by tptacek 1385 days ago
If you like, substitute "best practice" for "norm". The point I'm making is that almost nobody does DNSSEC, including but not limited to the startups with the best-regarded security teams. I'm wary of pointing the "security teams" part out because it leaves the impression that maybe companies without security teams do normally turn DNSSEC on, but that's not the case: almost nobody turns DNSSEC on. It doesn't solve real problems, and it creates a bunch of new problems.

Again, a good way to rebut this would be to present examples of established startups that have DNSSEC-signed their domains. For instance: you could take the top startups list from YC (it's on the front page, and you can pull the domains out easily in the Chrome console) and then check all of them to see if they're signed.

A bunch of them are! About 8%. But that's because a bunch of them are not in North America, and European registrars in particular automatically DNSSEC-sign new zones. But take a wild guess about Stripe (huge security team). Or Instacart. Or Cruise. Or Brex (banking!). Or Reddit. Or Gusto. Zapier. Segment. Vanta (the YC standard for SOC2, FWIW).

To the extent "no DNSSEC" is a norm, and not a best practice (it is both), that norm is unlikely to change; I think DNSSEC adoption is likely to decline (as it has in some previous years). It just doesn't work.
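
The check the comment describes (is a given domain DNSSEC-signed?), as an added example that is not part of the original comment: it asks a recursive resolver for the domain's DS record, which the parent zone publishes only when the delegation is signed. The function names and the resolver address `192.0.2.53` (a documentation placeholder) are assumptions of this sketch.

```python
import secrets
import socket
import struct

DS = 43  # RR type "Delegation Signer" (RFC 4034)

def build_query(domain, qtype=DS):
    """Encode a recursive DNS query for `domain`; returns (txid, packet)."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in domain.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n

def count_ds(msg, txid):
    """Number of DS records in the answer section of a DNS response."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    # Require our transaction id, QR=1 (a response) and RCODE=0 (NOERROR).
    if rid != txid or not flags & 0x8000 or flags & 0x000F:
        raise ValueError("not a successful response to our query")
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    found = 0
    for _ in range(an):                       # walk the answer records
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        found += int(rtype == DS)
    return found

def is_signed(domain, resolver="192.0.2.53", timeout=3.0):
    """True if the parent zone publishes a DS record for `domain`."""
    txid, pkt = build_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (resolver, 53))
        return count_ds(s.recv(4096), txid) > 0
```

Call `is_signed(domain, resolver=...)` with the address of a recursive resolver you use; an unsigned delegation comes back as NOERROR with an empty answer section, so it returns `False` rather than raising.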