In reply to a post by Thaumaturge: I can see that implementing DNSSEC could be a significant overhead for net admins
For most people, enabling DNSSEC is as easy as ticking "enable" in their domain registrar's control panel.
But even for someone like myself who operates their own authoritative nameservers, it's really easy: https://bind9.readthedocs.io/en/v9.18.14/dnssec-guid...
Basically add two lines to the BIND 9 zone config and upload the DNSKEY to the parent nameservers (via the registrar). BIND 9 handles the rest automatically, including the zone signing key rollovers.
Oliver.
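
The hand-off to the parent zone mentioned in the post above can be checked independently. This is an added example, not part of the original post or of BIND: it derives the key tag and SHA-256 DS digest from a DNSKEY record as defined in RFC 4034 and compares them with the DS record the parent publishes. The `example.com.` zone and the key bytes are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Constructed sample: a KSK (flags 257), algorithm 13, with dummy key bytes 0..63.
SAMPLE_DNSKEY = ("example.com. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(bytes(range(64))).decode())

def parse_dnskey(record: str):
    """Split '<owner> [ttl] [IN] DNSKEY <flags> <proto> <alg> <base64>' into owner and RDATA."""
    fields = record.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))  # base64 may be split by spaces
    return fields[0], struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(owner: str) -> bytes:
    """Canonical (lower-case) wire form of the owner name."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_fields(record: str):
    """Return (key tag, algorithm, digest type 2, SHA-256 digest) for a DNSKEY record."""
    owner, rdata = parse_dnskey(record)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def parent_matches(record: str, published_ds: str) -> bool:
    """True if the DS line served by the parent (e.g. from dig output) matches the key."""
    f = published_ds.split()
    i = f.index("DS")
    published = (int(f[i + 1]), int(f[i + 2]), int(f[i + 3]),
                 "".join(f[i + 4:]).upper())  # digest may be split by spaces
    return published == ds_fields(record)

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_fields(SAMPLE_DNSKEY)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```

A mismatch between the computed values and the DS at the parent means validating resolvers will treat the zone as bogus, so this comparison is worth running after the initial upload and after any key signing key change.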


