
DNSSEC has the problem that you rely on root certificates as well - which are ultimately controlled by state actors. Where this goes we know already.



Well, we have a hell of a lot more transparency about where that key is, and who generated it and has access to it. There's a video of the entire ceremony online somewhere; at the moment I can only find [this summary](https://www.youtube.com/watch?v=b9j-sfP9GUU).


My critique goes more in the direction of DNSSEC being a centralized infrastructure. I didn't mean that it is easily subverted, but it's possible, especially for a US state actor. It's definitely more transparent than SSL CAs, for sure. However, for my communications I'd rather rely on an infrastructure which is independent from centralized resources.


DANE is an interesting concept for sure. Not 100% viable in the short term, but going forward we need to start thinking of a better solution. It would still be cert based and just add a layer of complexity. The cert model works; it's just controlled by the wrong people and lacks regulation.


True, we need a better way to control it. The wrong companies are becoming authorities for the wrong reasons. We at least need more transparency on the verification process. I would also like to see a public list of cert requests that failed the approval process. It could be interesting data for incident responders.



