DANE + DNSSEC is much, much stronger than our CA system; if you control the keys (let alone if you go all the way and self-host your DNS and mail servers), then you cut out pretty much all the intermediaries you reasonably can. You still have to trust DNS at the end of the day.
MTA-STS depends on webpki and the CA system.
Since not everything leverages DNSSEC yet and it's tricky to implement, I'd supplement records with something resembling WKD so you have two bands.
Another possibility is having clients fetch keys over both clearnet and an overlay network (e.g. Tor); this doesn't help if the web server is being MitM'd but at least you have to trust client endpoints a bit less.
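An editor-added example (not code from any commenter in this thread) of what the two preceding posts are talking about: the DANE/TLSA matching rules from RFC 6698 (selector, matching type, DANE-TA vs DANE-EE usage) followed by a "two bands" check that also requires the HTTPS/WKD-style band to list the same key. The certificate bytes are constructed placeholders rather than real DER, and the SubjectPublicKeyInfo is assumed to have been extracted by the caller, since ASN.1 parsing is out of scope here.

```python
# Added example: DANE/TLSA matching (RFC 6698) plus a two-band cross-check.
# Certificate bytes are constructed placeholders, not real DER; the SPKI is
# assumed to be pre-extracted by the caller (no ASN.1 parsing here).
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


@dataclass(frozen=True)
class Certificate:
    der: bytes      # full DER-encoded certificate
    spki: bytes     # DER SubjectPublicKeyInfo (assumed pre-extracted)


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file form '<usage> <selector> <matching> <hex data>'."""
    usage, selector, matching, *hexdata = presentation.split()
    return TLSARecord(int(usage), int(selector), int(matching),
                      bytes.fromhex("".join(hexdata)))


def association_data(cert: Certificate, selector: int, matching: int) -> bytes:
    """Compute what a TLSA record's data field must hold for this certificate."""
    selected = cert.der if selector == 0 else cert.spki
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    if matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_matches(record: TLSARecord, cert: Certificate) -> bool:
    return association_data(cert, record.selector, record.matching) == record.data


def dane_validate(records, chain):
    """Return the first TLSA record satisfied by the presented chain, or None.
    chain[0] is the end-entity certificate, chain[1:] the presented issuers.
    Only DANE-TA (2) and DANE-EE (3) are handled: usages 0 and 1 additionally
    require ordinary PKIX validation against the CA store, which is exactly
    the dependency the DANE-only usages remove."""
    for rec in records:
        if rec.usage == 3 and tlsa_matches(rec, chain[0]):
            return rec
        if rec.usage == 2 and any(tlsa_matches(rec, c) for c in chain[1:]):
            return rec
    return None


def spki_fingerprint(cert: Certificate) -> str:
    """Hex SHA-256 of the SPKI, the value a WKD-like HTTPS band would publish."""
    return hashlib.sha256(cert.spki).hexdigest()


def two_band_accept(dns_records, https_fingerprints, chain) -> bool:
    """Accept only if the DNS band (TLSA) validates the chain AND the HTTPS
    band lists the same end-entity SPKI fingerprint, so that a compromise of
    either band on its own is not enough to get a key accepted."""
    if dane_validate(dns_records, chain) is None:
        return False
    return spki_fingerprint(chain[0]) in https_fingerprints


# Constructed sample "certificates" (placeholder bytes, not real DER).
EE_CERT = Certificate(der=b"constructed-ee-der", spki=b"constructed-ee-spki")
CA_CERT = Certificate(der=b"constructed-ca-der", spki=b"constructed-ca-spki")
CHAIN = [EE_CERT, CA_CERT]

# A DANE-EE record pinning the SPKI hash, as it would appear in the zone.
EE_RECORD = parse_tlsa("3 1 1 " + hashlib.sha256(EE_CERT.spki).hexdigest())
# A DANE-TA record pinning the issuer's full certificate with SHA-512.
TA_RECORD = parse_tlsa("2 0 2 " + hashlib.sha512(CA_CERT.der).hexdigest())
# A record that matches nothing we present (stale or foreign key).
STALE_RECORD = parse_tlsa("3 1 1 " + hashlib.sha256(b"some-other-spki").hexdigest())

if __name__ == "__main__":
    print("DANE-EE:", dane_validate([EE_RECORD], CHAIN) is not None)
    print("DANE-TA:", dane_validate([TA_RECORD], CHAIN) is not None)
    print("stale:  ", dane_validate([STALE_RECORD], CHAIN) is not None)
    print("2-band: ", two_band_accept([EE_RECORD], {spki_fingerprint(EE_CERT)}, CHAIN))
```

Note that the HTTPS band here is just a set of fingerprints handed in by the caller; in practice it would come from a WKD-style well-known URL served over webpki, so, as the comments above point out, the two bands fail independently and an attacker has to control both DNS and the web server.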
The opposite thing is true. DANE is far weaker than the CA system; it is centralized and controlled by parties that aren't accountable for security (and, more importantly, haven't spent the last decade with Mozilla and Google's gun aimed at their head over security issues). DNSSEC's centralized governance can get away with that, because they are de jure owners of the DNS hierarchy, and nobody can make them accountable for anything. You can't revoke .COM. But Google and Mozilla revoked all of Verisign.
I trust Google and Mozilla more than I trust the world governments that control the DNS hierarchy, and I see the actual transparency mechanisms, like CT, that the WebPKI watchdogs have built; unlike with DNSSEC, they aren't simply a theoretical thing that could be built in the future, but rather operate today and have been responsible for numerous detections of misissuance.
Governments do not control DNS in any practical sense. Even if, in theory, the US Department of Commerce could revoke SIDN control over .nl, it would be totally impractical for any directed attack.
Control of Chrome or Google itself is a radically different matter. And with the CA system, there are 140 other trust points to be attacked.
What is weaker will depend on your perspective and threat model, but if the measure is how easy it would be for the government to create an arbitrary fraudulent SSL certificate, it is objectively much easier than creating an arbitrary fraudulent DNSSEC record.
I cannot see how that argument could possibly follow. For the record, I do not think that Google Mail neither easily could, nor should, switch their domain.
Even if the argument is, and I do not think that it is, that domain validated TLS certificates for the .com top domain are the only CA signatures worth considering, it is important to note that it is comparably more straightforward for the government department in question to seize those domain names if needed.
A domain registry PKI where domain ownership is cryptographically asserted can never be less secure than the heterogeneous global CA directory we have today, in any possible sense, not for domain validated certificates.
Sure it can. The domain registry PKI for Google Mail is literally controlled by the USG. They can compel different names to be given to different people, and there's no CT system to monitor it.
s/PKI// and the sentence still holds true. The argument for CT is good; we still need CT logs no matter which kind of PKI we would like to see. But surely the security of other domains outside of Department of Commerce control is of interest too?
Just substitute "US Government" out for whichever government controls the TLD you're thinking of. You'll be no better off; none of them are more trustworthy than Mozilla and Google are.
(I don't find Mozilla or Google to be especially trustworthy, of course; I simply have absolutely no faith in the reverence government agencies have for the sanctity of the DNS. Something about the way they publicly brag about manipulating it probably has a lot to do with it.)
I think the idea that we should vest more Internet trust into the DNS, the one bit of core Internet infrastructure governments have demonstrated any kind of deftness at manipulating, seems, respectfully, pretty nutty.
Do I trust an undisputed monopolist Google to run Internet public key infrastructure more than I trust the United States Government? Yes, I don't even have to think hard on that.