- I, as a user, have means to circumvent or mitigate CA issues (using Certificate Patrol as one possibility, certificate pinning as another, ...)
- There is no user workaround for the DNSSEC vulnerabilities
Furthermore, I'd guess that the majority of CA attacks are nation-state attacks, so that both boil down to the same. I don't know of any criminal attacks (such as attacks on online banking) on the CAs. Conclusion: I, as a user, don't gain anything from DNSSEC.
Of course DNSSEC is vulnerable to NSLs, but that is not relevant. What is relevant is:
- DNSSEC is vulnerable to nation-state attacks.
- The CA system is vulnerable to nation-state attacks.
- The CA system is vulnerable to attacks from any CA.