X.509+DNSSEC+DANE+CAA

From The Hive

X.509 for SSL and TLS

The "certificates" that identify a website for "https" secure browsing.

Other tools exist to strengthen security and domain ownership beyond "commercial certs" offered by common vendors.

Domain Name System Security Extensions

https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

A system called DANE was proposed in RFC 6698 "as a way to authenticate TLS client and server entities without a certificate authority (CA)," but it was never widely deployed. An alternative known as CAA was developed, with the advantage that CAA does not require DNSSEC as an absolute dependency for deployment.

Certification Authority Authorization

https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization