This isn't correct, because your domain name server may be insecure even while the one used by the CA is secure. Moreover, CT helps detect misissuance but does not detect incorrect responses by your resolver.

▲

ocdtrekkie 2 days ago | parent [-]

If someone can log into your domain registrar account or your web host, they can issue themselves a complete valid certificate. It won't matter if the CA resolver is secure, because the attacker can successfully validate domain control.

	▲	ekr____ 2 days ago \| parent [-]
		Yes, that's correct. The purpose of the WebPKI and TLS is not to protect against this form of attack but rather to protect against compromise of the network between the client and the server.