
(I don’t need to prod you to comment on DNSSEC; you seem to be able to find any and all mentions of DNSSEC here quite well on your own.)

> Further, this code implements a stub resolver

Fair enough, but…

> DNSSEC condenses down to a single bit in the header that the server uses to say "trust me, I did DNSSEC".

…they did not ask (in the query) for DNSSEC verification, nor did they check the bit in the response.




You ignored the part about nobody using it in the first place. There’s nothing to verify.


He said “Less than 4% of North American names are signed.”. Don’t you wonder why he specified North American names?


Because it's easy to grab that statistic and a lot more annoying to get the global one, especially because global deployment stats count "zones" and not delegations from TLDs. But there are almost twice as many signed domains in .COM (DNSSEC uptake: 1.6%) as there are in .NL, and the number of signed delegations drops rapidly after .NL (from 3.5MM to 1MM in .CH, to below 1MM in .BR; by the time we hit .UK, the graph is hard to read). My point being: adding up all the signed European names (which are signed automatically at registrars as security theater) isn't going to get you a more attractive uptake percentage.

It's possible that the reason I said "less than 4% of North American domains" is that I simply made a mistake, and should instead have said "less than 4% of all domains". Again: .COM has a 1.6% uptake. There are years in the last ~4 where DNSSEC uptake fell in .COM.

DNSSEC is moribund.


> DNSSEC is moribund.

For how many years have you been saying that? Meanwhile, from what I can tell, DNSSEC usage keeps going up.


Not so much, no. Now, could you acknowledge the comment I just wrote? It's less than 4% of all domains. So: what were you trying to imply when you pointed out that I'd said "North American domains"? And, now that I've corrected the comment, would you still have said it?


I can’t find any good statistics either, so I did not comment on any specifics. I am simply wary of overly specific qualifications with no obvious reason for their specificity; most often, these sorts of arguments are made in order to mislead readers. I don’t know what the actual numbers are.

All I can say is that from personal experience when working at a registrar and DNS service provider, the number of people asking about and requesting DNSSEC is increasing all the time, and shows no signs of decreasing. Also, all registries (i.e. TLDs) are pushing for registrars and DNS service providers to provide DNSSEC, so there is demand from both sides. Note: I do not have any financial incentive to push DNSSEC; in fact, strictly speaking, DNSSEC makes my job harder.

Also, as I have mentioned before, I have never seen anyone argue against DNSSEC with any persistence (in industry interest groups, at conferences, etc). Except you, here on HN. And you really seem to have it in for DNSSEC, even going so far as to keep making arguments against the crypto, not only while it was obvious that it could (and would) be fixed, but even making the same argument after it was actually fixed. You keep shifting your arguments, but keep arguing against DNSSEC with whatever you can find. This does not make you look credible. And your sole remaining argument, that DNSSEC has low usage, is not a very good one, if it is in fact the case that the usage is actually (on the whole) increasing.


> the number of people asking about and requesting DNSSEC is increasing all the time

The number of people not requesting it is increasing all the time too.


I'm not sure why I can't reply to the comment next to mine, but quite a few .gov sites use DNSSEC, so there's at least some point in using it.


It's not unusual to validate unconditionally in recursive resolvers, even for clients that did not set the AD bit or the DO bit.


Redirecting from HTTP to HTTPS is also quite common, but that does not make it OK to just make HTTP requests all the time.
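As an added example, not code from this thread or from the project under discussion: a small Python model of the three bits the thread keeps returning to. The first exchange says the stub neither asked for validation (the DO bit in an EDNS0 OPT record, plus AD in the query header) nor checked the AD bit in the reply; the later comment notes that recursive resolvers often validate even when the client set neither bit. The code builds a stub query with or without those bits, parses a constructed reply (no network; the name example.com and the answer 192.0.2.1 are made-up documentation values), and follows the RFC 4035/6840 rule that a resolver sets AD in the reply only when it validated and the query carried DO or AD.

```python
import secrets
import struct

# Constants from the DNS wire format (RFC 1035, RFC 6891, RFC 4035).
TYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # Authenticated Data: the resolver's "trust me, I validated" bit
FLAG_CD = 0x0010   # Checking Disabled
OPT_DO = 0x8000    # DNSSEC OK bit, carried in the OPT RR's TTL field


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def parse_name(buf, off):
    """Decode a name at buf[off], following compression pointers. Returns (name, next_offset)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:           # compression pointer into an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_message(buf):
    """Parse header, question section and every resource record of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = parse_name(buf, off)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, off = parse_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        records.append((name, rtype, rclass, ttl, buf[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "flags": flags, "questions": questions, "records": records}


def dnssec_flags(msg):
    """The three bits the thread is about: AD and CD in the header, DO in the OPT RR."""
    do = any(r[1] == TYPE_OPT and (r[3] & OPT_DO) for r in msg["records"])
    return {"ad": bool(msg["flags"] & FLAG_AD), "cd": bool(msg["flags"] & FLAG_CD), "do": do}


def build_query(name, want_dnssec, txid=None):
    """A stub's A query. With want_dnssec it sets AD in the header and adds an OPT RR with DO."""
    if txid is None:
        txid = secrets.randbelow(0x10000)   # a real stub also randomizes the source port
    flags = FLAG_RD | (FLAG_AD if want_dnssec else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if want_dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    opt = (b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, OPT_DO, 0)) if want_dnssec else b""
    return header + question + opt


def build_sample_response(query, validated):
    """Constructed reply (no network): echoes the question, answers 192.0.2.1 (a documentation
    address), and sets AD only if the resolver validated AND the query asked via DO or AD."""
    q = parse_message(query)
    asked = dnssec_flags(q)
    claim_ad = validated and (asked["do"] or asked["ad"])
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if claim_ad else 0)
    name, qtype, qclass = q["questions"][0]
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 1, 0, 1 if asked["do"] else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    opt = (b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, OPT_DO, 0)) if asked["do"] else b""
    return header + question + answer + opt


def stub_lookup(name, want_dnssec, resolver_validates):
    """Model the stub in the thread: did it ask for validation, and did the reply claim it?"""
    query = build_query(name, want_dnssec)
    reply = parse_message(build_sample_response(query, resolver_validates))
    addr = next(".".join(str(b) for b in r[4]) for r in reply["records"] if r[1] == TYPE_A)
    # AD is a single header bit asserted by the resolver. A stub that never asked for it, or
    # never inspects it, receives exactly the same 'addr' whether or not anything was validated,
    # and even a checked AD bit is only as trustworthy as the path to that resolver.
    return {"asked": want_dnssec, "claimed_validated": dnssec_flags(reply)["ad"], "addr": addr}
```

Run `stub_lookup("example.com", False, True)` and `stub_lookup("example.com", True, True)`: the address is identical, and only the second call comes back with `claimed_validated` set, because a resolver that validates unconditionally still leaves AD clear for a client that set neither DO nor AD.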



