Thanks to this nice piece of research this topic can be talked about again: https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Heftrig-Off-Path-Attacks-Against-PKI.pdf
Would it be somehow possible to enforce certificates only to be issued when the domain is DNSSEC protected?
I was also thinking that it would be really nice if that status were also written into the certificate itself some day. I mean, we have CT status that's embedded with Expect-CT, so why shouldn't there be an embedded DNSSEC status and Expect-CDNSSEC? This would also mean that browsers don't have to spend time validating DNSSEC but can enjoy the security benefits (to a certain extent).
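As an added illustration of the issuance gate the post asks about (this is example code, not anything from the post or from a CA), the following parses the 12-byte DNS message header and only reports a domain as DNSSEC-validated when the response is a reply with RCODE NOERROR and the AD (Authenticated Data) bit set. It assumes the response came from a validating resolver the checker trusts over an authenticated path (e.g. a local validator), because the AD bit is only meaningful under that assumption; the message bytes are constructed inline.

```python
import struct

# DNS header layout (RFC 1035 s.4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER_FMT = "!HHHHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)

QR_BIT = 0x8000      # response (1) vs query (0)
AD_BIT = 0x0020      # Authenticated Data, set by a validating resolver (RFC 4035 s.3.2.3)
CD_BIT = 0x0010      # Checking Disabled: the client asked the resolver NOT to validate
RCODE_MASK = 0x000F  # low 4 bits carry the response code; 0 == NOERROR


def parse_header(msg: bytes) -> dict:
    """Decode the fixed DNS header into named fields."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack(HEADER_FMT, msg[:HEADER_LEN])
    return {
        "id": ident,
        "qr": bool(flags & QR_BIT),
        "ad": bool(flags & AD_BIT),
        "cd": bool(flags & CD_BIT),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def dnssec_validated(msg: bytes) -> bool:
    """True only when a trusted validating resolver vouches for the answer.

    Assumption (hypothetical policy): issuance is gated on all of
      - the message is a response, not an echoed query,
      - RCODE is NOERROR (a SERVFAIL from a validator usually means BOGUS),
      - AD is set and CD is clear (CD set means validation was skipped).
    """
    h = parse_header(msg)
    return h["qr"] and h["rcode"] == 0 and h["ad"] and not h["cd"]


def _build(flags: int, ancount: int = 1) -> bytes:
    """Construct a header-only sample message with the given flag word."""
    return struct.pack(HEADER_FMT, 0x1234, flags, 1, ancount, 0, 0)


# Constructed samples: QR|RD|RA = 0x8180; add AD (0x0020) for a validated answer.
VALIDATED_RESPONSE = _build(0x8180 | AD_BIT)          # 0x81A0
UNSIGNED_RESPONSE = _build(0x8180)                     # no AD bit
CD_RESPONSE = _build(0x8180 | AD_BIT | CD_BIT)         # validation bypassed by client
SERVFAIL_RESPONSE = _build(0x8180 | AD_BIT | 0x0002)   # RCODE 2 (SERVFAIL)

if __name__ == "__main__":
    for name, msg in [("validated", VALIDATED_RESPONSE), ("unsigned", UNSIGNED_RESPONSE),
                      ("cd-set", CD_RESPONSE), ("servfail", SERVFAIL_RESPONSE)]:
        print(f"{name:10s} issue={dnssec_validated(msg)} header={parse_header(msg)}")
```

The check deliberately fails closed: anything short of a clean, authenticated NOERROR answer is treated as "not DNSSEC protected", which is the behaviour you want before trusting a domain validation result built on top of it.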