by gzread 90 days ago
You requested:

> real world compromises of major sites that don't use DNSSEC?

Without any other changes to this infrastructure, DNSSEC by itself wouldn't have prevented this, but it could have been combined with something else like a CAA record.

1 comments

Sure. I guess by that logic this attack also could have been prevented by flossing, as long as you combined flossing with setting a CAA record.
Without DNSSEC, your CAA record could be spoofed.
Given the large number of sites, including popular sites, that do not have DNSSEC today, I'd expect that if this was a real risk we'd see a decent number of instances where it occurred.

And yet I see zero. Is it possible that given other mitigations (like multi-perspective validation) and given other attack vectors (like account takeover), this isn't actually a problem?