
And [the union of CAs] not-so-silently controls TLS for the whole world. And if the transparency logs are the linchpin of trust for Web PKI, then I don't think it's too hard to imagine a system where you have a similar transparency system for zone-signing keys too.


It's in fact very difficult to imagine mandatory transparency logs in the DNS PKI. The story of how mandatory logs came to be for TLS involved Google and Mozilla putting a gun to the heads of the CA industry, after murdering several of them. Nobody can do that to the DNS, and just as importantly, governments don't want them to.


In a world where DANE catches on on the web, I don't see why Google and Mozilla couldn't do that again. I mean, presumably there'd need to be some evidence of malfeasance, like there was with Web PKI. I don't see why Mozilla alone couldn't start by putting the screws to a smaller ccTLD and some medium-sized DNS hosts, for instance.

That said, I don't particularly see DANE growing on the web.


Google and Mozilla can't "dis-trust" .COM. They're stuck with it.
