/oct/08/bitly-lib...

[Arnt]

Can you elaborate?

AFAICT, anyone who controls .com can add or replace a cert for ycombinator.com, but only visibly. If they do it, they show the change to the entire world at once, because .com is signed with dnssec. Right?

[tialaramex]

Your parent mentioned Certificate Transparency. Under CT all the public CAs log certificates they issue, and everybody can see the logs, programmatically (with cryptographic security) or via a log monitor like crt.sh

So yes, bad guys operating a TLD can trick a CA into issuing for a domain under theirs, but the CT logs would preserve evidence of this cert existing, and the CA is required to keep records of why it was confident to issue. Monitors would know about the cert in 24 hours (usually much less)

[tptacek]

The idea behind the attack they're talking about is that the USG has de jure control over .COM's DNSSEC keys, and so they can in fact edit .COM transparently.