RIP HPKP: Google abandons public key pinning

streaky

Re: Still waiting for DANE

It's worse than that: one of the strongest perceived threats to crypto security is state actors (well, it's not perceived, it's a fact), and state actors in most cases will have far more ability to screw with DNS than anything else.

There's a moral hazard here though: securing PKI this way calls PKI's existence into question. If a domain owner can specify keys for sites it operates, and DNS is cryptographically secured in terms of data content (records signed by the domain controller, as opposed to the DNS provider), then PKI providers will probably face questions about the necessity of their continuing to exist. Security of DNS records would be the prime concern of domain registrars and DNS providers, but when DNS is secured properly and you can specify any key and it's equally as secure as PKI infrastructure would otherwise be (and arguably more so), then they're going to have an issue. That's why I expect never to actually see a secure DNS system: because it's not in the cert authorities' best interest to secure it.
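The mechanism streaky is describing (a domain owner publishing its own key in DNS, and a client trusting that key only because the DNS answer is signed) is DANE's TLSA record from RFC 6698. The following is an added illustration, not code from the comment or from The Register: it builds a TLSA record in presentation format from a certificate or its SubjectPublicKeyInfo, parses it back, and matches it against what a server presented. The certificate and SPKI bytes are constructed placeholders, not real DER; a real client would take them from the TLS handshake and would get the `dnssec_validated` flag from a validating resolver (the AD bit or a local validator), which is exactly the piece the comment says is unlikely to be deployed.

```python
import hashlib
import hmac

# TLSA certificate usages (RFC 6698 section 2.1.1). Usages 0 and 1 still require
# the CA chain to validate; 2 and 3 trust the DNS-published data directly.
# Usage 3 (DANE-EE) is the "domain owner specifies the key" case from the comment.
DANE_EE = 3

# Constructed stand-ins for a certificate and its SubjectPublicKeyInfo.
# These are NOT real DER; a client would take both from the TLS handshake.
SAMPLE_CERT_DER = b"constructed-cert-der-bytes-not-a-real-certificate"
SAMPLE_SPKI_DER = b"constructed-spki-der-bytes-not-a-real-public-key"


def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching_type: int) -> bytes:
    """Build the Certificate Association Data field (RFC 6698 section 2.1.4)."""
    if selector == 0:
        chosen = cert_der        # full certificate
    elif selector == 1:
        chosen = spki_der        # SubjectPublicKeyInfo only (survives cert renewal with the same key)
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching_type == 0:
        return chosen            # exact match on the raw bytes
    if matching_type == 1:
        return hashlib.sha256(chosen).digest()
    if matching_type == 2:
        return hashlib.sha512(chosen).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_tlsa_record(cert_der: bytes, spki_der: bytes, usage: int = DANE_EE,
                     selector: int = 1, matching_type: int = 1) -> str:
    """Render TLSA RDATA in presentation format, e.g. '3 1 1 <hex digest>'."""
    data = association_data(cert_der, spki_der, selector, matching_type)
    return f"{usage} {selector} {matching_type} {data.hex()}"


def parse_tlsa_record(rdata: str):
    """Split presentation-format RDATA into (usage, selector, matching_type, data bytes)."""
    usage, selector, matching_type, hexdata = rdata.split(None, 3)
    # Presentation format may break the hex field across whitespace.
    return int(usage), int(selector), int(matching_type), bytes.fromhex(hexdata.replace(" ", ""))


def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes, dnssec_validated: bool) -> bool:
    """True only if the record was DNSSEC-validated and the presented end-entity matches it.

    Only usage 3 (DANE-EE) is modelled here; usages 0-2 additionally need
    PKIX chain or trust-anchor checks that this example does not perform.
    """
    if not dnssec_validated:
        # An unsigned TLSA answer can be forged by anyone who controls the DNS path,
        # which is the commenter's point about state actors and DNS.
        return False
    usage, selector, matching_type, expected = parse_tlsa_record(rdata)
    if usage != DANE_EE:
        return False
    presented = association_data(cert_der, spki_der, selector, matching_type)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    record = make_tlsa_record(SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print("published:", record)
    print("match (signed):  ", tlsa_matches(record, SAMPLE_CERT_DER, SAMPLE_SPKI_DER, True))
    print("match (unsigned):", tlsa_matches(record, SAMPLE_CERT_DER, SAMPLE_SPKI_DER, False))
    print("match (wrong key):", tlsa_matches(record, SAMPLE_CERT_DER, b"other-key", True))
```

The defaults (`3 1 1`) are the common DANE-EE form: SHA-256 over the SPKI, so the operator can reissue certificates without touching DNS as long as the key stays the same. The `dnssec_validated` gate is not optional decoration; without a validating resolver the TLSA record gives no more assurance than the unauthenticated DNS that the comment is worried about.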
