This makes absolutely no sense to me. DNSSEC is a forklift upgrade of a key piece of the architecture of the Internet. We should incur that cost so that all of the most popular sites on the Internet will end up with the USG as their CA? And that's "orders of magnitude" better than what we have now?


Today, for a .com, there are a large number of CAs (let's call it 100?) that can sign a cert. Additionally the registrar or the registry (VeriSign) can change NS and DS records due to a US court order (or otherwise) and the new destination could get a domain control validated certificate.

If DANE were adopted and the current CA system abolished, then the registrar or the registry could still change the NS and DS records to takeover a domain, but that takes us from 100+ parties capable of signing a cert to 2 parties that are already part of the system.
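As an added illustration of what the DS record discussed above actually pins (this is example code written for this page, not from any commenter): the parent zone (here the .com registry) publishes a DS record that is a hash over the child's DNSKEY, so whoever controls the DS record controls which key validators trust for the child zone. The functions below build a DS RDATA from a DNSKEY per RFC 4034 (digest over canonical owner name plus DNSKEY RDATA; key tag per Appendix B) and check a candidate DNSKEY against a published DS. The key bytes and the domain name are constructed for the demonstration, not real zone material.

```python
"""Compute and verify a DNSSEC DS record from a DNSKEY (RFC 4034 section 5 and
Appendix B). Added example for this thread; all key material is constructed."""
import hashlib
import hmac
import struct

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed key bytes standing in for two Key Signing Keys (not real keys):
# the zone owner's KSK and a second KSK a party controlling the delegation
# might try to substitute.
LEGIT_KSK = bytes(range(32))
ROGUE_KSK = bytes(range(32, 64))


def owner_name_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of a domain name: length-prefixed
    labels ending in a zero byte. 'Example.COM.' -> b'\\x07example\\x03com\\x00'."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit checksum-style sum over the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey: bytes, digest_type: int = 2) -> dict:
    """Build the DS RDATA the parent publishes for this child DNSKEY:
    digest = H(canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    h = DIGEST_ALGS[digest_type]()
    h.update(owner_name_wire(owner))
    h.update(rdata)
    return {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": digest_type,
        "digest": h.hexdigest().upper(),
    }


def ds_matches(owner: str, ds: dict, flags: int, protocol: int,
               algorithm: int, pubkey: bytes) -> bool:
    """Does this DNSKEY hash to the published DS? Mirrors what a validator does
    when it walks from the parent's DS to the child's DNSKEY RRset."""
    if ds["algorithm"] != algorithm:
        return False
    cand = make_ds(owner, flags, protocol, algorithm, pubkey, ds["digest_type"])
    if cand["key_tag"] != ds["key_tag"]:
        return False
    return hmac.compare_digest(cand["digest"], ds["digest"])


if __name__ == "__main__":
    # Flags 257 = zone key + SEP (a KSK); algorithm 13 = ECDSA P-256/SHA-256.
    published = make_ds("example.com.", 257, 3, 13, LEGIT_KSK)
    print("DS published by parent:", published)
    print("owner's KSK validates:", ds_matches("example.com.", published, 257, 3, 13, LEGIT_KSK))
    print("substituted KSK validates:", ds_matches("example.com.", published, 257, 3, 13, ROGUE_KSK))
```

The point the comment makes falls out directly: the substituted key fails against the published DS, but a party that can rewrite the DS record at the registry simply publishes `make_ds(...)` of its own key, and validators will accept it. No child-zone signing can detect that, which is why the parent's DS (and the NS delegation beside it) is the real trust anchor for the domain.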


It is. The trifecta of three letter agencies can expropriate and generate valid certificates for .com domains today. But they can't do this for most of the other TLDs.

No cryptography in the world can protect you from a fully legal domain transfer. So, who better to be your CA than the registrar who has this power anyway?


Also, not a "forklift upgrade". The work is done. DNSSEC is live.

Your resolver probably already supports it. Your TLD probably already publishes the records.
