
> How is a registrar holding your keys in any aspect better than WebPKI right now?

You can use both DNSSEC and HTTPS. And actually, if your registrar and hosting provider are the same (e.g. Cloudflare, AWS), they might hold your keys anyway.



> And actually, if your registrar and hosting provider are the same (e.g. Cloudflare, AWS), they might hold your keys anyway.

Sure, but you have the ability to choose if they're the same or not. Although an untrustworthy registrar right now would be quite bad, it wouldn't trivially compromise the security of your WebPKI TLS connections. One would not be able to say the same if we had deployed and built everything on top of DNSSEC+DANE.



