Yet both the user and DV certificate issuers rely on the same DNS that you consider unreliable. So you seem to dismiss DV certificates altogether but your comment seems to imply that you only want to dismiss certificates as DNS records. There's something very inconsistent about your comment.
That inconsistency is that users are generally on much less trustworthy networks and DNS right now is rarely authenticated (DNSSEC is not wide spread and even then most clients don’t authenticate it)
While not perfect it’s generally quite true for the majority case.
Actually, a large number of hosts are behind a DNSSEC validating resolver. And that's because the use of Google's public resolvers is extremely wide spread.
I don't know if they document it somewhere, but it is essentially trivial for letsencrypt to use a DNSSEC validating resolver.
So that means that if you care about DV security, you enable DNSSEC.
DNSSEC doesn't protect the connection between a browser and Google's DNS server. Attackers can simply edit the responses generated by Google's DNS. Moreover, virtually nobody signs their domains with DNSSEC (why would they? It's all downside.) So CA's can't require DNSSEC, or depend on it being there. You can enable it, but it's pointless, because the attack against DV that DNSSEC is meant to prevent can be launched whether or not you enable it. DNSSEC has essentially no practical impact on DV.
Although CAs don't (not can't, neither the CAB rules nor any major trust store programme requires you allow names without) require DNSSEC they absolutely can insist on figuring out whether a name is protected by DNSSEC and enforce that if so, since the root is signed and DNSSEC has a closed world assumption (we can get a definitive signed answer which says "No" this domain isn't signed).
It's interesting, even though the $0 price isn't intended to be the main draw a large number of domains with broken DNS fixed it to get Let's Encrypt working rather than pay a CA that doesn't care...
But checking CAA with DNSSEC is mandatory (this caused much feather spitting)
So if you have DNSSEC you can deny all the CAs you don't trust. If a bad guy leaves the CAA record alone they can't get a cert. If they try to replace the CAA record or deny it exists they fail DNSSEC checks.
If your chosen CA agrees to only use a method that's actually secured you get an actual bona fide panacea, for the very affordable price of deploying DNSSEC and CAA, automating cert issuance and getting your DNS config right.
There's so much brokenness here that it's hard to know where to start rebutting this. I took an hour to game through this with some people who actually work on CA initial identity verification security; here's where I land:
* First, most CAs don't do DNSSEC today, or, if they do, do DNSSEC fail-open.
* Second, CA's can already do multi-perspective DNS lookup, which means that a practical attack to defeat CAA over standard DNS requires an on-path attacker. But if the attacker is on-path, most of the mechanisms CAs use to validate a domain fail, even if you use DNSSEC.
* Finally, there's already a replacement for all this stuff in progress: RDAP, a secure JSON API that allows data to be pulled directly from registrars. Every mainstream browser and every CA/B forum CA voted to add it to the BRs; it's going to be implemented. If you really believe that something like CAA is the future for DV certs, then it seems pretty obvious that RDAP is going to be the way that happens.
Whilst it's nice that RDAP is being worked on what you've got there is very much jam tomorrow. It takes a powerful imagination to see the CA/B vote to allow RDAP (when it becomes available, which may be never for many TLDs) and interpret it as a death blow to DNSSEC, but I admit you do have such an imagination.
Your first point argues from an alleged fact, not in evidence, that "most CAs" don't obey the Baseline Requirements in respect to their requirement to use DNSSEC to avoid an on-path attacker replacing or removing CAA records. Do you have such evidence? As I said, this requirement caused CAs to spit feathers, but that's also true of e.g. record keeping requirements and CAA checking itself. One of the unexpected side benefits of Let's Encrypt at scale is that arguments go like this:
Big CA: This requirement is crazy, we issue a vast number of Web PKI certs, and the requirement would cause us to do X for most of those certs, that's just not technically feasible, the requirement must be removed.
Let's Encrypt: We do X for every single cert we issue. Big CA the logs show you issuing only 4% as many certs as us, are there hundreds of times more than you don't log?
Big CA: Um, er, oh, we just realised our single-threaded PHP program might be a bottleneck, we're investigating upgrading to PHP4 to work around that.
But then your second point argues the reverse, that CAs "can" do multi-perspective, and so even though they mostly don't we should pretend they all do. Then it jumps from this backwards argument to claiming all of the Ten (well, nine now) Blessed Methods are vulnerable to an on-path attacker "even if you use DNSSEC", when in fact several are not.
Try it, write down the Ten Blessed Methods as they stand today (yes there are currently nine), then mark whether an on-path attacker succeeds against this method when DNSSEC is in place
3.2.2.4.3, 3.2.2.4.7 and 3.2.2.4.12 are unaffected by an on-path attacker. 3.2.2.4.3 is out-of-band, which I'm sure won't bother a nation state adversary like the NSA, but is otherwise pretty good, 3.2.2.4.7 is in DNS itself, and so protected by DNSSEC, and 3.2.2.4.12 is a simple database lookup, just one that's only possible if your CA is also your registry/ registrar.
I consider unreliable routers that deliver response from DNS to user, especially the last router. If that last router is controlled by attacker, he still can't break HTTPS.
I think he makes a fair point. Browser vendors may be trusting CAs to do more due diligence on their DNS lookups than they might expect browser users to even be able to provide.
I still think there's a better way, though. Surely it must be possible to do some consensus through WebRTC and end up with something that lets me run my own domain-specific CA, at least for DV certs.
Yet both the user and DV certificate issuers rely on the same DNS that you consider unreliable. So you seem to dismiss DV certificates altogether but your comment seems to imply that you only want to dismiss certificates as DNS records. There's something very inconsistent about your comment.