[kazen44]

its a shame DANE never took off. If we actually got around to running a trusted DNSSEC based DNS system and allowed clients to create certificates thanks to DANE, we would be in a far more resilient setup compared to what we are now.

But DNSSEC was hard according to some, and now we are running a massive SPOF in terms of TLS certificates.

[tptacek]

It didn't "not take off" --- it didn't work. You couldn't run it on the actual Internet with actual users, at least not without having a fallback path that attackers could trigger that meant DANE was really just yet another CA, only this one you can't detect misbehavior or kill it when it does misbehave.

[akerl_]

I'll bite: DNSSEC isn't a massive SPOF but TLS certificates are?