I know of at least 2 DNS resource record types that serve the purpose of giving domain owners the ability to control approved/revoked certificates, either self-signed or issued by CAs, namely the CERT and TLSA RRs. I'm not sure if there are other fields that basically do this, but why have both when just one will suffice?
DANE has 4 modes of operation indexed 0-3, with mode 3, i.e. "Domain issued certificate", allowing for self-signed certificates. Can this mode be used in a trustable manner? And if so, does that mean that traditional Certificate Authorities and their chain of trust can be made obsolete/redundant (while still relying on the chain of trust in DNSSEC)?
My understanding is that it would, as long as a domain owner can prove ownership of a public key to their domain registrar/domain hosting service, in which case the domain registrar/domain hosting service will allow the domain owner to enable DANE in mode 3 by allowing the TLSA RR to be modified with, for example, a hash of the public key whose ownership the domain registrar just validated.
However, this assumes that the domain registrar/domain hosting service does authenticity/validity checks on DNS Resource Records (in this case particularly the TLSA RR) in much the same way a CA would validate ownership of a public key. Is this the case, or can a domain owner specify any data to populate their TLSA records regardless of ownership?
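The following is an added example, not part of either question above and not code from any DANE or DNS implementation. It works through the TLSA record format from RFC 6698 that both questions turn on: the certificate usage field (0-3) discussed in the second question, the selector (full certificate vs. SubjectPublicKeyInfo) and the matching type (exact, SHA-256, SHA-512). It builds a record from a certificate, renders and parses the zone-file form, and then applies the acceptance rule for each usage. The DER certificate and SPKI bytes are constructed placeholder strings (a real deployment would use the actual DER output of the certificate tooling), and the `pkix_valid` flag stands in for ordinary CA chain validation, which is out of scope here; the function and constant names are this example's own.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Field values from RFC 6698 (the names are this example's own labels).
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR_NAMES = {0: "Cert", 1: "SPKI"}
MTYPE_NAMES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_LEN = {1: 32, 2: 64}


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    mtype: int
    cadata: bytes  # "certificate association data"

    def to_presentation(self, owner="_443._tcp.example.com."):
        # Zone-file form: owner IN TLSA usage selector mtype hex-data
        return f"{owner} IN TLSA {self.usage} {self.selector} {self.mtype} {self.cadata.hex()}"


def parse_tlsa(line):
    """Parse a presentation-format TLSA line and validate its field ranges."""
    fields = line.split()
    i = fields.index("TLSA")
    usage, selector, mtype = (int(x) for x in fields[i + 1:i + 4])
    cadata = bytes.fromhex("".join(fields[i + 4:]))  # hex may be split over whitespace
    if usage not in USAGE_NAMES or selector not in SELECTOR_NAMES or mtype not in MTYPE_NAMES:
        raise ValueError("unknown TLSA usage, selector or matching type")
    if mtype in DIGEST_LEN and len(cadata) != DIGEST_LEN[mtype]:
        raise ValueError("association data has the wrong length for this matching type")
    return TLSARecord(usage, selector, mtype, cadata)


def association_data(selector, mtype, cert_der, spki_der):
    """Bytes a record with this selector/matching type must carry for this certificate."""
    data = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type")


def make_tlsa(usage, selector, mtype, cert_der, spki_der):
    """What a zone operator publishes for a given certificate and mode."""
    return TLSARecord(usage, selector, mtype, association_data(selector, mtype, cert_der, spki_der))


def record_matches(record, cert_der, spki_der):
    expected = association_data(record.selector, record.mtype, cert_der, spki_der)
    return hmac.compare_digest(record.cadata, expected)


def dane_accepts(records, leaf, chain, pkix_valid):
    """
    records:    TLSA records for the service, assumed already DNSSEC-validated.
    leaf/chain: (cert_der, spki_der) tuples; chain holds the issuing certificates.
    pkix_valid: outcome of ordinary chain validation against the CA store (stand-in flag).
    Returns the usage name that accepted the certificate, or None.
    """
    for r in records:
        if r.usage == 3 and record_matches(r, *leaf):
            return "DANE-EE"   # leaf pinned directly: self-signed is fine, no CA involved
        if r.usage == 2 and any(record_matches(r, *c) for c in chain):
            return "DANE-TA"   # simplified: anchor must appear in the chain; path building omitted
        if r.usage == 1 and pkix_valid and record_matches(r, *leaf):
            return "PKIX-EE"   # pins the leaf but still requires a CA-validated chain
        if r.usage == 0 and pkix_valid and any(record_matches(r, *c) for c in chain):
            return "PKIX-TA"   # constrains which CA may issue, still requires PKIX
    return None


# Constructed placeholders standing in for DER-encoded certificate and SPKI bytes.
LEAF = (b"CONSTRUCTED-LEAF-CERT-DER", b"CONSTRUCTED-LEAF-SPKI-DER")


def demo():
    """Publish a mode-3 record, round-trip it through zone-file form, and check a handshake."""
    record = make_tlsa(3, 1, 1, *LEAF)
    line = record.to_presentation()
    assert parse_tlsa(line) == record
    return dane_accepts([record], LEAF, [], pkix_valid=False)


if __name__ == "__main__":
    print(make_tlsa(3, 1, 1, *LEAF).to_presentation())
    print("accepted as:", demo())
```

The `usage == 3` branch is the whole answer to "can mode 3 work without a CA": the client compares the presented key against the record and nothing else, so the trust it places in that record is exactly the trust it places in the DNSSEC chain for the zone. The protocol itself contains no step in which a registrar or DNS operator verifies that the publisher actually holds the private key behind the hash; whoever can write the zone can publish any association data, so whether such a check happens is a matter of the operator's own provisioning policy, not of DANE. The `usage == 0` and `usage == 1` branches show the modes in which CAs remain in the picture, where the record only narrows what an otherwise-valid chain is allowed to look like.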