DANE has 4 modes of operation, indexed 0-3, with mode 3 (i.e. domain-issued certificate)
allowing for self-signed certificates. Can this mode be used in a trustable manner? And if so, does that mean that traditional Certificate Authorities and their chain of trust can be made obsolete/redundant, while still relying on the chain of trust in DNSSEC?
My understanding is that it would, as long as a domain owner can prove ownership of a public key to their domain registrar/domain hosting service, in which case the domain registrar/domain hosting service will allow the domain owner to enable DANE in mode 3 by allowing the TLSA RR to be modified with, for example, a hash of the public key whose ownership the domain registrar just validated.
However, this assumes that the domain registrar/domain hosting service does authenticity/validity checks on DNS Resource Records (in this case particularly the TLSA RR) in much the same way a CA would validate ownership of a public key. Is this the case, or can domain owners specify any data to populate their TLSA records regardless of ownership?
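To make the mechanics behind the question concrete, here is an added example (not part of the original post) of how a TLSA record for usage 3 is built from a certificate or its public key and how a verifier then checks a presented certificate against it. It uses only the Python standard library; the field names follow RFC 6698 and the certificate and SubjectPublicKeyInfo byte strings are constructed placeholders, not real DER. The check for usage 3 compares only the presented end-entity certificate (or its key) with the record; it consults no CA and performs no DNSSEC validation, which is assumed to have happened in the resolver before the record is trusted.

```python
import hashlib
import hmac
from dataclasses import dataclass

# TLSA RDATA field values from RFC 6698 (the RFC's names; the post calls usage 3 "mode 3").
USAGE_DANE_EE = 3       # domain-issued certificate: no CA chain is consulted
SELECTOR_FULL_CERT = 0  # association data covers the whole certificate
SELECTOR_SPKI = 1       # association data covers only the SubjectPublicKeyInfo (the key)
MTYPE_EXACT = 0         # full DER content placed in the record
MTYPE_SHA256 = 1        # SHA-256 of the selected content
MTYPE_SHA512 = 2        # SHA-512 of the selected content

# Constructed sample inputs: placeholder byte strings standing in for DER-encoded
# certificates and SubjectPublicKeyInfo blobs. They are NOT real keys or certificates.
SPKI_A = b"constructed-spki-of-key-A"
CERT_A = b"constructed-cert-1-for-key-A"
CERT_A_REISSUED = b"constructed-cert-2-for-key-A"   # same key, freshly issued certificate
SPKI_B = b"constructed-spki-of-key-B"
CERT_B = b"constructed-cert-for-key-B"


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes  # Certificate Association Data

    def presentation(self) -> str:
        """Zone-file presentation format: 'usage selector mtype hex-data'."""
        return f"{self.usage} {self.selector} {self.mtype} {self.data.hex()}"


def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the Certificate Association Data for a certificate and its SPKI."""
    if selector == SELECTOR_FULL_CERT:
        selected = cert_der
    elif selector == SELECTOR_SPKI:
        selected = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == MTYPE_EXACT:
        return selected
    if mtype == MTYPE_SHA256:
        return hashlib.sha256(selected).digest()
    if mtype == MTYPE_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> TLSA:
    """What the zone operator publishes: the record derived from their own cert/key."""
    return TLSA(usage, selector, mtype, association_data(selector, mtype, cert_der, spki_der))


def parse_tlsa(text: str) -> TLSA:
    """Parse presentation format, rejecting digest lengths that cannot be valid."""
    usage, selector, mtype, hexdata = text.split()
    rec = TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))
    expected = {MTYPE_SHA256: 32, MTYPE_SHA512: 64}.get(rec.mtype)
    if expected is not None and len(rec.data) != expected:
        raise ValueError("digest length does not match matching type")
    return rec


def dane_ee_matches(tlsa: TLSA, presented_cert_der: bytes, presented_spki_der: bytes) -> bool:
    """
    The usage-3 (DANE-EE) check: the presented end-entity certificate (or its key)
    must match the record. No CA, chain or name check happens here; the record is
    only as trustworthy as the DNSSEC-validated answer it came from, and that
    validation is assumed to have been done by the resolver already.
    """
    if tlsa.usage != USAGE_DANE_EE:
        raise ValueError("usages 0-2 additionally require PKIX chain validation")
    computed = association_data(tlsa.selector, tlsa.mtype, presented_cert_der, presented_spki_der)
    return hmac.compare_digest(computed, tlsa.data)


if __name__ == "__main__":
    rec = make_tlsa(USAGE_DANE_EE, SELECTOR_SPKI, MTYPE_SHA256, CERT_A, SPKI_A)
    print("published:", rec.presentation())
    print("same key, reissued cert:", dane_ee_matches(rec, CERT_A_REISSUED, SPKI_A))
    print("different key:", dane_ee_matches(rec, CERT_B, SPKI_B))
```

The selector matters operationally: a `3 1 1` record pins the key, so the certificate can be reissued (self-signed or otherwise) without touching DNS, whereas a `3 0 1` record pins one exact certificate and must be republished on every reissue. Nothing in the matching step depends on who signed the certificate, which is why the question's concern shifts to what controls are applied before the record is placed in the signed zone.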