
It would be good if we actually had a CA hierarchy; I wouldn't call the current CA system a hierarchy[*]: any Root CA can issue a valid certificate for any domain, all Root CAs are equal in power, and a compromise of any* of them allows valid certificates to be issued for anything. Sure, there are protections like certificate pinning, etc., but still, the more Root CAs you have, the higher the risks.

I think that reducing the number of organizations controlling your particular branch of DNS is good. You may trust the US CA to issue certs for US sites, those are more or less under their control anyway, but you probably don't want to trust them for .eu sites. Or why should I trust the Chinese CA for anything but Chinese sites?

And more to the point: why should a CA be allowed to issue a cert for a site that already has a cert issued by another CA?

DNSSEC is hierarchical: there is one key for example.com. in the parent zone com., and if someone else wants to put a key for example.com. into com. they'll have to replace it. Presumably the owner of example.com. would monitor its own record in com. and notice tampering. You can't easily have a random CA issuing certs for your sites without being detected.

Of course, having only a single entity is not good either, because then you introduce a single point of failure.

[*] Well, of course at the X.509 level you have subordinate CAs, and a hierarchy, but it is in no way tied to DNS.
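The comment's point about DNSSEC is that the parent zone holds exactly one delegation record per child, so a zone owner can watch it. The following is an added example, not part of the comment above: it computes the DS digest and key tag that com. should publish for example.com.'s key-signing keys (RFC 4034 DS and key-tag construction, SHA-256 digest type 2) and compares them against a constructed snapshot of what the parent actually serves. Any DS in the parent that does not correspond to one of the owner's own keys is a foreign delegation; any expected DS that is absent means the delegation was removed. The key bytes, the rogue key and the "published" DS set are all constructed for the demo, not real records.

```python
import hashlib
from typing import Iterable, NamedTuple


class DNSKEY(NamedTuple):
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: bytes


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256
    digest: str       # uppercase hex, as in presentation format


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root = 0x00."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(key: DNSKEY) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm]) + key.public_key


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B: ones-complement-style 16-bit sum over the RDATA."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, key: DNSKEY) -> str:
    """DS digest (type 2): SHA-256 over owner name in wire form followed by the DNSKEY RDATA."""
    return hashlib.sha256(owner_wire(owner) + dnskey_rdata(key)).hexdigest().upper()


def expected_ds(owner: str, keys: Iterable[DNSKEY]) -> set:
    """DS records the parent zone should carry: one per key with the SEP bit (bit value 1) set."""
    return {DS(key_tag(k), k.algorithm, 2, ds_digest(owner, k)) for k in keys if k.flags & 1}


def audit_parent_ds(owner: str, our_keys: Iterable[DNSKEY], published: Iterable[DS]) -> dict:
    """Compare the parent's DS set with what our own keys imply; report foreign and missing delegations."""
    expected = expected_ds(owner, our_keys)
    observed = {DS(d.key_tag, d.algorithm, d.digest_type, d.digest.upper()) for d in published}
    return {
        "foreign": sorted(observed - expected),   # DS pointing at a key we do not hold
        "missing": sorted(expected - observed),   # our KSK no longer delegated
    }


# Constructed sample data (not real keys): the zone's legitimate KSK and ZSK.
OUR_KSK = DNSKEY(257, 3, 13, bytes(range(1, 65)))
OUR_ZSK = DNSKEY(256, 3, 13, bytes(range(65, 129)))
# A key the zone owner never generated, whose DS somehow appeared in the parent (constructed).
ROGUE_KSK = DNSKEY(257, 3, 13, bytes(64))


def demo() -> dict:
    """Snapshot of com.'s DS set for example.com.: our legitimate DS plus a foreign one."""
    legit = next(iter(expected_ds("example.com.", [OUR_KSK])))
    published = [legit, DS(key_tag(ROGUE_KSK), 13, 2, ds_digest("example.com.", ROGUE_KSK).lower())]
    return audit_parent_ds("example.com.", [OUR_KSK, OUR_ZSK], published)


if __name__ == "__main__":
    report = demo()
    for ds in report["foreign"]:
        print(f"ALERT foreign DS in parent: tag={ds.key_tag} alg={ds.algorithm} digest={ds.digest[:16]}...")
    for ds in report["missing"]:
        print(f"ALERT our DS missing from parent: tag={ds.key_tag}")
```

In practice the "published" set would come from querying the parent's authoritative servers (or several public resolvers, to catch a view that only some of them see), and the audit would run on a schedule; a non-empty `foreign` list is exactly the tampering the comment says the zone owner would notice. Note that the ZSK is deliberately ignored: only SEP-flagged keys are expected to have a DS in the parent.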
