Mis-Issued Certificates for 1.1.1.1 DNS Service Pose a Threat to the Internet

I would caution against generalizing from the actions of a CA that only Microsoft is willing to trust. This incident says way more about Microsoft's mismanagement of their root store than it does about the WebPKI security model.

Also, DNSSEC tampering is no more obvious than WebPKI tampering (how would anyone know if Verisign served a rogue DS record for someone's .com domain to certain resolvers?). Just as with WebPKI, you need a transparency system if you want to make tampering discoverable. (Such a transparency system has been proposed for DNSSEC but went nowhere.)

It does sometimes feel like lack of secure chain DNS, however exactly implemented, is one of the original sins of the modern internet that has caused a lot of headaches and layers upon layers of bandaids ever since. Doesn't mean it'll ever be solved of course, the legacy support issue at this point is pretty brutal. But DNS has already effectively ended up as the root of trust for a lot of auth anyway, if an attacker somehow gets access to someone's registrar account they can from there trivially bootstrap. Rather than so many root CAs that can also issue certs for any domain, seems like it'd be pretty nice if we could just depend on DNS and then have an "authorizedCA" record or whatever and stick any public certs(s) in their the domain owner desired. Could be a 3rd party, could be their own CA, but the only CAs that could issue a cert for that domain would be the one's the domain owner wanted which is how it's supposed to be anyway right?

Ah well.