No, DNSSEC has nothing to do with CAs. Each DNS authority defines its own keys used to sign its records.
> They were just renamed to "Trust Anchors".
You are thinking about DANE [1], which is a protocol on top of DNSSEC. Using DANE you authorize X.509 certificates and/or CAs for certain domains. This allows you to restrict your domain to a specific well-known CA (such as Verisign), but it also allows you to authorize your own CA or even a specific certificate directly. It even works per-service, so you do not need to use the same CA/certificates for all your services.
If you were suggesting that DANE does not solve the traditional CA issue you are wrong.
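The per-service, per-certificate authorization DANE gives you, as an added example (not code from this thread): a small checker for TLSA records in the sense of RFC 6698, with constructed byte strings standing in for real DER certificates and SubjectPublicKeyInfo blobs, and a function that builds the per-service owner name.

```python
import hashlib

# Constructed stand-ins (not real certificates): the DER of a server's
# end-entity certificate, its SubjectPublicKeyInfo, and a CA cert above it.
EE_CERT = b"constructed-end-entity-cert-der"
EE_SPKI = b"constructed-end-entity-spki-der"
CA_CERT = b"constructed-intermediate-ca-cert-der"
CA_SPKI = b"constructed-intermediate-ca-spki-der"


def tlsa_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name of the TLSA record for one service: DANE is per-service."""
    return f"_{port}._{proto}.{host}."


def assoc_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Certificate association data: pick the selector, apply the matching type."""
    data = {0: cert_der, 1: spki_der}[selector]  # 0 = full cert, 1 = SPKI only
    if mtype == 0:
        return data  # exact match
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Presentation form 'usage selector mtype hex' of a TLSA record for one cert."""
    return f"{usage} {selector} {mtype} {assoc_data(cert_der, spki_der, selector, mtype).hex()}"


def tlsa_matches(record: str, chain: list[tuple[bytes, bytes]]) -> bool:
    """chain = [(cert_der, spki_der), ...], leaf first.

    Usage 1/3 (PKIX-EE / DANE-EE) pins the leaf itself; usage 0/2 (PKIX-TA /
    DANE-TA) constrains which CA may appear above the leaf. Only the DANE
    association is checked here; usages 0 and 1 additionally require a normal
    PKIX path validation, which this example does not perform.
    """
    usage, selector, mtype, hexdata = record.split()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    want = bytes.fromhex(hexdata)
    candidates = chain[:1] if usage in (1, 3) else chain[1:]
    return any(assoc_data(c, s, selector, mtype) == want for c, s in candidates)
```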
You're interpreting "CA" too literally. DNSSEC doesn't rely on X509 certificate authorities but in effect it relies on an equivalent, in that Verisign is a central authority certifying ownership of all .com domains.
A single trusted root is better than the hundreds of roots in the CA system. I don't trust Verisign very far, but I certainly trust them more than Verisign AND Diginotar AND honest achmed's used cars and certificates AND ...
And shouldn't it be possible to implement certificate pinning for whole TLDs? Then we'd only have to trust the root for unknown TLDs.
First, you don't get "a single trusted root". If DNSSEC/DANE had been deployed 3 years ago, Qhadaffi's Libyan government would have effectively been the CA for BIT.LY.
Second, and more importantly: the smaller number of trust anchors you end up with in DNSSEC are controlled by world governments.
It seems absurd to me that the Internet's response to the "global passive adversary" of NSA would be to hand the entire PKI system over to the USG formally. That's what DNSSEC does.
> ...Qhadaffi's Libyan government would have effectively been the CA for BIT.LY.
They already are, in practice. Many reputable CAs will issue certificates to anyone who can forge an MX record for a domain. With or without DNSSEC, TLD operators are capable of forging those records.
> It seems absurd to me that the Internet's response to the "global passive adversary" of NSA would be to hand the entire PKI system over to the USG formally. That's what DNSSEC does.
No, DNSSEC builds authentication into a system that is and has always been centrally controlled. And just like with the X.509 CA system, you can use pinning or Convergence or anything else you want to supplement that.
> No, DNSSEC has nothing to do with CAs. Each DNS authority defines its own keys used to sign its records.
which in turn must be signed by the zone operator (e.g.: Verisign for .com) who publishes them in DNS. So we still have Central Authorities - in the sense that there is still some overlord controlling everything.
They only have to admin the DNSSEC stuff (publish your domain name keys along with your nameservers, as you set them up through your regular domain provider).
The DANE part needs no further support than you being able to use DNSSEC for your domain's DNS. Obviously there is always some entity controlling each TLD, and that entity can screw up your domain if it acts improperly.
You're not following. DNSSEC is secured by a chain of keys leading to a root; the entity that controls the root controls the chain. If you use DNSSEC to authenticate your certificate, you're giving control over your certificate to whoever runs the roots.
If you're using a resolver which supports DNSSEC, and you're using Firefox with the DNSSEC-Validator addon from https://www.dnssec-validator.cz/ (which supports DANE) and you visit https://grepular.com/, you will see a nice little green icon in the address bar to show you that DNSSEC was used, and another green icon to show you that the SSL cert was validated using DANE.
That's interesting. I hope it sees more widespread adoption by browser vendors and the recent security disclosures will hopefully help to tip implementation in that direction.