
I just deployed DNSSEC at val-id.com and getvalid.com

Since DNSSEC is a requirement of DANE, and I have a CA-based certificate, can I show my support for DANE-based deployments by publishing my CA-based cert into DNS?

My concern is consistency in the client. If there is an attack on DNS vs a compromised root, how will each client respond?

Patrick Mevzek
makerofthings7

2 Answers

Well, DANE can, in conjunction with Public Key Pinning (HPKP), protect your current users from malicious use (even if the DANE record changed, the browsers will still remember the HPKP headers and fail to connect). This does not protect new connections. But since HPKP has a life of at least 1 month it adds reasonable safety to your 'stack'.

Benoit Esnard
LvB

Since DNSSEC is a requirement of DANE, and I have a CA-based certificate, can I show my support for DANE-based deployments by publishing my CA-based cert into DNS?

Of course! A DANE record for your certificate can be used to indicate the correct certificate, to prevent a MITM attack from succeeding.

If there is an attack on DNS vs a compromised root, how will each client respond?

I'm going to assume that by compromised root you mean the server and certificate for the root DNS server becoming compromised. Unfortunately, in this case, there is no solution. DNSSEC won't help, but it won't hinder your site either. Fortunately, this scenario is extremely unlikely.

ConnorJC
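As an added example that is not part of the question or either answer: how a TLSA record is derived from the site's certificate and how a client then checks the certificate it is presented against that record. It assumes a throwaway self-signed certificate standing in for the CA-issued one, the SPKI selector with SHA-256 matching, and the name val-id.com from the question.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)
// TLSA is one record's RDATA (RFC 6698): usage, selector, matching type, association data.
type TLSA struct {
	Usage, Selector, Matching uint8
	Data                      [32]byte // SHA-256 digest (matching type 1)
}

// tlsaSPKI hashes the certificate's SubjectPublicKeyInfo (selector 1, matching type 1).
// Usage 1 (PKIX-EE) keeps the CA validation as well; usage 3 (DANE-EE) trusts the DNSSEC-signed record alone.
func tlsaSPKI(cert *x509.Certificate, usage uint8) TLSA {
	return TLSA{Usage: usage, Selector: 1, Matching: 1, Data: sha256.Sum256(cert.RawSubjectPublicKeyInfo)}
}

// Presentation is the zone-file form, published under a name such as _443._tcp.val-id.com.
func (t TLSA) Presentation() string {
	return fmt.Sprintf("%d %d %d %s", t.Usage, t.Selector, t.Matching, hex.EncodeToString(t.Data[:]))
}

// matches is the client-side check; only the selector/matching pair built above is handled.
func (t TLSA) matches(cert *x509.Certificate) bool {
	return t.Selector == 1 && t.Matching == 1 && sha256.Sum256(cert.RawSubjectPublicKeyInfo) == t.Data
}

// selfSigned creates a throwaway certificate (constructed here) standing in for the site's CA-issued one.
func selfSigned(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	site := selfSigned("val-id.com")
	rec := tlsaSPKI(site, 1)
	fmt.Println("_443._tcp.val-id.com. IN TLSA", rec.Presentation())
	// A different key, even one with its own CA-signed certificate, does not match the record.
	fmt.Println("genuine:", rec.matches(site), "swapped:", rec.matches(selfSigned("val-id.com")))
}
```

Because the record pins the key rather than the whole certificate, renewing the certificate with the same key does not require a DNS change.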