A shorter-term and less complete solution would be to extend HTTP Strict Transport Security to say "ignore any certificates that aren't signed by this specific CA". That would also drastically reduce attack surface, and although in the long run it's probably inferior to DNSSEC, it would be much easier to deploy.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds