It appears that Tom Ivar Helbekkmo via NANOG <tih@hamartun.priv.no> said:
Jeroen Massar via NANOG <nanog@nanog.org> writes:
No, not even kidding. For many organisations DNSSEC is 'scary' and a burden as it feels 'fragile' for them.
Unfortunately, yes. And those of us who use it know that this is a myth. With modern software, DNSSEC is quick and easy to set up, and works just fine, with no reason for any problems. ...
I wish that were true. I have signed all 300 zones on my DNS servers, but only about half of them have working DNSSEC because there is no practical way to install the DS records. For names that are registered through my registrar reseller account, it's easy since my registrar (Tucows) has an API. But for the rest of them that my users have registered somewhere else, either I have to try and walk them through the process of uploading the DS data themselves, or they have to give me their account passwords, neither of which is workable if you have 100 domains, much less thousands. I know about CDS, and have tried publishing CDS, but none of my unsigned domains are at the handful of registries that do CDS bootstrapping. I've been grousing about this at the IETF and ICANN for years, people say yes, that's a problem, and nothing happens.
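The gap described in the post above (a signed zone that publishes CDS while the parent still has no DS at all) is easy to check mechanically, which is what a registrar doing CDS bootstrapping, or an operator auditing a few hundred zones, actually needs. The following is an added example, not code from this thread or from any registrar's API: it derives the DS/CDS from a DNSKEY per RFC 4034 and RFC 4509, then diffs the child's CDS set against the parent's DS set per RFC 7344, honouring the RFC 8078 "0 0 0 00" delete signal. The only real data is the public test vector from RFC 4034 section 5.4 / RFC 4509 section 2.3; the parent DS sets in the scenarios are constructed.

```python
"""Derive DS/CDS records from a DNSKEY and diff child CDS against parent DS.

Added example (not from the NANOG thread). References: RFC 4034 (DS, key
tag), RFC 4509 (SHA-256 DS), RFC 7344 (CDS), RFC 8078 (CDS delete).
"""
import base64
import hashlib

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# RFC 8078 section 4: a CDS RRset consisting only of "0 0 0 00" asks the
# parent to remove every DS for the delegation (go insecure).
CDS_DELETE = (0, 0, 0, "00")

# Public test vector from RFC 4034 section 5.4 / RFC 4509 section 2.3
# (owner dskey.example.com., flags 256, algorithm 5, key tag 60485).
RFC_EXAMPLE_OWNER = "dskey.example.com."
RFC_EXAMPLE_KEY = (
    "AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/2pHm822aJ5iI9BMzNXxeYCmZ"
    "DRD99WYwYqUSdjMmmAphXdvxegXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9Xzc"
    "nOf+EPbtG9DMBmADjFDc2w/rljwvFw=="
)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lowercase, uncompressed), RFC 4034 s6.2."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (not the algorithm-1 special case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, DIGEST) for a DNSKEY.

    The same tuple is the DS the parent should publish and the CDS the
    child publishes; the digest is over owner-name wire form + DNSKEY RDATA.
    """
    if digest_type not in DIGEST_ALGS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def plan_ds_update(child_cds, parent_ds):
    """Diff the child's CDS RRset against the parent's DS RRset.

    Returns (to_add, to_remove). Hex digests are compared case-insensitively.
    A CDS set of exactly {CDS_DELETE} means: remove all DS, add none.
    """
    norm = lambda rr: (rr[0], rr[1], rr[2], rr[3].upper())
    cds = {norm(rr) for rr in child_cds}
    ds = {norm(rr) for rr in parent_ds}
    if cds == {CDS_DELETE}:
        return set(), ds
    return cds - ds, ds - cds


if __name__ == "__main__":
    cds = ds_record(RFC_EXAMPLE_OWNER, 256, 3, 5, RFC_EXAMPLE_KEY, 2)
    # Constructed scenario matching the post: zone signed, CDS published,
    # but the parent has no DS at all, so the DS must still be installed.
    to_add, to_remove = plan_ds_update({cds}, set())
    print("DS to add at parent:", to_add)
    print("DS to remove at parent:", to_remove)
```

In practice the CDS and DS sets would come from a validating lookup of the child apex and the parent zone respectively; a non-empty `to_add` on a zone you own is exactly the "signed but not working" state the post complains about, and a non-empty `to_remove` after a key rollover is the stale-DS case that silently breaks validation.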