Well, we're nowhere close because neither browsers nor operating systems are currently doing DNSSEC validation by default.

This could change (figuratively speaking) tomorrow if vendors decided to do so (along with implementing DNS-over-HTTPS if they haven't already).

> In addition to fallback being one of the most famous rats nets of security vulnerabilities in all of practical cryptography, this situation dictates that browsers won't be able to eliminate X.509 with DANE;

I think you are failing to see a future where the vast majority of these obstacles have been solved and therefore websites could afford to disable support for the remaining tiny (but long) tail of WebPKI-only clients.

Even despite the fallback problem, I think a DANE-based PKI system would be much simpler than WebPKI currently is, by orders of magnitude. So I don't think we would be worse than where we are now, where we just keep adding layers upon layers of complexity without actually solving the real problem at the root.

> they'll merely be adding a new trust anchor to the root store. The worst of both worlds.

No, it's not merely adding a new trust anchor, because that implies the old anchors would still be accepted even though the new anchor is working.

The idea is that if the client can do DNSSEC validation then it can disable all the other anchors and just use DANE (if the website has already migrated).