
Isn't the signer for .com the same as the owner of .com, so if they misbehave then your DNS resolution could be broken regardless of DNSSEC?


If you add DANE in the mix, they can set any certificate as trusted for your domain (if clients don't require it to be also signed by a trusted CA). So they can't just redirect your domain somewhere else, they can also feed clients "trustworthy" certs for the new target.

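As an added illustration (written for this page, not from any commenter) of the point about clients requiring the certificate to also be CA-signed: the TLSA matching rule from RFC 6698 in Python, where usages 0 and 1 still require the chain to pass PKIX validation and usages 2 and 3 let the DNSSEC-signed zone alone decide what is trusted. `DEMO_CERT` and `DEMO_SPKI` are constructed stand-in byte strings, not real DER.

```python
import hashlib

# Field values from RFC 6698, section 2.1.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3      # certificate usage
SEL_FULL_CERT, SEL_SPKI = 0, 1                        # selector
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2     # matching type

def _digest(mtype, subject):
    """Apply the matching type to the selected bytes; None for unknown types."""
    if mtype == MATCH_EXACT:
        return subject
    if mtype == MATCH_SHA256:
        return hashlib.sha256(subject).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(subject).digest()
    return None

def tlsa_rdata(usage, selector, mtype, subject):
    """Presentation-format RDATA the zone operator publishes, e.g. '3 1 1 <hex>'."""
    return f"{usage} {selector} {mtype} {_digest(mtype, subject).hex()}"

def parse_tlsa(rdata):
    """Parse 'usage selector mtype hexdata' (the hex may contain whitespace)."""
    usage, selector, mtype, *assoc = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(assoc))

def dane_accepts(record, cert_der, spki_der, pkix_valid):
    """Client-side decision for one TLSA record.

    cert_der/spki_der belong to the certificate the record constrains: the
    server's own certificate for EE usages (1, 3), the relevant CA certificate
    from the presented chain for TA usages (0, 2). pkix_valid says whether the
    chain validates under the client's normal CA store; usages 0 and 1 require
    it, usages 2 and 3 make the DNSSEC-signed zone the sole source of trust.
    """
    usage, selector, mtype, assoc = record
    if selector not in (SEL_FULL_CERT, SEL_SPKI):
        return False
    subject = cert_der if selector == SEL_FULL_CERT else spki_der
    if _digest(mtype, subject) != assoc:
        return False
    if usage in (PKIX_TA, PKIX_EE):
        return pkix_valid
    return usage in (DANE_TA, DANE_EE)

# Constructed stand-ins for a DER certificate and its SubjectPublicKeyInfo.
DEMO_CERT = b"constructed-certificate-der"
DEMO_SPKI = b"constructed-spki-der"
```

With a usage-3 record, `dane_accepts` returns True even when `pkix_valid` is False, which is exactly the trust the comment above places in whoever signs the zone.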

Sure, but without DANE, they can get a domain validated certificate quickly from any number of CAs that your clients probably already trust.

(edit) I understand DANE puts explicit trust on the registry, registrar, and the DNS root; but given the common use of domain validated certificates, that trust is already there, and I think it is better to have it explicit. Also, there are fewer parties to watch out for: the Belgium Root CA can issue a cert for my domain, but Belgium is unlikely to compel my registry/registrar unless I've chosen to have a .be domain. (My apologies to Belgium Root, if they're not affiliated with the government of Belgium.)

Also, I don't think cert issuance can scale without domain validation or a large expense.


Coincidentally, VeriSign (responsible for DNSSEC for the root zone and .com) also runs a major CA in the existing CA infrastructure. Even worse, it is such a major player that removing it from the certificate store would invalidate the certificates of a huge number of sites, and it would be impossible for a browser to remove them without breaking a significant part of the internet. Thus, while the situation is horrible now, it won't get any worse with DANE.


Verisign controls .com and is on pretty much every root CA list, so they can do what you describe today, no DANE required.


Do you not see a problem with a massive deployment of new crypto infrastructure that leaves Verisign in cryptographic control of any site in .COM?


Oh, I definitely do. I was just trying to say that Verisign could already do a similar attack even without DANE. As controllers of .com they could easily redirect example.com to an evil server, and as a root CA they could give the evil server an EV certificate for example.com.

If anything, I suppose that should be an argument against consolidating DNS and TLS powers into single entities, which is exactly what DNSSEC and DANE do.



