[jcgl]

And [the union of CAs] not-so-silently controls TLS for the whole world. And if the transparency logs are the linchpin of trust for Web PKI, then I don't think it's too hard to imagine a system where you have a similar transparency system for zone-signing keys too.

[tptacek]

It's in fact very difficult to imagine mandatory transparency logs in the DNS PKI. The story of how mandatory logs came to be for TLS involved Google and Mozilla putting a gun to the heads of the CA industry, after murdering several of them. Nobody can do that to the DNS, and just as importantly, governments don't want them to.

[jcgl]

In a world where DANE catches on on the web, I don't see why Google and Mozilla couldn't do that again. I mean, presumably there'd need to be some evidence of malfeasance, like there was with Web PKI. I don't see why Mozilla alone couldn't start by putting the screws to a smaller CCTLD and some medium-sized DNS hosts for instance.

That said, I don't particularly see DANE growing on the web.

[tptacek]

Google and Mozilla can't "dis-trust" .COM. They're stuck with it.