For example, when you're explaining how DNSSEC isn't relevant to the Domain Validation problem, you could mention that, er, it's checked by the CA which issued your certificate, and closes literally the only otherwise insecure link in the chain for that CA.
Sound implementations of 3.2.2.4.7 (including those by your own chosen CA) are protected by DNSSEC. No DNSSEC? No protection.
Further down you're going to want to cover how the thing you were so sure was essential to protect (secret hostnames) is actually gone now in the very architecture you told everybody they should prefer over DNSSEC (the Web PKI). If you're polite, you'd explain how this happened: all the trust breaches and security problems in your better option that meant we had no other choice.
Or you know, just keep linking to the 2015 version and acting as though nothing changed. Put it on your Friendster maybe?
QUANTUM INSERT doesn't do anything an ordinary attacker couldn't do; the only difference is that NSA can effectively deploy the attack anywhere on the Internet, and an independent attacker has to fight their way to any particular vantage point. But that's a distinction that doesn't make much of a difference in protocol design.
Importantly: if NSA is part of your threat model, the hoped-for alternative that STS supersedes --- DNSSEC --- is no help. NSA controls the DNSSEC roots.
Is this any more true than saying "NSA controls the web CA roots", i.e. the NSA could infiltrate one of the hundreds of certificate authorities that browsers trust and issue a malicious certificate?
If so, and if NSA is part of your threat model, then I would say that STS doesn't help very much either.
What's more interesting is the issue of transparency. Are STS clients going to require that the certificates for the HTTPS resources they access are present in a certificate transparency log? CAs are allowed to issue certificates that aren't logged, for privacy reasons I suppose, but there would be no such excuse for a "DNS transparency" log of DNSSEC keys for top-level domains. Logging all of these keys would be orders of magnitude simpler than logging all CA-issued certificates on the web.