Support certificate validation using DANE (RFC 6698)
DNS-based Authentication of Named Entities (DANE) complements and sometimes replaces the current trust model for certificates. Since it is based on the hierarchical DNSSEC system, it doesn't have the flaw of having numerous (and sometimes a bit untrustworthy) certificate authorities all able to issue certificates for any domain. By making CAs unnecessary for domain-only certificates, it would shift their market to providing more reliable validation of additional information, such as who the owner of the domain is.
Alice Wonder commented
Please PLEASE support DANE. There is already partial support in Firefox via an add-on, though it is not developed by Mozilla.
For me, I use DANE as a form of two-factor authentication for my TLS certificates. All my DNS servers use DNSSEC and all my TLS certificates do have TLSA records in DNS, but I do not see DANE as replacing certificate authorities; as a user, I like two forms of authentication from websites. The trusted CA is one form, the fingerprint in a DNSSEC-signed TLSA record is the second form.
DANE is better than HPKP for this because HPKP records are not signed, making them Trust On First Use. I prefer Validate On Every Use which is what DANE does for me.
Thank you for your time.
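The "second factor" described in the comment above is the TLSA certificate-association check from RFC 6698 section 2.1: the client computes the selected part of the presented certificate (full certificate or just the SubjectPublicKeyInfo), hashes it per the matching type, and compares it with the DNSSEC-signed record on every connection. The following is an added example written for this page, not code from Firefox, the add-on mentioned above, or any DANE library. It assumes the TLSA records have already been obtained from a DNSSEC-validating resolver (the AD-bit / validation step is outside the snippet), that `pkix_valid` is the outcome of the browser's normal CA chain check, and it uses a constructed dummy certificate built by `build_test_cert` rather than a real one. Only the end-entity usages 1 (PKIX-EE, CA check plus TLSA match, i.e. the commenter's two-factor mode) and 3 (DANE-EE, TLSA match alone) are evaluated; the trust-anchor usages 0 and 2 need the full chain and are skipped.

```python
import hashlib

# --- minimal DER helpers, enough for the fixed RFC 5280 Certificate layout ---

def der(tag, content):
    """Encode one DER TLV (content lengths up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def der_read(buf, pos):
    """Decode the TLV header at buf[pos]; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def der_children(buf, start, end):
    """Yield (tag, raw_tlv_bytes) for each TLV found in buf[start:end]."""
    pos = start
    while pos < end:
        tag, _, vend = der_read(buf, pos)
        yield tag, buf[pos:vend]
        pos = vend

def extract_spki(cert_der):
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate."""
    tag, s, _ = der_read(cert_der, 0)          # Certificate ::= SEQUENCE
    tbs_tag, ts, te = der_read(cert_der, s)    # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER certificate")
    fields = list(der_children(cert_der, ts, te))
    if fields and fields[0][0] == 0xA0:        # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

# --- RFC 6698 certificate association (selector / matching type) ---

def tlsa_association_data(cert_der, selector, matching_type):
    """Selector 0 = full cert, 1 = SPKI; matching 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %d" % matching_type)

def make_tlsa_record(cert_der, usage, selector, matching_type):
    """Presentation-format RDATA ('3 1 1 <hex>') for publishing in DNS."""
    assoc = tlsa_association_data(cert_der, selector, matching_type)
    return "%d %d %d %s" % (usage, selector, matching_type, assoc.hex())

def parse_tlsa_rdata(text):
    usage, selector, mtype, hexdata = text.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))

def dane_validate(cert_der, tlsa_records, pkix_valid):
    """Validate-on-every-use check of a presented leaf certificate.

    tlsa_records: presentation-format strings from a DNSSEC-validated answer.
    pkix_valid:   result of the ordinary CA path validation (assumed done elsewhere).
    Returns (ok, reason).
    """
    for rec in tlsa_records:
        usage, selector, mtype, assoc = parse_tlsa_rdata(rec)
        if usage in (0, 2):          # trust-anchor usages need the whole chain
            continue
        if tlsa_association_data(cert_der, selector, mtype) != assoc:
            continue
        if usage == 1 and not pkix_valid:
            continue                 # PKIX-EE: TLSA match alone is not enough
        return True, "matched TLSA usage %d selector %d matching %d" % (usage, selector, mtype)
    return False, "no usable TLSA record matched the presented certificate"

# --- constructed test data: a structurally valid dummy certificate, no real signature ---

def build_test_cert(key_bytes):
    """Return (cert_der, spki_der) for a CONSTRUCTED dummy certificate."""
    spki = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02")) +   # version v3
              der(0x02, b"\x01") +              # serialNumber
              der(0x30, b"") +                  # signature AlgorithmIdentifier
              der(0x30, b"") +                  # issuer Name
              der(0x30, b"") +                  # validity
              der(0x30, b"") +                  # subject Name
              spki)
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00\xff"))
    return cert, spki

CERT_DER, SPKI_DER = build_test_cert(b"\x01\x02\x03\x04")

if __name__ == "__main__":
    record = make_tlsa_record(CERT_DER, 3, 1, 1)       # "3 1 1 <sha256 of SPKI>"
    print("publish:", record)
    print(dane_validate(CERT_DER, [record], pkix_valid=False))
    other, _ = build_test_cert(b"\x09\x09\x09\x09")    # a different key
    print(dane_validate(other, [record], pkix_valid=True))
```

Selector 1 with matching type 1 ("3 1 1") is the common choice because the record survives certificate renewals as long as the key pair is kept; a selector-0 record would have to be republished with every reissued certificate.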