by belorn 1122 days ago
If the issue is the lack of certificate transparency, then add that as a new standard to dnssec.

Certificate Transparency came into the picture around 2013, by which time https was fairly old. Public resolvers like google, quad 9, and cloudflare could create Certificate Transparency for dnssec today if there was a demand for it.


I've explained several times on this thread already why DNSSEC won't ever get transparency logging.

You said that registrars won't implement transparency logging, but certificate transparency was not created by certificate authorities. Google added it to Chrome, and they could just as easily add it to their own public resolver.

And then what happens? Google stops resolving .COM names? I don't think you've thought this through all the way.
"If Comodo knowingly misissues a Google Mail certificate, Google will nuke them from orbit" - tptacek

If Verisign knowingly misuses the .com root certificate, Google could nuke them from orbit by making it public. That is the whole purpose of certificate logs. Verisign operates on trust and is also a certificate authority.

The damage to Verisign if they lost their status as certificate authority and as a trusted company would create so much fallout I am doubtful that ICANN and DNS would be left without major scars.

I don't think you've thought this through all the way.

That's not at all what "nuke from orbit" means. Google broke Thawte and Verisign. They didn't simply "make it public". Thank you for clarifying this; I could have been clearer. I think the distinction between what's possible in CT and DANE is much more obvious now.