ysleepy 3 months ago

That only works for high profile domains, a CA can just issue a cert, log it to CT and if asked claim they got some DNS response from the authoritative server. Then it's a he said she said problem.

Or is DNSSEC required for DV issuance? If it is, then we already rely on a trustworthy TLD.

I'm not saying there isn't some benefit in the implicit key mgmt oversight of CAs, but as an alternative to DV certs, just putting a pubkey in dnssec seems like a low effort win.

It's been a long time since I've done much of this though, so take my gut feeling with a grain of salt.

tptacek 3 months ago

DNSSEC isn't required by anything, because almost nobody uses it.

ryao 2 months ago

I deploy DNSSEC on all domains I administer.

tptacek 2 months ago

This isn't a contest of two vibes, one pro-DNSSEC and one anti-. You can just download the Tranco list and run a for loop over it checking for DS records. DNSSEC adoption in North America has actually fallen sharply since 2023 (though it's starting to tick back up again) and every chart you'll find shows a pronounced plateauing effect, across all TLDs --- damning because the point at which the plateau flattens is such a low percentage.
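
The "for loop over the Tranco list checking for DS records" sweep described above, written out as an added example (not code from the thread or from any commenter). It assumes the `dig` CLI is installed for live runs and treats "has at least one DS record at the parent" as the signed/unsigned signal; the domain names and the canned resolver answers below are constructed so the script can be run offline.

```python
"""Survey DNSSEC adoption over a domain list by checking for DS records.

A DS record in the parent zone is the cheapest observable signal that a
domain has opted into DNSSEC; its absence means the chain of trust stops
at the parent.  Added example; the sample data is constructed.
"""
import subprocess
import sys
from typing import Callable, Dict, List, Optional

# Constructed stand-in for a slice of the Tranco list ("rank,domain" rows).
SAMPLE_TRANCO_ROWS = [
    "1,signed.example",
    "2,unsigned.example",
    "3,timeout.example",
    "4,weird.example",
]


def domain_from_tranco_row(row: str) -> str:
    """Tranco rows are 'rank,domain'; a bare domain per line is also accepted."""
    return row.strip().split(",")[-1].strip().lower()


def parse_ds_records(text: str) -> List[dict]:
    """Parse `dig +short DS` output: one 'keytag alg digest_type digest' per line.

    Lines that do not look like DS records (e.g. stray CNAME output) are ignored,
    and a digest printed as several whitespace-separated chunks is rejoined.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            keytag, alg, dtype = int(parts[0]), int(parts[1]), int(parts[2])
        except ValueError:
            continue
        records.append({
            "keytag": keytag,
            "algorithm": alg,
            "digest_type": dtype,
            "digest": "".join(parts[3:]).upper(),
        })
    return records


def dig_ds(domain: str, timeout: float = 6.0) -> Optional[str]:
    """Live lookup via the dig CLI. Returns raw stdout, or None on any failure."""
    try:
        proc = subprocess.run(
            ["dig", "+short", "+time=2", "+tries=1", "DS", domain],
            capture_output=True, text=True, timeout=timeout, check=False,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stdout if proc.returncode == 0 else None


def classify(raw: Optional[str]) -> str:
    """'error' for a failed lookup, 'signed' if any DS record parsed, else 'unsigned'."""
    if raw is None:
        return "error"
    return "signed" if parse_ds_records(raw) else "unsigned"


def survey(domains: List[str], lookup: Callable[[str], Optional[str]]) -> Dict[str, object]:
    """Run the lookup over every domain; the adoption rate excludes lookup errors."""
    counts = {"signed": 0, "unsigned": 0, "error": 0}
    per_domain: Dict[str, str] = {}
    for domain in domains:
        status = classify(lookup(domain))
        per_domain[domain] = status
        counts[status] += 1
    answered = counts["signed"] + counts["unsigned"]
    rate = counts["signed"] / answered if answered else 0.0
    return {"counts": counts, "adoption_rate": rate, "per_domain": per_domain}


# Constructed resolver answers so the survey can be exercised with no network.
FAKE_ANSWERS: Dict[str, Optional[str]] = {
    "signed.example": "12345 13 2 0123456789ABCDEF 0123456789ABCDEF\n",
    "unsigned.example": "",            # NOERROR with no DS data
    "timeout.example": None,           # resolver did not answer
    "weird.example": "not a ds record\n",
}


def fake_lookup(domain: str) -> Optional[str]:
    return FAKE_ANSWERS.get(domain, "")


if __name__ == "__main__":
    # Usage: python ds_survey.py tranco.csv   (live, via dig)
    #        python ds_survey.py              (offline, constructed data)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            domains = [domain_from_tranco_row(r) for r in fh if r.strip()]
        result = survey(domains, dig_ds)
    else:
        result = survey([domain_from_tranco_row(r) for r in SAMPLE_TRANCO_ROWS], fake_lookup)
    print(result["counts"], "adoption_rate=%.3f" % result["adoption_rate"])
```

Two caveats worth keeping in mind when reading the numbers: a DS record only shows the parent published a delegation signer, not that the child zone validates (a stale or mismatched DS breaks resolution for validating resolvers rather than protecting anything), and lookup errors are excluded from the rate so a flaky resolver does not masquerade as missing adoption.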

ryao 2 months ago

Is that because people are uninformed or just do not care?

tptacek 2 months ago

How about option 3: they care deeply and are making a considered choice.