Security team successfully cracks SSL using 200 PS3's and MD5

DNSSEC allows you to go from dns name -> CERT in a secure
  manner. The application then checks that the cert used to
  establish the ssl session is one from the CERT RRset.

  Basically when you pay your $70 or whatever for the CERT
  record you are asking the CA to assert that you have the
  right to use the domain name. It's expensive because they
  are not part of existing DNS trust relationship setup when
  the domain was delegated in the first place.

  The natural place to look for DNS trust is in the DNS.