unless you require all DANE-obtained TLS certificates to be in Certificate Transparency logs just like CA-issued TLS certificates

In theory, one could require all DNSSEC signatures to be logged that way. Revocation remains a concern. At least there's some inherent limitation of scope, whereas most public Certificate Authorities can issue for any domain.

If a TLD had its DNSSEC environment completely compromised, does anyone think it would be removed from global DNS, the way DigiNotar was removed from global trust? … One of the reasons that Certificate Authorities can be distrusted is that what they do is limited and you can replace one with another. This isn't true for DNS and TLDs.

I think we have "too large to fail" situations either way. For example, it'll be less disruptive to remove the .io domain entirely than to distrust Let's Encrypt. (People aren't gonna go back to paying for certificates, and while there are other free providers, there are reports of "shady" behavior from some—such as charging for revocation or renewal.)

Anyway, if a domain registry gets compromised, there are going to be a lot of seemingly legitimate certificates issued in error, from many CAs. Do we have any practical mechanism for a mass revocation under such circumstances?

The current CA/Browser Forum baseline requirements require free revocation (by requiring CAs to promptly revoke compromised certificates that they're notified about, and I expect browsers would be extremely unimpressed if a CA refused to accept notifications; there may even be a CAB requirement for it). Let's Encrypt and other parties are working on things that would be necessary for mass revocation, such as the ability for clients to proactively check if the CA wants them to renew right now.

Ah, well, that's all very good news then. Perhaps that requirement was a response to exactly what I mentioned. I still feel like revoking Let's Encrypt would be technically and socially impractical; site operators wouldn't know who to switch to, or how, and stuff would just fall apart. The DigiNotar thing wasn't entirely smooth, and they were not nearly as ubiquitous.

Historically, people have believed that the Certificate Revocation List mechanism would just fall apart if they grew to millions of entries. I know browser vendors were working on some "minimized" version, with sharding and such, but I don't know whether we're there yet.

I'm curious in what way you would expect discovery of mailservers for a domain to be different if it were designed today.

My first thought went to SRV records or perhaps /.well-known HTTP endpoints, but I'm curious if you had something else in mind.

My off the cuff version of mail discovery is that it would be one of two things:

• something like SRV records in DNS, but then you'd have to require that the target mail servers be able to present a TLS server certificate for the original mail domain when you asked (with SNI). So there would be a mail SRV for 'example.org' and when you contacted one of those hosts for SMTP delivery, it would have to present an example.org TLS certificate to you before you'd deliver email.

• a /.well-known endpoint that you queried over HTTPS (not HTTP) at the email domain, so https://example.org/.well-known/... would tell you what host to deliver email to, and then you'd require that host to have a valid TLS certificate in its own name.

  (This endpoint could give you a TTL/valid-to value in its response so you could cache it.)

My security goal for both of these is to make it so that inserting or altering the DNS data your mail sending machine sees is not enough for an attacker to divert your email to me to their mail server; it either goes to mine or it fails TLS certificate checks somewhere.

I think that the second version would be more popular because it means that you don't need to have a high-value 'example.org' TLS certificate in so many places. You can leave it only on your website and then have specific TLS certificates on your receiving hosts.