DNSSEC: Google needs to watch .com and the DNS root.
Which one is better?
(I am rate-limited, so I am posting here rather than replying to the child post by tptacek https://news.ycombinator.com/item?id=18889809)
Of course they can. There is literally no legal or other difference between Verisign and .com. Chrome can do whatever it wants, because it's Google's browser, not .com's.
In case .xxx becomes dishonest, you can just move to your own gTLD or a .more-trustable TLD. In the current system, there is no concept of ditching a CA. If a CA decides to mismap a name and you are too small, you are fked.
> it’s actually 1, or 1 AND 2
No, you can have DNSSEC without CAs. I have already explained that, without changing much of TLS. Basically example.com's DNSSEC key becomes the CA for example.com. example.com would then create a TLS cert in the usual way. No pain.
The operator of .com can use their control over it to get a valid TLS cert issued by any number of CAs.
So the situation is no different currently: trust in the DNS is essential.
But feel free to ask the relevant team at Google, who will give you the same answer.
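The "domain's DNSSEC-signed record is the trust root for its own TLS certificate" idea discussed above has a concrete form in DANE (RFC 6698): a TLSA record with usage 3, selector 1, matching type 1 pins the SHA-256 of the server's SubjectPublicKeyInfo in DNS, and no CA is consulted. The example below is added here and is not code from the thread or from any of the commenters; it models the client-side check and the one caveat that decides whether the scheme is worth anything, namely that the TLSA answer only counts when the resolver reports it as DNSSEC-validated (the AD flag). The SPKI bytes and TLSA records are constructed sample data, and `DnsAnswer` is a stand-in for what a validating stub resolver would return, not a real library type.

```python
"""
Added example (not from the HN thread): a minimal DANE-EE style check.
Usage 3 / selector 1 / matching type 1 = pin the SHA-256 of the server's
SubjectPublicKeyInfo directly in DNS, with the domain's DNSSEC chain as the
only trust root. No CA is involved.
"""
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass
class TlsaRecord:
    usage: int       # 3 = DANE-EE (pin the end-entity key itself)
    selector: int    # 1 = SubjectPublicKeyInfo
    matching: int    # 1 = SHA-256 of the selected data
    data: bytes


@dataclass
class DnsAnswer:
    """Stand-in (assumption, not a real API) for a validating resolver's reply:
    the TLSA records plus the AD (authenticated data) flag."""
    records: List[TlsaRecord]
    authenticated: bool  # True only if the resolver validated the DNSSEC chain


def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse the zone-file presentation form '3 1 1 <hex digest>'.
    Whitespace inside the hex field is allowed by the presentation format."""
    usage, selector, matching, hexdata = presentation.split(maxsplit=3)
    return TlsaRecord(int(usage), int(selector), int(matching),
                      bytes.fromhex(hexdata.replace(" ", "")))


def spki_digest(spki_der: bytes) -> bytes:
    """Matching type 1: SHA-256 over the DER-encoded SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_der).digest()


def dane_ee_matches(answer: DnsAnswer, server_spki_der: bytes) -> bool:
    """Return True only if a DNSSEC-validated DANE-EE record pins this SPKI.

    Without the AD flag the TLSA data could have been injected by anyone on
    path, so an unauthenticated answer is treated as if no record existed.
    """
    if not answer.authenticated:
        return False
    digest = spki_digest(server_spki_der)
    for rec in answer.records:
        if (rec.usage, rec.selector, rec.matching) == (3, 1, 1) and rec.data == digest:
            return True
    return False


# --- constructed sample data (not real keys or DNS answers) ---------------
# Bytes shaped like a DER SubjectPublicKeyInfo; the key material is arbitrary.
SERVER_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
ROGUE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32, 64))

# What the zone operator would publish for _443._tcp.example.com:
GOOD_TLSA = "3 1 1 " + spki_digest(SERVER_SPKI).hex()


def demo() -> dict:
    """Run the three cases a practitioner cares about and return the verdicts."""
    rec = parse_tlsa(GOOD_TLSA)
    return {
        "validated_and_pinned": dane_ee_matches(DnsAnswer([rec], True), SERVER_SPKI),
        "validated_wrong_key": dane_ee_matches(DnsAnswer([rec], True), ROGUE_SPKI),
        "unvalidated_answer": dane_ee_matches(DnsAnswer([rec], False), SERVER_SPKI),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

The third case is the one that matters for the argument in the thread: the pin is only as strong as the DNSSEC chain above it (the zone, its TLD, and the root), which is exactly why a browser that adopted this would have to care about who signs .com and the root.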