by mtucker502 21 days ago
How would clients receive the trusted CA data from the registrar? DNS?

This would very easily be susceptible to MITM attacks. Any DNS security to prevent MITM attacks is going to have the same CA issue we currently have.

DNSSEC is a thing, you know. And no, it doesn't allow a random Chinese agency to sign records for my .de domain.
You mean until major DNS providers turn DNSSEC off for .DE to work around misconfigurations, which literally just happened.
Operators making reckless choices like that, especially when DNSSEC is barely being used, do not invalidate the technology. And it would also not have impacted DNSSEC used for DANE, as the client would be verifying the DNSSEC chain in that case and not just the recursive resolver. But don't let that stop your eternal butthurt about DNSSEC. Whatever issues DNSSEC might have, at least it's not broken by design like the current web PKI, where we have hundreds of single points of failure.
The "operators" you're referring to are the .DE TLD operators, right?
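As an added example (not from any commenter in this thread), this is the check a DANE-aware client performs once it holds a TLSA record for the server: comparing the record's association data against the server's certificate or SubjectPublicKeyInfo. It is only meaningful if the client validated the DNSSEC chain for that TLSA RRset itself, which is the point made above about not trusting the recursive resolver. The certificate and SPKI bytes are constructed stand-ins, not real DER.

```python
"""TLSA (DANE, RFC 6698) matching check; added example with constructed data."""
import hashlib

# Matching type: 0 = exact data, 1 = SHA-256, 2 = SHA-512 (RFC 6698 section 2.1.3)
HASHES = {1: hashlib.sha256, 2: hashlib.sha512}


def tlsa_matches(tlsa: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Return True if a presentation-format TLSA record matches the presented cert.

    Usage 0/1 (PKIX-TA/PKIX-EE) additionally require ordinary PKIX validation,
    which this function does not perform; usage 2/3 (DANE-TA/DANE-EE) do not.
    The caller must already have confirmed the record is DNSSEC-validated.
    """
    usage, selector, mtype, data = tlsa.split(None, 3)
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter value")
    # Selector 0 = full certificate, 1 = SubjectPublicKeyInfo only
    subject = cert_der if selector == 0 else spki_der
    # Presentation format may wrap the hex across whitespace; normalise it
    assoc = bytes.fromhex("".join(data.split()))
    if mtype == 0:
        return subject == assoc
    return HASHES[mtype](subject).digest() == assoc


# Constructed sample bytes standing in for a server certificate and its SPKI
SAMPLE_CERT = b"\x30\x82\x01\x00constructed-certificate-bytes"
SAMPLE_SPKI = b"\x30\x59constructed-spki-bytes"


def sample_record() -> str:
    """Build a '3 1 1' record (DANE-EE, SPKI, SHA-256) pinning the constructed SPKI."""
    return "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()


if __name__ == "__main__":
    rec = sample_record()
    print(rec)
    print(tlsa_matches(rec, SAMPLE_CERT, SAMPLE_SPKI))            # True
    # A different key (e.g. a MITM's certificate) yields a different SPKI hash
    print(tlsa_matches(rec, SAMPLE_CERT, b"\x30\x59some-other-key"))  # False
```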