The point is not that DANE doesn't make things worse. The point is that it is not a solution. Originally, DANE was meant as a method to restrict rogue CAs from issuing certificates. The fact that state actors can still do that after DANE makes DANE a bad solution.
The US Government is and should be the root of trust for US domains (certainly for .us, and de facto that's become the use of .com too). Since the US government can compel any US entity to follow secret orders, if you don't trust the US government you already couldn't use any US sites. DANE improves things compared to not, since it means you don't have to trust the US government if you're not using US sites, you don't have to trust the Chinese government if you're not using Chinese sites, you don't have to trust the government of Kazakhstan if you're not using Kazakh sites...
I am a Dutch citizen and have a .nl domain.
Yet, that does not mean I am OK with the Dutch government issuing invalid certificates for my website.
True, it's an improvement that only the Dutch government can do this, and not the Hong Kong post office. On the other hand, it is a major downside that we are encoding the possibility of government dragnet surveillance.
In the end, certificate transparency logs will let me notice whenever anyone issues a certificate for my website.
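Added example, not written by any poster in this thread, showing what DANE actually encodes in DNS and why the trust argument above turns on who controls the zone: a TLSA record pins a hash of the site's certificate or public key (RFC 6698), so a certificate from a rogue CA fails the match unless whoever controls the zone (and its DNSSEC keys) rewrites the record. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders standing in for real DER, and only the association-data comparison is implemented; PKIX chain validation for usages 0 and 1 is left to the caller.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed placeholders for DER-encoded material. In a real client these
# come from the TLS handshake (the certificate) and from parsing its
# SubjectPublicKeyInfo; here they are just distinct byte strings.
SITE_CERT_DER = b"constructed: end-entity cert for example.nl, key A"
SITE_SPKI_DER = b"constructed: SubjectPublicKeyInfo of key A"
ROGUE_CERT_DER = b"constructed: cert for example.nl from a rogue CA, key B"
ROGUE_SPKI_DER = b"constructed: SubjectPublicKeyInfo of key B"


@dataclass(frozen=True)
class TLSARecord:
    usage: int     # RFC 6698: 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse TLSA presentation format, e.g. '3 1 1 <hex digest>'."""
    usage, selector, matching, hexdata = rdata.split(None, 3)
    rec = TLSARecord(int(usage), int(selector), int(matching),
                     bytes.fromhex(hexdata.replace(" ", "")))
    if rec.usage not in (0, 1, 2, 3) or rec.selector not in (0, 1) \
            or rec.matching not in (0, 1, 2):
        raise ValueError("unknown TLSA usage/selector/matching value")
    return rec


def association_data(selector: int, matching: int,
                     cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the bytes a TLSA record must carry for this certificate."""
    selected = cert_der if selector == 0 else spki_der
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def make_tlsa(usage: int, selector: int, matching: int,
              cert_der: bytes, spki_der: bytes) -> str:
    """What the zone operator publishes to pin this certificate."""
    data = association_data(selector, matching, cert_der, spki_der)
    return f"{usage} {selector} {matching} {data.hex()}"


def tlsa_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one certificate against a TLSA record.

    Only the association-data check is done here. Usages 0 and 1 additionally
    require normal PKIX chain validation, and for usages 0 and 2 the candidate
    is a CA certificate from the chain rather than the end-entity certificate;
    the caller is responsible for both.
    """
    expected = association_data(rec.selector, rec.matching, cert_der, spki_der)
    return hmac.compare_digest(expected, rec.data)


def rogue_ca_scenario() -> dict:
    """Walk through the thread's argument with a DANE-EE (3 1 1) record."""
    zone_record = parse_tlsa(make_tlsa(3, 1, 1, SITE_CERT_DER, SITE_SPKI_DER))
    results = {
        # The site's own key matches the pin published in its zone.
        "legitimate cert": tlsa_matches(zone_record, SITE_CERT_DER, SITE_SPKI_DER),
        # A rogue CA can issue for the name, but without control of the zone
        # its certificate fails the DANE check: this is what DANE was for.
        "rogue cert, zone untouched": tlsa_matches(zone_record, ROGUE_CERT_DER, ROGUE_SPKI_DER),
    }
    # Whoever controls the zone can simply re-pin to the rogue key, which is
    # the residual trust in the registry and its DNSSEC chain discussed above.
    repinned = parse_tlsa(make_tlsa(3, 1, 1, ROGUE_CERT_DER, ROGUE_SPKI_DER))
    results["rogue cert, zone re-pinned"] = tlsa_matches(repinned, ROGUE_CERT_DER, ROGUE_SPKI_DER)
    return results


if __name__ == "__main__":
    for case, ok in rogue_ca_scenario().items():
        print(f"{case}: {'match' if ok else 'no match'}")
```

The three outcomes are the whole debate in miniature: the record stops a CA acting alone, and does nothing against the party that publishes the record.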
> it is a major downside that we are encoding the possibility of government dragnet surveillance.
Quite the opposite; DANE makes it possible to have a TLD that opts out of giving national governments access to it. Most existing TLDs are controlled by governments, but that doesn't have to be how it is.