> Fair enough, but are network clients actually meant to use DNSSEC?

I dream of an alternate reality where DNSSEC and DANE had become more ubiquitous, and we didn't have need for CAs to sign TLS certificates[1]. But that requires DNSSEC (or some other cryptographic verification) on the client.
[1]: Or something like that. In that mythical world maybe DNSSEC was also better designed...
Why would that be better?