by bluejekyll 2845 days ago
You're correct: DNSSEC and DNS-over-TLS/DoH (DNS-over-HTTPS) both provide different, and necessary, aspects of securing records in DNS.

DNSSEC == authentication of records. DNS-over-TLS/DoH == privacy, and authenticity of the server/client.

Both are independently useful and enforce different things for us. The biggest issue with DNSSEC is that, since it hasn't been widely adopted, what should you do with records that are either not signed or incorrectly signed? Most software doesn't really have a great way of raising DNS issues to the application in a way that users or something else could provide a security exception.
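As an added example (not part of bluejekyll's comment, and not any resolver project's code), the Python below models the last point: a stub that parses a validating resolver's reply and tells the application which of the three cases it got, instead of collapsing "unsigned", "incorrectly signed" and "resolver down" into one lookup failure. It relies on the Extended DNS Error option (RFC 8914, EDNS option code 15) that validating resolvers attach to a SERVFAIL when validation is the reason. Standard library only; the wire-format messages, zone names and addresses are constructed fixtures for the demo.

```python
"""Surface DNSSEC outcomes (secure / insecure / bogus) to the application.

Added example, not from the original comment. Stdlib only; the DNS messages
below are constructed in-line as fixtures, no network traffic is involved.
"""
import struct

QTYPE_A, QTYPE_OPT = 1, 41
EDNS_OPT_EDE = 15                      # RFC 8914 Extended DNS Error option code
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
# RFC 8914 info-codes meaning "the resolver tried to validate and it failed"
EDE_DNSSEC_FAILURE = {
    6: "DNSSEC Bogus", 7: "Signature Expired", 8: "Signature Not Yet Valid",
    9: "DNSKEY Missing", 10: "RRSIGs Missing", 11: "No Zone Key Bit Set",
    12: "NSEC Missing",
}


class DnssecError(Exception):
    """Raised to the application when the resolver reports a validation failure."""
    def __init__(self, qname, code, text):
        super().__init__(f"DNSSEC validation failed for {qname}: {code} ({text})")
        self.qname, self.code, self.text = qname, code, text


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Return (name, offset after name); follows RFC 1035 compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:              # compression pointer
            hops += 1
            if hops > 16:                  # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def build_response(qname, rcode, flags, answers=(), ede=None):
    """Construct a wire-format resolver reply (fixture for the demo).
    answers: IPv4 strings returned as A records; ede: (info_code, text) or None."""
    header = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | flags | rcode,
                         1, len(answers), 0, 1)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, 1)
    body = b""
    for ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        body += encode_name(qname) + struct.pack("!HHIH", QTYPE_A, 1, 300, len(rdata)) + rdata
    options = b""
    if ede is not None:
        code, text = ede
        payload = struct.pack("!H", code) + text.encode("utf-8")
        options = struct.pack("!HH", EDNS_OPT_EDE, len(payload)) + payload
    # OPT pseudo-RR: root name, type 41, class = UDP size, TTL = ext-rcode/version/DO bit
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, 0x00008000, len(options)) + options
    return header + question + body + opt


def parse_response(msg):
    """Return qname, rcode, AD bit, A answers and any EDE (code, text) pairs."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4                           # QTYPE + QCLASS
    answers, edes = [], []
    for _ in range(an + ns + ar):
        _name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A:
            answers.append(".".join(str(b) for b in rdata))
        elif rtype == QTYPE_OPT:           # walk EDNS options looking for EDE
            p = 0
            while p + 4 <= len(rdata):
                ocode, olen = struct.unpack("!HH", rdata[p:p + 4])
                oval = rdata[p + 4:p + 4 + olen]
                if ocode == EDNS_OPT_EDE and olen >= 2:
                    edes.append((struct.unpack("!H", oval[:2])[0],
                                 oval[2:].decode("utf-8", errors="replace")))
                p += 4 + olen
    return {"qname": qname, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "answers": answers, "ede": edes}


def classify(msg):
    """Map a reply to the outcome the application should act on.
    'secure'   : NOERROR with AD set (trust AD only over DoT/DoH or loopback)
    'insecure' : NOERROR without AD, i.e. an unsigned zone; usable but unauthenticated
    DnssecError: SERVFAIL carrying a DNSSEC EDE, i.e. an incorrectly signed zone
    'error'    : SERVFAIL for any other reason (resolver or network trouble)"""
    r = parse_response(msg)
    if r["rcode"] == RCODE_NOERROR:
        return ("secure" if r["ad"] else "insecure", r["answers"])
    for code, text in r["ede"]:
        if code in EDE_DNSSEC_FAILURE:
            raise DnssecError(r["qname"], EDE_DNSSEC_FAILURE[code], text)
    return ("error", [])


# Constructed fixtures: a signed zone, an unsigned zone, and an expired signature.
SIGNED = build_response("example.org", RCODE_NOERROR, FLAG_AD, ["192.0.2.1"])
UNSIGNED = build_response("unsigned.test", RCODE_NOERROR, 0, ["192.0.2.2"])
BOGUS = build_response("badsig.test", RCODE_SERVFAIL, 0, ede=(7, "signature expired"))


def demo():
    """Show how an application can branch on the three cases."""
    results = []
    for msg in (SIGNED, UNSIGNED, BOGUS):
        try:
            results.append(classify(msg))
        except DnssecError as e:           # the 'security exception' hook
            results.append(("bogus", [e.code]))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Two caveats the code comments only hint at: the AD bit is a one-bit claim made by the resolver, so it is only worth trusting when the stub-to-resolver hop is itself authenticated (DoT/DoH, or a validator on loopback), which is exactly where the two mechanisms in the comment meet; and a stub that wants the records despite a bogus verdict cannot get them from this reply, it has to re-query with the CD bit set and validate on its own, which is the "security exception" path most software never exposes.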