Sniffen Packets

With a name like Sniffen, it's got to smell good.

Defense in Breadth

An important thing about layers, about defense in depth, is that you can’t even begin to attack one mechanism until you’ve defeated its predecessors. DANE + TLS doesn’t give you layers. If I can subvert your DNSSEC, I can endorse a fresh TLS key, and win. If I can subvert your TLS, I win.

This is defense in breadth, a strategy known mostly for its close association with defeat.

(Thanks to Joshua Guttman for the observations that gave rise to this post.)
