A counter-argument would be that DNSSEC is like PKI with name constraints done properly, and with most domains being children of TLDs, there are really only two entities that can MITM them: the root and the TLD registrars. Therefore the risk of dishonest "CAs" is lower for DNSSEC than it is for PKI.

I've seen skepticism about CT along the lines of "who will pay?" and "it's just another tax". I don't think that should be dismissed out of hand. But I do think that in the long run we should do anything that we can do and that is economical (very important, that) to make it easier to at least catch misbehaving CAs/registrars/... The jury is still out as to whether CT will be economical, right?

Nico

--
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
