
My understanding of what happened and what you're talking about is that the antidote to this problem was yet another continuity mechanism, like pinning and HSTS; it doesn't protect first connections, and is a contraption.

To a first approximation, DANE is essentially a browser protocol. Obviously, things besides browsers speak TLS, but browsers are the overwhelming primary audience. If the browsers don't want to do DANE, that's a very strong signal.

Sorry, I have more to say about this.

I feel like there's a general attitude among some IETF people and DANE bystanders (especially people from the European DNS community) that browsers are arbitrary, capricious gatekeepers of how TLS works; that we could have working DANE everywhere but for lazy browser people who don't want to work through the deployment drama, maybe?

But that overlooks the fact that the Web PKI is a partnership between the browsers (the root programs in particular) and the PKI providers. Neither side is working entirely on its own, both sides are sort of intensely engaged with each other. We have the Web PKI we have now, with free automated issuance, transparency, and toothy CA revocation, because of a real (if fraught) partnership.

Nothing like that appears to exist in the DNS community? Tell me I'm wrong. Why should I believe any of this would work?


