Re: DNSSEC
DNSSEC + DANE does seem the best route, but DNSSEC rollout is basically nonexistent (none of the major banks even use it), and DANE isn't supported by any browser - it was added to Chrome then pulled. The cynic in me says Verisign is pushing out a lot of brown envelopes to keep it that way.