by tptacek 2174 days ago
The bigger problem is that none of the browsers support it, or intend to support it. DoH could change that (ironically, the DNSSEC crowd opposes the one DNS change that could offer any chance of viability for DNSSEC), but it's unlikely to.
Well, if the system resolver is doing DNSSEC validation, the browser doesn't need to support it. That's how I've had my system set up for years. Unfortunately, macOS and Windows (other than Server) still don't have any DNSSEC support as far as I'm aware. Support is built into systemd-resolved now though, which I believe is the default resolver on various Linuxes, and unbound is of course available in all major distros.
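A way to verify the claim above for your own machine, as an added example that is not part of the original post: a POSIX shell helper that classifies `dig` output by its status and AD (authenticated data) flag, which is what a validating system resolver such as systemd-resolved or unbound sets. It assumes BIND's `dig` is installed; the queried name is a placeholder, and the sample outputs are constructed, not real captures.

```shell
# Added example, not from the thread: decide from `dig` output whether the
# resolver that answered is validating DNSSEC. Assumes BIND's `dig` is
# installed and that the queried name is in a signed zone (placeholder name).

# classify_dig_output: reads dig output on stdin and prints one word:
#   validated   - NOERROR and the AD (authenticated data) flag is set
#   unvalidated - NOERROR without AD: resolver not validating, or zone unsigned
#   bogus       - SERVFAIL, which is what a validator returns for bad signatures
#   unknown     - no status line found (probably not dig output)
classify_dig_output() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
  case "$status" in
    NOERROR)
      # The flags line looks like ";; flags: qr rd ra ad; QUERY: 1, ..."
      if printf '%s\n' "$out" | grep -q '^;; flags:.*[[:space:]]ad[;[:space:]]'; then
        echo validated
      else
        echo unvalidated
      fi ;;
    SERVFAIL) echo bogus ;;
    "")       echo unknown ;;
    *)        echo "$status" ;;
  esac
}

# check_resolver: query through the system resolver (no @server, so whatever
# /etc/resolv.conf points at, e.g. systemd-resolved or a local unbound).
# A validating resolver should report "validated" for a signed name and
# "bogus" for a name whose signatures are deliberately broken.
check_resolver() {
  dig +dnssec "${1:-example.com}" A | classify_dig_output
}

# Constructed sample headers (not real captures) so the parser can be tried
# offline; the first is what a validating resolver's answer looks like.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
```

Run `check_resolver` against a signed name and against one with known-broken signatures: only the combination "validated" plus "bogus" shows the resolver is actually validating rather than passing answers through.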
If the goal is to have DNSSEC replace the CAs, then you need DANE, and for DANE to work, browsers have to support it.
That can indeed be a goal, but DNSSEC is useful even without DANE.
(a) No it can't be, and (b) that's not what this thread was about.