Can't agree more. We got to a point where state actors control the public names that we use to refer to locations on the Internet. That's fine, and the logical conclusion of divvying up natural monopolies. When you have a namespace, someone needs to be the central authority for it. On a global system, you need to at least have as many namespaces as countries (plus whatever extra corporate fiefdoms you want to spin up, which I assume was what gTLDs were trying to do).
Ensuring you are communicating with the resource that you intended is a feature that does not need to be centralised, so it shouldn't be. Requiring a random third party on top of your central entity seemed like a bad idea when DANE was proposed, as CAs seemed like a rent-seeking middleman that offered nothing. In fact, it's actually a feature as you said. Because there are multiple, free and crucially, interchangeable third parties that can do this, the browsers are free to kick any misbehaving party out AND keep raising the bar of admission, like imposing CT requirements.
Right now, I don't have to place any trust on the state entity behind the hypothetical .xy domain when talking to a .xy website. They can return whatever DNS records they want to any user at any time, but assuming a TLS connection on top of WebPKI, they cannot silently perform a MitM on their own – while they have the power to fool a CA to give them a domain-validated certificate for any domain they control, doing that would be visible in CT logs for that well-behaved CA, meaning they would get caught. The incentive to do that is much less than if you were both the source of truth for the name system and the PKI infrastructure.
Ensuring you are communicating with the resource that you intended is a feature that does not need to be centralised, so it shouldn't be. Requiring a random third party on top of your central entity seemed like a bad idea when DANE was proposed, as CAs seemed like a rent-seeking middleman that offered nothing. In fact, it's actually a feature as you said. Because there are multiple, free and crucially, interchangeable third parties that can do this, the browsers are free to kick any misbehaving party out AND keep raising the bar of admission, like imposing CT requirements.
Right now, I don't have to place any trust on the state entity behind the hypothetical .xy domain when talking to a .xy website. They can return whatever DNS records they want to any user at any time, but assuming a TLS connection on top of WebPKI, they cannot silently perform a MitM on their own – while they have the power to fool a CA to give them a domain-validated certificate for any domain they control, doing that would be visible in CT logs for that well-behaved CA, meaning they would get caught. The incentive to do that is much less than if you were both the source of truth for the name system and the PKI infrastructure.