by tptacek 853 days ago
Right, which leaves open the question of what the point is.

A more pointed critique implied by the thread you're replying to is: if virtually nothing on the Internet is signed, what's the point?

The ATHENE team's Black Hat talk from last year surveyed the "Tranco Top 500k", whatever that is, but I'll just say that 500k is more hosts than the 500 top hosts I use from the Moz500 for the same stat, and found that (wait for it) less than 5% of hosts in that dataset worldwide were signed, and a substantial number of those hosts are just signed by their registrars.

If you were going to make a case for an ordinary Internet user, like, the modal American user, to enable DNSSEC --- what would it be? What benefit would they get?

1 comments

Not so long ago less than 5% of hosts were using HTTPS. But we're now in a world where being HTTP-only (or being HTTPS but not having a valid chain of trust signing your certificate) is unusual and suspicious, and presumably we believe that while that was something that had to be pushed out by browser makers etc., it ultimately benefits users. I would hope DNS will eventually go the same way for the same reasons.
The adoption curve, in addition to being a decade and a half back from DNSSEC at that point, was also the inverse of DNSSEC's: the most popular sites on the Internet generally used HTTPS, and the least popular sites on the Internet dominate DNSSEC, with only 4.5% of the Tranco Top 500k being signed. And DNSSEC is the older protocol! Respectfully, the comparison is risible.