Comment Re:Perhaps we need to validate the CAs? (Score 1) 144
Yes, this is one of the reasons why DNSSEC holds such promise. It doesn't even need new records or extensions. The CERT, IPSECKEY, and SSHFP records have existed for years but haven't been used since they weren't really useful before DNS was secure. Those three can be used to secure nearly anything you might want, with CERT being the catch-all record that can store web, email, or any other certificate. Since DNS is the system that is charged with knowing who a name is, it makes a lot of sense to put the trust there in a single place, rather than the large number of certificate authorities that it seems are not always trustworthy.
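The SSHFP record the comment mentions is the simplest of the three to see working end to end: it stores a hash of the host's public key in DNS (RFC 4255, with SHA-256 and Ed25519 added by RFC 6594 and RFC 7479), and an SSH client that trusts DNSSEC can check the presented host key against it instead of asking the user to accept an unknown fingerprint. The following is an added example, not code from the comment or from OpenSSH: it builds the SSHFP RDATA for an OpenSSH public-key line the way `ssh-keygen -r` does and checks a presented key against a set of zone records. The host key and the "zone" records are constructed inline for the demonstration (the key is a fixed 32-byte value, not a real host's key), and the function and constant names are this example's own.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255 / RFC 6594 / RFC 7479) keyed by the
# OpenSSH key-type token, and the fingerprint types the record may carry.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


def parse_openssh_pubkey(line: str):
    """Split 'type base64blob [comment]' into (key type, raw key blob).

    The type embedded inside the blob must equal the leading type token;
    a line whose two disagree is rejected rather than silently trusted.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed OpenSSH public key line")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type token does not match key blob")
    return keytype, blob


def sshfp_rdata(line: str, fptype: int = 2) -> str:
    """Return the SSHFP RDATA text 'alg fptype hexdigest' for a public-key line.

    The digest is over the raw key blob (the base64-decoded field), which is
    exactly what `ssh-keygen -r` hashes.
    """
    keytype, blob = parse_openssh_pubkey(line)
    alg = SSHFP_ALGORITHMS[keytype]
    digest = SSHFP_FPTYPES[fptype](blob).hexdigest()
    return f"{alg} {fptype} {digest}"


def host_key_matches_sshfp(line: str, records) -> bool:
    """True iff at least one SSHFP record matches the presented host key.

    Records are compared field by field (algorithm, fingerprint type, hex
    digest, case-insensitive); malformed or unknown-type records are skipped.
    """
    keytype, blob = parse_openssh_pubkey(line)
    alg = SSHFP_ALGORITHMS.get(keytype)
    if alg is None:
        return False
    for rec in records:
        fields = rec.split()
        if len(fields) != 3:
            continue
        r_alg, r_fptype, r_hex = int(fields[0]), int(fields[1]), fields[2].lower()
        if r_alg != alg or r_fptype not in SSHFP_FPTYPES:
            continue
        if SSHFP_FPTYPES[r_fptype](blob).hexdigest() == r_hex:
            return True
    return False


# Constructed sample Ed25519 host key (NOT a real host's key). The OpenSSH
# blob for ed25519 is string("ssh-ed25519") || string(32-byte public key).
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_HOST_KEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " host.example"

# A substituted key (one byte differs), as a man-in-the-middle would present.
EVIL_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes([1]) + bytes(range(1, 32)))
EVIL_HOST_KEY_LINE = "ssh-ed25519 " + base64.b64encode(EVIL_BLOB).decode()

# Constructed zone content: the two records the operator would publish for
# host.example (SHA-256 and SHA-1 fingerprints of the same key).
ZONE_SSHFP = [sshfp_rdata(SAMPLE_HOST_KEY_LINE, 2), sshfp_rdata(SAMPLE_HOST_KEY_LINE, 1)]


if __name__ == "__main__":
    for rec in ZONE_SSHFP:
        print("host.example. IN SSHFP", rec)
    print("genuine key accepted:", host_key_matches_sshfp(SAMPLE_HOST_KEY_LINE, ZONE_SSHFP))
    print("substituted key accepted:", host_key_matches_sshfp(EVIL_HOST_KEY_LINE, ZONE_SSHFP))
```

The records printed are in the same form `ssh-keygen -r host.example -f key.pub` emits, and an OpenSSH client with `VerifyHostKeyDNS yes` performs the same comparison. The caveat that ties this back to the comment's point: the check is only as strong as the DNS answer, so the client must insist that the resolver validated the record with DNSSEC (OpenSSH treats an SSHFP answer as trusted only when the resolver flags it as authenticated, and otherwise still prompts). Without that, an attacker who can spoof DNS simply publishes a fingerprint for the key they are presenting.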