Hacker News

DNSSEC and DANE are dead letters. After 25+ years of standardization effort, virtually no tech companies have adopted them. Its advocates cite bogus metrics like "number of signed zones" without disclosing that the overwhelming majority of those zones are signed automatically by registrars, which is security theater. No mainstream browser supports DANE, the key motivating feature for DNSSEC, and two browsers have introduced and then removed support for it. The major mail providers recently standardized MTA-STS specifically to avoid having to touch DNSSEC.

Stick a fork in DNSSEC.


