Delete comment from: Google Online Security Blog
That's why we should finally switch to TLSA RRs, which only make sense with DNSSEC.
If you, fellow readers, administrate a DNS service at your company, get DNSSEC set up. TLSA or CAA afterwards is trivial. Chrome already verifies it, Mozilla has plans to do so (also a nice introduction): https://wiki.mozilla.org/Security/DNSSEC-TLS-details#Embedding_Certificate_Information_in_DNS
Jan 3, 2013, 2:39:26 PM
Posted to Enhancing digital certificate security