That article kicks off with a politically motivated "issue" which seems pointed at the US Govt (USG) before dealing with perceived architectural issues.
The thing about trust anchors is that they are trust anchors and not a back door. DNSSEC goes well out of its way too, to not screw up things as far as possible if something is missing. OK, client implementations do that (I haven't gone into the RFCs in too much detail).
The architectural issues alluded to seem pretty handwavy too. I deployed a slack handful of PowerDNS boxes and adding DNSSEC is basically two CLI invocations per domain and passing on the DS records to upstream. The second invocation is to add an adjustment to deal with NXDOMAIN better (can't remember the exact thing at the moment)
If it doesn't work for you then fine - don't use it!
I find it useful and thanks to a decent implementation (so far) it is trivial to implement. However, I'm going to need to get my thinking cap on for some split-horizon domains.
It doesn't work for most sites, which is why so few organizations use it. It's awfully hard to make an argument about how straightforward DNSSEC is to use after DNSSEC had to be disabled by Cloudflare and Quad9 for all of Germany because of a misconfiguration. And it's more or less impossible to take seriously as a security boundary after that. Real security protocols fail closed.
A fuck up or two doesn't invalidate DNSSEC. IT related security is hard, really hard as you well know, but not impossible nor likely perfect and always a moving target.
Putting security on top of DNS is really, really hard because DNS was invented rather a long time ago when information wanted to be free and not fettered and I wore short trousers at school and in the distant future would run an IBM System /36!
When you confidently insist on "most sites" you appear to want to rudely trample on my experience of "it works for me and my 20 at the moment DNS domains and increasing as I migrate them over". I'm taking my time - I have quite a few more to do and each one needs adding to monitoring etc.
I don't run .de and I do feel for the lads n lasses that do that buggered up a KSK roll over or whatever it was that was screwed. I think that holding up a screw up is an extremely crass and facile argument against ... anything, let alone a rather esoteric engineering function.
I don't agree with your assertion about "Real security protocols fail closed." That sounds like striving for perfection and you know as well as I do that perfect is the enemy of good.
DNSSEC for better or worse is what we have and I don't think it is too bad. It does give some guarantees within certain parameters. Any decent engineer will look at the risks/rewards and decide on effectiveness and design their solutions to a requirement ... accordingly.
I came to this thread with data. Your 20-at-the-moment DNS domains versus the current signing statistics of the Tranco Top 1000.
At the point where we're arguing about fail-open versus fail-closed, our premises are too far apart to get anywhere. We can part company here: I'm speaking, in part, for the people who believe that any viable security protocol must fail closed.
Plenty of security protocols have ultimately failed in the marketplace and been abandoned. DNSSEC is simply another one of them.
1. Browsers briefly tried adopting DANE and gave up on it.
2. DNS is the wrong level of networking abstraction to do this kind of policy enforcement at, because DNS isn't plumbed for warnings and error reporting; when DNSSEC fails, whole zones simply fall of the Internet (for people who validate) as if they weren't there at all. It's the worst possible failure mode.
3. The thing you say you want can't be had with DNSSEC. You don't get "the whole chain from ICANN to your server". Any of the parent zone operators above you can decide to defect, for your zone specifically, and (particularly for state-level adversaries) for particular targets resolving your zones, without you ever knowing about it.
If any of the parent zones defects, they can trivially misissue a certificate. Having separate CAs that ddo whatever DNS says doesn't improve anything.
The thing about trust anchors is that they are trust anchors and not a back door. DNSSEC goes well out of its way too, to not screw up things as far as possible if something is missing. OK, client implementations do that (I haven't gone into the RFCs in too much detail).
The architectural issues alluded to seem pretty handwavy too. I deployed a slack handful of PowerDNS boxes and adding DNSSEC is basically two CLI invocations per domain and passing on the DS records to upstream. The second invocation is to add an adjustment to deal with NXDOMAIN better (can't remember the exact thing at the moment)
If it doesn't work for you then fine - don't use it!
I find it useful and thanks to a decent implementation (so far) it is trivial to implement. However, I'm going to need to get my thinking cap on for some split-horizon domains.