by perching_aix
479 days ago
What prevents me from putting the hash of the public key of my public CA certificate into the TLSA record? Nothing. What prevents clients from checking both that the public CA based certificate I'm showing is valid and is present on CT, as well as that it hashes to the same value I have placed into the TLSA record? Also nothing. Am I grossly misunderstanding something here? Feels like I missed a meta.
In terms of what you are saying, I think the main objection would be that HPKP feels a lot easier than putting it in DNS, and we couldn't even get that to work. OTOH, maybe DNS could do a lot lower TTL, which would counter some of the risks.
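The scheme the first comment describes is exactly the PKIX-EE flavour of DANE: a TLSA record of the form `1 1 1 <hex>` (certificate usage 1 = end-entity cert that must also pass normal PKIX validation, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256), with the client validating the CA chain and CT as usual and additionally comparing the presented certificate's SPKI hash to the record. The following added example, which is not from the thread or from any DANE library, builds such a record from a certificate and checks a presented certificate against it per RFC 6698. It assumes the RFC 6698 presentation format for the record, and the certificate it runs on is a constructed, unsigned DER stand-in (only the TBSCertificate field order matters for pulling out the SPKI); the PKIX chain and CT checks the comment mentions are separate steps that this code does not perform.

```python
"""Build and check DANE TLSA records (RFC 6698) against a DER-encoded X.509 certificate.
Added example: the DER walker is minimal (definite lengths only) and the sample
certificate below is constructed for illustration, not a real signed certificate."""
import hashlib
import hmac


def _der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV, using the long length form when the content is >= 128 bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content


def _der_read(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, content, whole_tlv, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], buf[pos:end], end


def _der_children(content: bytes):
    """Split the content of a constructed element into its (tag, whole_tlv) children."""
    items, pos = [], 0
    while pos < len(content):
        tag, _, whole, pos = _der_read(content, pos)
        items.append((tag, whole))
    return items


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the full SubjectPublicKeyInfo TLV: what TLSA selector 1 is computed over."""
    tag, cert_body, _, _ = _der_read(cert_der, 0)
    tbs_tag, tbs_body, _, _ = _der_read(cert_body, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    fields = _der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:   # optional explicit [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return fields[5][1]


def _selected_data(cert_der: bytes, selector: int) -> bytes:
    if selector == 0:
        return cert_der                    # full certificate
    if selector == 1:
        return spki_from_cert(cert_der)    # SubjectPublicKeyInfo only
    raise ValueError(f"unknown selector {selector}")


def _matching_data(data: bytes, matching: int) -> bytes:
    if matching == 0:
        return data                        # exact match, no hashing
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")


def build_tlsa(cert_der: bytes, usage: int = 1, selector: int = 1, matching: int = 1) -> str:
    """Presentation form of a TLSA record; usage 1 (PKIX-EE) is the comment's scheme."""
    data = _matching_data(_selected_data(cert_der, selector), matching)
    return f"{usage} {selector} {matching} {data.hex()}"


def tlsa_matches(record: str, cert_der: bytes) -> bool:
    """Does cert_der satisfy the association in the record? For usages 0/2 the caller
    passes the relevant CA certificate; for usages 1/2 PKIX validation is still required."""
    parts = record.split()
    if len(parts) != 4:
        raise ValueError("expected 'usage selector matching hexdata'")
    _usage, selector, matching = (int(p) for p in parts[:3])
    expected = bytes.fromhex(parts[3])
    actual = _matching_data(_selected_data(cert_der, selector), matching)
    return hmac.compare_digest(actual, expected)


def sample_cert(point_byte: int = 0x11, with_version: bool = True) -> bytes:
    """Constructed, unsigned stand-in for a DER certificate (not a real certificate)."""
    oid = lambda h: _der_tlv(0x06, bytes.fromhex(h))
    ecdsa_sha256 = _der_tlv(0x30, oid("2a8648ce3d040302"))        # ecdsa-with-SHA256
    spki = _der_tlv(0x30, _der_tlv(0x30, oid("2a8648ce3d0201")    # id-ecPublicKey
                                   + oid("2a8648ce3d030107"))     # prime256v1
                    + _der_tlv(0x03, b"\x00\x04" + bytes([point_byte]) * 64))  # fake point
    fields = (_der_tlv(0x02, b"\x01") + ecdsa_sha256 + _der_tlv(0x30, b"")
              + _der_tlv(0x30, b"") + _der_tlv(0x30, b"") + spki)
    if with_version:
        fields = _der_tlv(0xA0, _der_tlv(0x02, b"\x02")) + fields
    tbs = _der_tlv(0x30, fields)
    return _der_tlv(0x30, tbs + ecdsa_sha256 + _der_tlv(0x03, b"\x00" + bytes(8)))


if __name__ == "__main__":
    record = build_tlsa(sample_cert())
    print(record, tlsa_matches(record, sample_cert()))
```

Because selector 1 hashes only the SubjectPublicKeyInfo, the record survives reissuing the certificate with the same key pair, which is what makes it usable as a pin alongside a CA-issued certificate; the match function deliberately ignores the usage field, since the PKIX and CT checks that usage 1 implies live outside it.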