1. Relying on just ICANN instead of ICANN+CA Forum would be an improvement. I assume, at least? Thinking about it though, the CA Forum setup with transparency logs and such does provide some safeguards against CA operator abuse. Those are safeguards that wouldn't be available in a DANE-only world where nameserver operators could surreptitiously inject malicious TLSA records at their whim. That could be safeguarded by DNSSEC where the domain owner does their own signing and then the nameserver operator simply serves those pre-signed records. However, that's a lot of complication. Gonna have to think about this...
2. Tbh I am not convinced of the virtues of decentralized DNS. If people use different roots in practice, then we lose the utility of a single view of names. At its most extreme, you then would not be able to reliably do things like publish a URL. However, maybe you're suggesting that DNS shouldn't be centralized with the root, but rather have a constellation of TLDs as roots? Obviously that would require shipping resolvers with hardcoded roots and wouldn't be robust when new TLDs are brought online. But maybe there'd be value in that...I'm not convinced yet though.
And [the union of CAs] not-so-silently controls TLS for the whole world. And if the transparency logs are the linchpin of trust for Web PKI, then I don't think it's too hard to imagine a system where you have a similar transparency system for zone-signing keys too.
It's in fact very difficult to imagine mandatory transparency logs in the DNS PKI. The story of how mandatory logs came to be for TLS involved Google and Mozilla putting a gun to the heads of the CA industry, after murdering several of them. Nobody can do that to the DNS, and just as importantly, governments don't want them to.
In a world where DANE catches on on the web, I don't see why Google and Mozilla couldn't do that again. I mean, presumably there'd need to be some evidence of malfeasance, like there was with Web PKI. I don't see why Mozilla alone couldn't start by putting the screws to a smaller CCTLD and some medium-sized DNS hosts for instance.
That said, I don't particularly see DANE growing on the web.