If I want to use an SSL certificate on my website which is trusted by the majority of web browsers, I need to pay a commercial certificate authority for one. Generally all the CA does is verify that I’m the domain owner, and then sign my certificate with their trusted certificate.

If there were a standardised way of doing it, I could just generate my own certificate and stick a hash of it in my DNS zone. That would prove that the certificate came from somebody who controls the domain. DNS doesn’t use a secure delivery mechanism, but adding DNSSEC gives it one.

The good thing about doing it this way is that both systems can work alongside each other. Those who don’t want to pay a commercial CA for a trusted certificate can just configure DNSSEC on their zone and then add the certificate hash.
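The scheme sketched above is essentially what was later standardised as DANE (RFC 6698), where the hash goes in a TLSA record under `_port._proto.domain`. The following is an added example, not code from the post, showing how such a record is built from a certificate's DER bytes and how a client would check a presented certificate against it. It assumes a hypothetical domain `example.com` and uses a constructed byte string in place of real DER certificate bytes; the TLSA field values (usage 3, selector 0, matching types 1 and 2) are those defined by RFC 6698.

```python
import hashlib

# Hypothetical domain and port for the example.
DOMAIN = "example.com"
PORT = 443

# Constructed stand-in for DER-encoded certificate bytes. In practice these come
# from the certificate file, e.g. ssl.PEM_cert_to_DER_cert(pem_text).
FAKE_DER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE"

# TLSA field values from RFC 6698.
USAGE_DANE_EE = 3       # trust this end-entity certificate directly, no CA chain needed
SELECTOR_FULL_CERT = 0  # hash covers the whole DER certificate
MATCH_SHA256 = 1
MATCH_SHA512 = 2


def cert_digest(der, matching_type=MATCH_SHA256):
    """Hex digest of the DER certificate using the TLSA matching type."""
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(der).hexdigest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(der).hexdigest()
    raise ValueError("unsupported matching type %r" % matching_type)


def tlsa_record(domain, port, der, proto="tcp", matching_type=MATCH_SHA256):
    """Zone-file line the domain owner publishes (and signs with DNSSEC)."""
    owner = "_%d._%s.%s." % (port, proto, domain)
    data = cert_digest(der, matching_type)
    return "%s IN TLSA %d %d %d %s" % (
        owner, USAGE_DANE_EE, SELECTOR_FULL_CERT, matching_type, data)


def parse_tlsa(line):
    """Split a zone-file TLSA line into its fields."""
    fields = line.split()
    if len(fields) != 7 or fields[1] != "IN" or fields[2] != "TLSA":
        raise ValueError("not a TLSA record: %r" % line)
    return {
        "owner": fields[0],
        "usage": int(fields[3]),
        "selector": int(fields[4]),
        "matching": int(fields[5]),
        "data": fields[6].lower(),
    }


def certificate_matches(record_line, presented_der, dnssec_validated):
    """Client-side check: accept the presented certificate only if the TLSA
    answer was validated by DNSSEC and its digest matches the record."""
    if not dnssec_validated:
        # Without DNSSEC the record could have been forged in transit,
        # so a matching hash proves nothing about who controls the domain.
        return False
    rec = parse_tlsa(record_line)
    if rec["usage"] != USAGE_DANE_EE or rec["selector"] != SELECTOR_FULL_CERT:
        # Only the self-issued, full-certificate form from the post is handled here.
        raise ValueError("unsupported TLSA usage/selector")
    return cert_digest(presented_der, rec["matching"]) == rec["data"]


if __name__ == "__main__":
    record = tlsa_record(DOMAIN, PORT, FAKE_DER)
    print(record)
    print("matches:", certificate_matches(record, FAKE_DER, dnssec_validated=True))
    print("matches without DNSSEC:", certificate_matches(record, FAKE_DER, dnssec_validated=False))
```

The `dnssec_validated` flag stands in for the resolver's AD bit or a local validating resolver: the hash in DNS only proves domain control if the answer itself is authenticated, which is why the post pairs the idea with DNSSEC rather than plain DNS.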