by eldridgea 915 days ago
I asked a cloudflare engineer this and the answer was a bit vague but amounted to the failure rate being something like 0.5% which was too high for the amount of TLS sessions being initiated all the time.

Although I always thought it would be a nice feature for security conscious folks to be able to enable. Or go ahead and use it on more sensitive sites only, e.g. banks.


Which leads us back to needing caching, which needs a signatory, and a list of trusted signatories, which gets us back to certificate authorities. Gotcha :-).
Caching is something DNS already has in-hand.
Perhaps you're unaware, but that problem can be largely mitigated by DNSSEC, which is why it's considered a requirement to make DANE practical.
What were the circumstances of the failures?