
How much more centralized does DNSSEC make the Internet? It's already bad enough that people are calling for mandatory TLS for all websites (though with free certs from the EFF/mozilla that will be a bit less painful) but if I want to have my own DNS root, or play by my own rules on the net, will running my own infrastructure be harder with DNSSEC?



Yes. If a CA egregiously misbehaves today, Google can kneecap it with an update to Chrome, and end-users can remove it from their configuration entirely (this should be easier to do, by the way, and there's no technical reason it can't be).

If the signers for .LY or .COM misbehave, nobody has any solid recourse. .COM's role in the post-DANE certificate hierarchy is baked into the fabric of the Internet.

DNSSEC represents a massive move towards centralization of Internet trust, which is a baffling thing to get behind in 2015.


Isn't the signer for .com the same as the owner of .com, so if they misbehave then your DNS resolution could be broken regardless of DNSSEC?


If you add DANE in the mix, they can set any certificate as trusted for your domain (if clients don't require it to be also signed by a trusted CA). So they can't just redirect your domain somewhere else, they can also feed clients "trustworthy" certs for the new target.
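An added example, not from any commenter or project, of what the "set any certificate as trusted" point rests on: the TLSA usage field in DANE (RFC 6698). Usage 3 (DANE-EE) accepts a certificate on the zone's word alone, while usage 1 (PKIX-EE) additionally requires the certificate to validate against the client's CA store; the certificate bytes below are a constructed DER shell with the shape of an X.509 certificate rather than a real signed certificate, and the `pkix_valid` flag stands in for running path validation.

```python
import hashlib
def der_tlv(tag, body):
    """Encode one DER TLV (lengths below 65536 are enough for this example)."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def der_children(buf):
    """Return [(tag, body), ...] for the TLVs laid end to end in buf."""
    out, i = [], 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                              # long form: low bits give the length's byte count
            nb = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + nb], "big"), i + nb
        out.append((tag, buf[i:i + ln]))
        i += ln
    return out

def spki_of(cert_der):
    """SubjectPublicKeyInfo TLV of an X.509 DER certificate (what TLSA selector 1 covers)."""
    tbs_body = der_children(der_children(cert_der)[0][1])[0][1]
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                       # explicit [0] version present: skip it
        fields = fields[1:]
    tag, body = fields[5]                          # serial, sigalg, issuer, validity, subject, SPKI
    return der_tlv(tag, body)

def tlsa_assoc_data(cert_der, selector, matching_type):
    """TLSA 'certificate association data' per RFC 6698 for one certificate."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    return data if matching_type == 0 else {1: hashlib.sha256, 2: hashlib.sha512}[matching_type](data).digest()

def tlsa_accepts(usage, selector, matching_type, assoc, cert_der, pkix_valid):
    """Usage 1 (PKIX-EE) also needs PKIX validation; usage 3 (DANE-EE) trusts the zone alone."""
    if usage not in (1, 3):
        raise NotImplementedError("CA-constraint usages 0 and 2 need the full chain")
    if tlsa_assoc_data(cert_der, selector, matching_type) != assoc:
        return False
    return pkix_valid if usage == 1 else True

def fake_cert(key_bytes):
    """Constructed DER with the shape of a v3 certificate; not a real, signed certificate."""
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")
    name, when = der_tlv(0x30, b""), der_tlv(0x17, b"150101000000Z")
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + key_bytes))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + name + der_tlv(0x30, when + when) + name + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 9))
```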


Sure, but without DANE, they can get a domain validated certificate quickly from any number of CAs that your clients probably already trust.

(edit) I understand DANE puts explicit trust on the registry, registrar, and the DNS root; but given the common use of domain validated certificates, that trust is already there, and I think it is better to have it explicit. Also, there are fewer parties to watch out for: the Belgium Root CA can issue a cert for my domain, but Belgium is unlikely to compel my registry/registrar unless I've chosen to have a .be domain. (My apologies to Belgium Root, if they're not affiliated with the government of Belgium)

Also, I don't think cert issuance can scale without domain validation or a large expense.


Coincidentally, VeriSign (responsible for DNSSEC for the root zone and .com) also runs a major CA in the existing CA infrastructure. Even worse, it is such a major player that removing it from the certificate store would invalidate the certificates from a huge amount of sites and it would be impossible for a browser to remove them without breaking a significant part of the internet. Thus while the situation is horrible now, it won't get any worse with DANE.


Verisign controls .com and is on pretty much every root CA list, so they can do what you describe today, no DANE required.


Do you not see a problem with a massive deployment of new crypto infrastructure that leaves Verisign in cryptographic control of any site in .COM?


Oh, I definitely do. I was just trying to say that Verisign could already do a similar attack even without DANE. As controllers of .com they could easily redirect example.com to an evil server, and as a root CA they could give the evil server an EV certificate for example.com.

If anything, I suppose that should be an argument against consolidating DNS and TLS powers into single entities, which is exactly what DNSSEC and DANE do.


Relying on Google to mitigate problems sounds a lot like centralization to me.


There are in fact organizations that scrupulously audit the certificates in all browsers/cert stores in their organization. One I know of is etsy.


Here is a reference well worth reading about how they approach security: http://www.slideshare.net/zanelackey/attackdriven-defense


Wow. That’s hardcore.



