Comment Re:Good. +1 for Google. (Score 1) 176
Who decides who "example.com" is? A collection of CAs or the person who gets the money for adding the NS entry for example.com? You may have existential angst over this, but at a practical level the registrar is going to be intimately involved in deciding who owns your domain and will have a de facto ability to spoof that, cut you off, or do other bad things. The question is whether they can do any of this stealthily. One nice thing about DANE is that you can actually monitor the records which are being provided to ensure that people are getting the correct records (doing this right would mean either having a number of test locations or hiring a third-party provider that does this as a service). This is in contrast to the CA model, in which you don't know that someone is presenting a bogus cert unless you're Google and you get to instrument everybody's browser.
As for the price, you misunderstand. Paying more certainly doesn't guarantee quality, but not paying certainly guarantees that a provider won't implement expensive controls. If you need a highly secure domain in the DNSSEC scheme, then you want a registrar that will implement things like out-of-band verification of changes, multi-party controls on their end to prevent unauthorized changes, routine auditing, etc. That will cost more than getting a domain from a registrar that doesn't provide those services. You're probably going to be using a registrar that has a low enough volume that they can actually inspect changes to a degree impossible if you support automated bulk registrations (so the costs are spread over fewer customers). The neat thing is, you get to decide what you need--there's no good reason why my vanity domain needs the same level of security as microsoft.com. If you're on the really high end, I'd expect that you'd actually third-party audit the registrar to make sure that they're doing the things they say they are. (That also won't be free.) But at least there would be economic incentives to do all of these things, unlike the current regime where there's no effective difference between a $100k VeriSign EV cert and a free StartSSL cert.
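
The DANE monitoring idea from the comment above, sketched as an added example that is not part of the original comment: compare the TLSA records each test location receives against the set the domain owner published. The vantage names and sample data are constructed, and the DNSSEC-validated lookups themselves are assumed to happen elsewhere and be fed in as strings.

```python
import hashlib

def tlsa_rdata(cert_der, usage=3):
    """TLSA RDATA for selector 0 (full certificate), matching type 1 (SHA-256)."""
    return f"{usage} 0 1 {hashlib.sha256(cert_der).hexdigest()}"

def normalize(rdata):
    """Canonicalize presentation-format RDATA: hex may be split by spaces or upper-case."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError(f"malformed TLSA RDATA: {rdata!r}")
    usage, selector, mtype = (int(p) for p in parts[:3])
    digest = "".join(parts[3:]).lower()
    bytes.fromhex(digest)  # raises ValueError on non-hex data
    return f"{usage} {selector} {mtype} {digest}"

def audit(expected, observations):
    """Compare each vantage point's answer with the published record set.

    observations maps vantage name -> list of RDATA strings, or None when
    that vantage got no DNSSEC-validated answer.
    """
    want = {normalize(r) for r in expected}
    report = {}
    for vantage, records in observations.items():
        if records is None:
            report[vantage] = "no-answer"
            continue
        got = {normalize(r) for r in records}
        if got - want:
            report[vantage] = "unexpected"   # a record the owner never published
        elif want - got:
            report[vantage] = "incomplete"   # stale cache or stripped record
        else:
            report[vantage] = "ok"
    return report

# Constructed sample data: placeholder bytes stand in for certificate DER.
CURRENT = tlsa_rdata(b"constructed-current-cert")
NEXT = tlsa_rdata(b"constructed-rollover-cert")
ROGUE = tlsa_rdata(b"constructed-unknown-cert")
digest = CURRENT.split()[3].upper()
OBSERVED = {
    "vantage-a": [CURRENT, NEXT],
    "vantage-b": [f"3 0 1 {digest[:32]} {digest[32:]}", NEXT],
    "vantage-c": [CURRENT, ROGUE],
    "vantage-d": [CURRENT],
    "vantage-e": None,
}

if __name__ == "__main__":
    for vantage, status in audit([CURRENT, NEXT], OBSERVED).items():
        print(f"{vantage}: {status}")
```
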