With DNSSEC, the DNS is spoofable. The two most common spoofing modalities in practice are LAN-style spoofing (airport and coffee shop wireless) and registrar ATO, both of which DNSSEC doesn't touch. Ironically, the former spoofing modality is directly addressed by DoH (or DoT, if you trust your network operator) and doesn't require coordinated or universal deployment.
There's a reason fewer than 2% of all .COM domains are signed; it's because DNSSEC is moribund.
2 comments
[ 3.0 ms ] story [ 14.6 ms ] threadFurther DNSSEC rollout to non-TLD DNS servers is also incomplete. DNS spoofing is still possible in 2020.
[PDF, 2008] https://www.iana.org/about/presentations/davies-viareggio-en...
There's a reason fewer than 2% of all .COM domains are signed; it's because DNSSEC is moribund.