DANE can work perfectly fine with the existing CA system to provide another way of verifying that the correct TLS certificate (or CA) is being used. Or... it can be used with a completely different trust anchor or TLS certificate that you control. Your choice.
But you and I will just have to disagree on this topic. Your dislike of DNSSEC is well-known, as is my support for it.
The USG controls .com, .net, and .org. The government of Libya controls .ly. DNSSEC puts cryptographic key material under the influence of the DNS. "No it doesn't" isn't a rebuttal to that.
But Thomas ... I still don't understand the attack that you say can be made against DNSSEC-signed domains. Here's what I see, if I have a .COM domain:
1. I sign my domains and generate a DS record.
2. I upload the DS record to my registrar who passes the DS record up to the .COM registry.
Now, when someone does DNSSEC validation on my DNS records, they wind up doing this process:
1. Going through the DNS process to get my DNS records as well as the DNSKEY and RRSIGs.
2. Following the chain of DS records up to the .COM registry and on up to the root of DNS... being able to validate along the way the integrity of the records.
Where do world governments get to interfere here?
If a govt were able to manipulate the TLD registry the best they could do would be to point my domain to some other name servers that weren't mine... is THAT the attack you see? I seriously would like to understand.
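As an added example, not code from this thread or from any DNS software, here is the delegation check behind the validation steps listed above, written in Python against the DS record definition in RFC 4034. The zone name and key bytes are constructed placeholders (a real DNSKEY carries an RSA, ECDSA or EdDSA public key); the flag, algorithm and digest-type numbers are the IANA-assigned ones. The `demo()` function walks the scenario in the question: a legitimate key validates, a key served by substituted name servers does not, and it validates again only once the DS in the parent zone is rewritten.

```python
"""Added example: the per-delegation DS check of DNSSEC validation (RFC 4034).

The parent zone publishes a DS record that is a hash of the child's DNSKEY;
a resolver accepts the child's key only if it hashes to that DS. Every key
and name below is a constructed placeholder, not real zone data.
"""
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    length-prefixed, terminated by the root label (a zero byte)."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK with SEP bit, 256 = ZSK), protocol
    (always 3), algorithm number, then the raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a checksum used to pick the right key,
    not a security property."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA).
    Digest type 2 is SHA-256; type 1 (SHA-1) is only kept for legacy records."""
    if digest_type == 2:
        return hashlib.sha256(name_to_wire(owner) + rdata).digest()
    if digest_type == 1:
        return hashlib.sha1(name_to_wire(owner) + rdata).digest()
    raise ValueError(f"unsupported DS digest type {digest_type}")


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """The DS record a zone owner hands to the registrar (step 2 above)."""
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": digest_type,
        "digest": ds_digest(owner, rdata, digest_type),
    }


def validates_at_delegation(owner: str, rdata: bytes, parent_ds: dict) -> bool:
    """The resolver's check at one delegation: the child's DNSKEY must hash to
    the DS the parent serves. Tag and algorithm only select the candidate key;
    the constant-time digest comparison is the actual check."""
    if key_tag(rdata) != parent_ds["key_tag"] or rdata[3] != parent_ds["algorithm"]:
        return False
    expected = ds_digest(owner, rdata, parent_ds["digest_type"])
    return hmac.compare_digest(expected, parent_ds["digest"])


def demo() -> tuple:
    """Walks the scenario from the question for a constructed zone.
    Returns (legit_key_ok, swapped_key_ok, swapped_key_ok_after_registry_edit)."""
    zone = "example.com."  # constructed placeholder zone
    # Constructed placeholder key bytes; algorithm 13 = ECDSAP256SHA256.
    owner_key = dnskey_rdata(257, 3, 13, b"\x01" * 32)
    intruder_key = dnskey_rdata(257, 3, 13, b"\x02" * 32)

    ds_at_registry = make_ds(zone, owner_key)  # what .COM publishes for the zone

    legit_ok = validates_at_delegation(zone, owner_key, ds_at_registry)
    # Pointing the delegation at other name servers is not enough on its own:
    # their DNSKEY does not hash to the DS the parent holds.
    swapped_ok = validates_at_delegation(zone, intruder_key, ds_at_registry)
    # The DS itself lives in the parent zone. If the parent's DS is replaced
    # with one for the substituted key, the chain validates again, so the
    # parent (registry) is where the trust actually sits.
    ds_rewritten = make_ds(zone, intruder_key)
    swapped_after_edit = validates_at_delegation(zone, intruder_key, ds_rewritten)
    return legit_ok, swapped_ok, swapped_after_edit


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The same check is repeated at every level of the chain (root DS for .COM, .COM DS for the zone), which is why the trust anchor you configure for the root, and whoever can edit each parent zone, bound what validation can tell you.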
Your "1. Going through the DNS process" starts with records the USG controls! Yes, "the best they could do" would be to defeat the entire system. What do you think happens in a TLS MITM? The USG isn't trying to sign your keys and publish your addresses!
This is not, of course, the only problem with DNSSEC. It's also an archaic 1990s cryptosystem built around 1024-bit PKCS1v15 RSA, which by default makes every DNS record in the system public, trivially dramatically amplifies DNS traffic, and does all this without actually securing DNS lookups from browsers, which still run the old insecure DNS protocol to talk to DNSSEC-enabled caches.
It's a silly system, has been since the USG paid TIS to design it in the 1990s, is nearing two decades delayed, and isn't going to happen. Look at what Chris Palmer from Google has to say about it. Whatever the opposite of "betting on it" is, that's what Chromium is doing with DNSSEC. We should get to work designing a modern alternative.
> In a filing with the European Union, French authorities declared in an emergency procedure its intentions to block "at domain level" access to sites the French government deems to be in breach of its law.