
People say this all the time, but of course the WebPKI has Certificate Transparency, requiring every issuer to register every certificate issued in a globally monitored tamper-proof log, and DNSSEC doesn't. Moreover, the WebPKI got CT because the browser root programs were able to force the CAs to join it. They have no such influence over DNS registrars, many of which are de jure controlled by world governments and will never consent to transparency logging. This very much includes the US, which actively manipulates the DNS for policy ends.

If Comodo knowingly misissues a Google Mail certificate, Google will nuke them from orbit, as it has done in the past with other major CAs. Google can't do anything about .COM mis-signatures.

Thankfully, practically none of .COM is signed.
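Added example (not part of the comment above or any log operator's code): a toy RFC 6962-style Merkle log showing what "tamper-proof log" means in CT terms. Leaf and node hashing and the inclusion-proof verifier follow RFC 6962/9162; the log entries are constructed placeholder strings, not real certificates, and the tree head is left unsigned. `demo()` shows that every logged entry can prove inclusion against the head, that a log which quietly rewrites an entry can no longer satisfy the proof it already handed out, and what a domain owner's monitor sees when it scans the log for its own names.

```python
"""Toy RFC 6962-style Merkle log (added example; constructed entries, unsigned head)."""
import hashlib
from typing import List

def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 leaf hash: SHA-256(0x00 || entry); the prefix separates leaves from nodes
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # RFC 6962 interior node: SHA-256(0x01 || left || right)
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split_point(n: int) -> int:
    # Largest power of two strictly below n (n >= 2); RFC 6962 splits subtrees there
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves: List[bytes]) -> bytes:
    # Merkle Tree Hash over already-hashed leaves; this is the log's tree head
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split_point(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves: List[bytes], m: int) -> List[bytes]:
    # Audit path for leaf m: the sibling hashes needed to recompute the root
    n = len(leaves)
    if n <= 1:
        return []
    k = _split_point(n)
    if m < k:
        return inclusion_proof(leaves[:k], m) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [merkle_root(leaves[:k])]

def verify_inclusion(leaf: bytes, m: int, n: int, proof: List[bytes], root: bytes) -> bool:
    # Verifier from RFC 9162 section 2.1.3.2 (the current CT spec); fn and sn track the
    # leaf index and the last index at each level while walking up the tree
    if m >= n:
        return False
    fn, sn, r = m, n - 1, leaf
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn != 0 and not fn & 1:  # skip levels where this node had no right sibling
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root

# Constructed placeholders standing in for logged certificates, not real issuances
SAMPLE_ENTRIES = [
    b"CN=mail.example.com;issuer=ExampleCA;serial=01",
    b"CN=www.example.net;issuer=ExampleCA;serial=02",
    b"CN=login.example.org;issuer=OtherCA;serial=03",
    b"CN=mail.example.com;issuer=OtherCA;serial=04",  # second issuer for the same name
    b"CN=shop.example.com;issuer=ExampleCA;serial=05",
]

def monitor(entries: List[bytes], name: bytes) -> List[bytes]:
    # What a domain owner's monitor does: scan the whole log for its own names
    return [e for e in entries if b"CN=" + name + b";" in e]

def demo(entries: List[bytes] = SAMPLE_ENTRIES) -> dict:
    leaves = [leaf_hash(e) for e in entries]
    head, n = merkle_root(leaves), len(leaves)
    # Every logged entry can prove inclusion against the published head
    all_included = all(
        verify_inclusion(leaves[i], i, n, inclusion_proof(leaves, i), head) for i in range(n)
    )
    # A log that quietly rewrites an entry changes the root, so the proof it issued
    # earlier no longer verifies against the head that monitors already recorded
    altered = b"CN=www.example.net;issuer=RogueCA;serial=02"
    tamper_detected = not verify_inclusion(leaf_hash(altered), 1, n, inclusion_proof(leaves, 1), head)
    return {
        "all_included": all_included,
        "tamper_detected": tamper_detected,
        "mail_issuers": monitor(entries, b"mail.example.com"),
    }
```

The point the toy makes for the thread: the root is a commitment over everything ever logged, so a log can only add entries, never edit or drop one, without every monitor that saved an earlier head noticing. A real CT log also signs the head and serves consistency proofs between heads, which this example omits.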



If the issue is the lack of certificate transparency, then add that as a new standard to DNSSEC.

Certificate Transparency came into the picture around 2013, by which time HTTPS was fairly old. Public resolvers like Google, Quad9, and Cloudflare could create Certificate Transparency for DNSSEC today if there was a demand for it.


I've explained several times on this thread already why DNSSEC won't ever get transparency logging.


You said that registrars won't implement transparency logging, but certificate transparency was not created by certificate authorities. Google added it to Chrome, and they could just as easily add it to their own public resolver.


And then what happens? Google stops resolving .COM names? I don't think you've thought this through all the way.


"If Comodo knowingly misissues a Google Mail certificate, Google will nuke them from orbit" - tptacek

If Verisign knowingly misuses the .com root certificate, Google could nuke them from orbit by making it public. That is the whole purpose of certificate logs. Verisign operate on trust, and they are also a certificate authority.

The damage to Verisign if they lost their status as a certificate authority and as a trusted company would create so much fallout that I am doubtful ICANN and DNS would be left without major scars.

I don't think you've thought this through all the way.


That's not at all what "nuke from orbit" means. Google broke Thawte and Verisign. They didn't simply "make it public". Thank you for clarifying this; I could have been clearer. I think the distinction between what's possible in CT and DANE is much more obvious now.


I am 100% not arguing with any of your points, you and I agree absolutely on DNSSEC. However...Comodo don't issue anything anymore - it's Sectigo now. Nitpicky, I know!



