
We still do not resolve the root of the problem... the fact that we need CAs in the first place.


What is your proposed alternative?


As others have pointed out, CAs are 100% superfluous to the existing DNS registrar and delegation system. All CAs do is verify that you "own" a DNS domain, which is precisely what DNS registration sets up in the first place.

Registrars should be Root CAs handing out subordinate CA certificates with every domain they issue, scoped to that DNS domain.

This will never happen, because companies like Verisign have billion-dollar vested interests in it not happening.

Technically it makes perfect sense, but the leeches collecting rent on the Internet don't want to let go.


DNS registries already hand out signing certificates, just not for TLS certificates but for DNSSEC. DANE bridges the gap. It works today (*).

(*) In supporting clients, conditions may apply.

I'm not sure what kind of pull big cert has that could allow them to stall DANE adoption. Sure, VeriSign acts as both a CA and a registry for the big domains - but they don't own those domains.
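To make concrete what "DANE bridges the gap" means in the comment above, here is an added example (not from any commenter) of the RFC 6698 TLSA matching rules: an operator publishes `usage selector matching-type data` at `_443._tcp.<host>`, and a DANE-aware client recomputes the data from the certificate the server presents and compares. The certificate and SubjectPublicKeyInfo bytes below are constructed stand-ins, not a real certificate.

```python
"""Minimal DANE/TLSA record builder and matcher (RFC 6698 semantics)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    usage: int           # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int        # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching_type: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    cert_assoc_data: bytes


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse presentation format such as '3 1 1 2bb1...'. The hex part may be
    split across whitespace-separated tokens and is case-insensitive."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if not (0 <= usage <= 3 and selector in (0, 1) and mtype in (0, 1, 2)):
        raise ValueError("unsupported TLSA parameter value")
    return TLSARecord(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))


def association_data(cert_der: bytes, spki_der: bytes, rec: TLSARecord) -> bytes:
    """Derive the bytes the record must carry for this certificate."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching_type == 0:
        return selected
    digest = hashlib.sha256 if rec.matching_type == 1 else hashlib.sha512
    return digest(selected).digest()


def tlsa_matches(cert_der: bytes, spki_der: bytes, rec: TLSARecord) -> bool:
    """Constant-time comparison of the recomputed data with the published data."""
    return hmac.compare_digest(association_data(cert_der, spki_der, rec), rec.cert_assoc_data)


def any_match(cert_der: bytes, spki_der: bytes, rrset) -> bool:
    """A server passes DANE-EE (usage 3) checks if any TLSA record matches."""
    return any(tlsa_matches(cert_der, spki_der, parse_tlsa(r)) for r in rrset)


def build_tlsa(cert_der: bytes, spki_der: bytes, usage=3, selector=1, mtype=1) -> str:
    """Produce the rdata an operator would publish for this certificate."""
    rec = TLSARecord(usage, selector, mtype, b"")
    return f"{usage} {selector} {mtype} {association_data(cert_der, spki_der, rec).hex()}"


# Constructed sample input: placeholders standing in for real DER, not a real certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-CERT-DER-NOT-REAL"
SAMPLE_SPKI_DER = b"\x30\x59CONSTRUCTED-SPKI-DER-NOT-REAL"
```

The published record (the usual `3 1 1` form) pins only the key, so it survives certificate renewal as long as the key pair is kept; a `3 0 0` record pins the exact certificate bytes and must be republished on every reissue.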


TACK [1] or Convergence [2] are two proposed solutions, though Convergence seems to be dead.

[1] http://tack.io/

[2] https://en.wikipedia.org/wiki/Convergence_(SSL)


Both are basically dead. The draft for TACK was made in 2013 [1] and their mailing list doesn't even work [2].

[1]: http://tack.io/draft.html

[2]: https://lists.riseup.net/www/info/tack



