The principle of least privilege should be at play at every level. That can mean different things in different technical contexts, but it’s universally applicable.
> Just because virtually none of the best-regarded security teams have implemented it yet doesn’t mean that you shouldn’t implement it
Unclear how it makes sense to do something allegedly security related that best-regarded security teams recommend against. Sounds like security theater.
The IETF has been trying to light a fire under organizations to deploy DNSSEC since 2008. You can take any list of popular domains --- last time I did this, I used the "Moz 500", whatever that is --- and write a simple shell loop around `host -t ds ${domain}` to see how many of those domains are signed. You'll see some! But they're overwhelmingly affiliated either with academia or with the US government, which, until 2017, mandated DNSSEC, but later rescinded the mandate.
DNSSEC has virtually no real-world commercial deployment. There have been years, I believe, when US deployment went down. It's dead. Let it lie.
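The "simple shell loop around `host -t ds`" described above, written out as an added example (this is not code from the thread or from any commenter). It assumes the `host` utility from BIND is installed and reachable; the parsing is split out from the network call so that the classification can be exercised on constructed sample output without querying anything. The domain names and the DS digest in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example: survey a list of domains for DNSSEC signing by checking
# whether each has a DS record published at its parent zone. A DS record at
# the delegation point is what makes a zone's signatures validatable, so its
# presence is a reasonable proxy for "this domain is DNSSEC-signed".
# Assumption: `host` (BIND utilities) is on PATH. Sample data is constructed.

# classify_ds_output: read the output of `host -t ds <domain>` on stdin and
# print one of: signed | unsigned | error.
# Real `host` output looks like (digest below is a constructed placeholder):
#   example.test has DS record 12345 13 2 ABCDEF0123...
#   example.test has no DS record
# Anything else (timeouts, NXDOMAIN, SERVFAIL) is reported as an error so it
# is not miscounted as "unsigned".
classify_ds_output() {
  out=$(cat)
  case "$out" in
    *" has DS record "*) echo signed ;;
    *" has no DS record"*) echo unsigned ;;
    *) echo error ;;
  esac
}

# check_domain: query the DS record for a single domain and classify it.
# Performs a real DNS lookup; not used by the offline self-check.
check_domain() {
  host -t ds "$1" 2>&1 | classify_ds_output
}

# tally: read lines of "<domain> <status>" on stdin and print a one-line
# summary with counts per status. Missing categories print as 0.
tally() {
  awk '
    { count[$2]++; total++ }
    END {
      printf "signed=%d unsigned=%d error=%d total=%d\n",
             count["signed"], count["unsigned"], count["error"], total
    }'
}

# survey: read domains (one per line) on stdin, print "<domain> <status>"
# per domain, then the tally. Skips blank lines and '#' comments.
survey() {
  results=$(
    while IFS= read -r domain; do
      case "$domain" in
        ''|'#'*) continue ;;
      esac
      printf '%s %s\n' "$domain" "$(check_domain "$domain")"
    done
  )
  printf '%s\n' "$results"
  printf '%s\n' "$results" | tally
}

# Usage: sh dnssec_survey.sh domains.txt
# (a file with one domain per line; only runs when a readable file is given)
if [ -n "${1:-}" ] && [ -f "$1" ]; then
  survey < "$1"
fi
```

A note on the design: counting a lookup failure as "unsigned" would inflate the unsigned share, which is why transient errors get their own bucket; when you rerun a survey, compare the `error` count between runs before reading anything into the signed percentage.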
I agree, we aren’t seeing as much implementation of dnssec, and of a lot of other checks, when we check the DNP Scores of domains.
I recently ran the DNP Scores of all domains of companies in the Fortune 500 and only about 8 percent had high scores, and we check for dnssec as part of the algorithm.
So less than 8 percent of the Fortune 500 have dnssec implemented.
(For transparency, I wrote the algo behind DNP Score.)
The numbers get even starker if you look at large tech companies, as opposed to companies across the entire F500. And large tech companies have the best security teams in the world. They've rejected DNSSEC. I'd remove it from your score; it's not a reflection of anything in the real world.