Damus
mike
A centrally issued certificate uses trusted private keys from an organisation like:
https://letsencrypt.org/

A self-signed certificate is like your NOSTR set of keys, completely secure encryption, but you're trusting an unknown signer.
N.B. On NOSTR, you are using your keys to sign your posts. But nobody knows who you are on a website SSL certificate.

As for DNS, apart from the idea of using DNS servers NOT supplied (and therefore monitored) by your ISP, there are two security layers available:

1. Encrypted DNS: just under 50% of DNS traffic is encrypted

2. DNSSEC, or signed DNS, meaning the information provided has been signed by the DNS authority to be valid, meaning it can't be spoofed by a man-in-the-middle attack.
This has a very low adoption rate, as you can see below at less than 5%, as reported by my NextDNS control panel.
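
How a client asks for signed DNS data and reads a validating resolver's verdict, as an added example that is not part of the original post. The function names, the transaction ID and the sample response headers are constructed for illustration; nothing is sent over the network.

```python
import struct

QR, RD, AD = 0x8000, 0x0100, 0x0020   # header flag bits (RFC 1035, RFC 4035)
DO = 0x8000                           # "DNSSEC OK" bit in the EDNS0 flags (RFC 3225)

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a DNS query carrying an EDNS0 OPT record with the DO bit set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)        # class IN
    # OPT pseudo-record: root name, type 41, class = UDP payload size,
    # TTL field = extended rcode / version / flags, empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)
    return header + question + opt

def dnssec_status(response: bytes, txid: int) -> str:
    """Classify a resolver's reply from its 12-byte header alone."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if not flags & QR:
        raise ValueError("not a response")
    if rid != txid:
        return "mismatched-id"        # possible spoofed or stale reply
    if flags & 0x000F == 2:
        return "servfail"             # what a validating resolver returns for bad signatures
    # AD is only the resolver's claim: it means something only if the path
    # to that resolver is itself protected (the encrypted DNS layer above).
    return "validated" if flags & AD else "unvalidated"

def _header(flags: int, txid: int = 0x1234) -> bytes:
    """Constructed sample: a response header with no records attached."""
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)

SIGNED_REPLY = _header(0x81A0)    # QR + RD + RA + AD
UNSIGNED_REPLY = _header(0x8180)  # QR + RD + RA, zone not signed or not validated
BOGUS_REPLY = _header(0x8182)     # QR + RD + RA, rcode 2 (SERVFAIL)

if __name__ == "__main__":
    print(build_query("example.com").hex())
    for reply in (SIGNED_REPLY, UNSIGNED_REPLY, BOGUS_REPLY):
        print(dnssec_status(reply, 0x1234))
```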