That article is incredibly misleading in what it leaves out: by using same logic, our existing CA system is equally a “backdoor”.
We have certificate transparency to help address that, and were DANE to be in actual use similar systems would quickly appear, for example using the RIPE Atlas.
DANE is not a backdoor. To exercise it as one would require replacing operator-controlled keys with government (or other) keys. This would be no less visible than doing the same with an existing certificate authority.
https://sockpuppet.org/blog/2016/10/27/14-dns-nerds-dont-con...
Edit: If any other links fail here is the original https://news.ycombinator.com/item?id=22684048