There's an argument I've heard that DANE TLSA ties crypto closer to nation-state control than the CAs do, since the DNS is ultimately managed through a governmental framework.
This was presented to me as a showstopper, on the grounds of government = bogeyman. Personally I'm much more equivocal about the dangers. But I do see DANE as a useful alternative in many circumstances, particularly those where defending against a major government isn't considered a worthwhile aspiration.
Or even better as a trust multiplier or CA-issued certs.
Jurisdiction is a complex question, and one I can't answer, but people should think about the jurisdictional consequences of using ccTLDs in particular. You are at the mercy of whomever's higher in the DNS hierarchy - that's why the root control is such a big deal and needs to come out of the US into some sort of non-governmental or international treaty org.
However, certainly DANE 2 & 3 are way better than nothing, and DANE 0 & 1 let you limit the subset of "people who can spoof your site" from "people who have pwned any CA they want trusted by a major browser, including intermediates" (do we even know how many intermediates are out there? Answer: No, we don't!! It's an open research question to scan to try to find out: please save us, Certificate Transparency!) to "people who have pwned the correct CA, or the government with the most obvious jurisdiction over my site".
If that isn't enough for you, and I can understand why it may not, then you need to be considering using Tor or something similar to meet your threat model...
This was presented to me as a showstopper, on the grounds of government = bogeyman. Personally I'm much more equivocal about the dangers. But I do see DANE as a useful alternative in many circumstances, particularly those where defending against a major government isn't considered a worthwhile aspiration.
Or even better as a trust multiplier or CA-issued certs.