by hkt 1172 days ago
Classic of the genre.

I remember around the time of the DigiNotar horrors looking at DANE and DNSSEC. As I understand it, DANE still isn't supported by browsers, and DNSSEC is still in a pitiful state.

2 comments

DANE is even worse than the CAs in this regard. Nobody trusts the CAs, so they all have to record all their issuances in a transparency log. If a CA misissues, the browsers will kill it (as has happened with some of the largest CAs). There's no way to revoke a misissued DNSSEC signature and there's no transparency log for DNSSEC, nor will there ever be, because the browsers can't force DNS registries to implement it the way they could force CAs.
Fair point. I'd honestly not considered the flaws of DNSSEC and how they play with DANE.

Another day in tech, another deep sigh.

DANE is a great idea in theory, botched by a bad practical implementation and low deployment (how much of that is related to the influence of the CA mafia is left as an exercise to the reader). There is some hope for the future: https://www.sidn.nl/en/news-and-blogs/new-opportunity-for-da...