> DANE is about distributing TLS keys through a channel you trust
Only to the extent that you and your visitors already have to trust your DNS provider, your domain registrar, the TLD registry, and the DNS root. Neither DANE nor DNSSEC intrinsically solve anything that hasn't already been solved for end users... particularly when you consider forwarders will have to accept unsigned zones for years to come.
Namecoin etc does go some way to "squaring Zooko's triangle" (as many good minds have discussed already) but proof-of-work chains have their own burdens, and are not any more immune to the lure of trading robustness and security for convenience than traditional DNS forwarders, online DNSSEC signing, or webmasters offering up their SSL certificates up to CDNs.
Only to the extent that you and your visitors already have to trust your DNS provider, your domain registrar, the TLD registry, and the DNS root. Neither DANE nor DNSSEC intrinsically solve anything that hasn't already been solved for end users... particularly when you consider forwarders will have to accept unsigned zones for years to come.
Namecoin etc does go some way to "squaring Zooko's triangle" (as many good minds have discussed already) but proof-of-work chains have their own burdens, and are not any more immune to the lure of trading robustness and security for convenience than traditional DNS forwarders, online DNSSEC signing, or webmasters offering up their SSL certificates up to CDNs.