The idea is to allow any certificate, but utilise DNSSEC to verify that it is legitimate. If the necessary records are missing, or DNSSEC isn't set up, self-signed certs would not be accepted - as per now.

http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Nam...