by 0xbadcafebee 1419 days ago
I think those two are examples of why it's not getting better. People point at these lame kludges and think "well maybe it's secure". But CT doesn't stop attacks and literally nobody looks at it anyway. And nobody uses CAA, and even if they did, it depends on the security of their name servers, the DNS protocol, BGP, and other things, all of which are insecure.

There is simply no way to secure a domain name without having asserted it cryptographically from the people who actually control the domain: the registrar. Only the registrar knows who owns the domain, and what that owner will allow to happen with the domain. A CSR must go through the registrar, and the registrar must pass the request to the human who owns the domain for validation. (This can be automated by the owner for automatic cert renewal.) This puts the power in the hands of the people who really control the domain, rather than a bunch of wonky insecure kludges to kinda-sorta-validate who might control a DNS record or some temporary IP space or an email address or some other nonsense.

It's friggin' 2022. If we land on Mars before we figure out how to control domain names securely, we are truly an incompetent industry.
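For readers unfamiliar with what CAA actually does, the following is an added example (not part of the thread, and not any CA's code) of the issuance check a certificate authority performs under RFC 8659: find the closest CAA record set walking up the name tree, pick `issue` or `issuewild` depending on whether the request is for a wildcard, and refuse if the issuer is not listed or an unknown critical tag is present. The `ZONE` dictionary stands in for DNS answers and is entirely constructed; in practice those answers arrive over DNS, which is the dependency the comment objects to, since without DNSSEC validation the CA is trusting an unsigned response.

```python
"""CAA issuance check per RFC 8659, over constructed (not live) DNS data."""
from typing import Dict, List, Tuple

# A CAA record as (flags, tag, value); flags bit 0x80 is "issuer critical".
CAARecord = Tuple[int, str, str]
CRITICAL_FLAG = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data standing in for DNS responses (assumption: the CA
# would normally obtain these via a DNSSEC-validating resolver).
ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),            # only this CA may issue
        (0, "issuewild", ";"),                       # no CA may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.org.": [(0, "issue", ";")],      # no issuance at all
    "open.example.net.": [(0, "iodef", "mailto:soc@example.net")],  # no issue tag
    "strict.example.com.": [(CRITICAL_FLAG, "frobnicate", "x")],    # unknown critical tag
}


def relevant_caa_set(fqdn: str, zone: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """Return the CAA RRset of the closest ancestor (or the name itself) that has one."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if zone.get(name):
            return zone[name]
    return []


def issuer_domain(value: str) -> str:
    """Strip ';'-separated parameters; an empty result means 'no issuer allowed'."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(fqdn: str, issuer: str,
                       zone: Dict[str, List[CAARecord]] = ZONE) -> Tuple[bool, str]:
    """Decide whether `issuer` may issue a certificate for `fqdn` under CAA."""
    wildcard = fqdn.startswith("*.")
    query_name = fqdn[2:] if wildcard else fqdn
    rrset = relevant_caa_set(query_name, zone)
    if not rrset:
        return True, "no CAA records found up the tree; CAA imposes no restriction"

    # An issuer that does not understand a critical tag MUST NOT issue.
    for flags, tag, _ in rrset:
        if flags & CRITICAL_FLAG and tag.lower() not in KNOWN_TAGS:
            return False, f"critical CAA tag {tag!r} not understood"

    # Wildcards use issuewild when any issuewild record exists, else issue.
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    values = [v for _, t, v in rrset if t.lower() == tag]
    if not values:
        return True, f"relevant set has no {tag} records; issuance not restricted"

    allowed = {issuer_domain(v) for v in values} - {""}
    if issuer.lower() in allowed:
        return True, f"{issuer} authorised by {tag} record"
    return False, f"{issuer} not in {tag} set {sorted(allowed) or '(nobody)'}"


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("locked.example.org", "letsencrypt.org"),
                     ("open.example.net", "anyca.example"),
                     ("www.strict.example.com", "letsencrypt.org")]:
        ok, why = issuance_permitted(name, ca)
        print(f"{name:28} {ca:18} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The check is only as trustworthy as the records fed into it: the code never sees whether the answers were DNSSEC-signed, and a CA that skips validation is deciding on data anyone on the resolution path could alter, which is exactly the comment's objection.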