
> Doesn't it seem just sort of plainly obvious that we should drop a flag on the broken protocol we're looking at now and re-do it properly with modern cryptography?

What makes you think that people will support this hypothetical new protocol faster than adding support for good crypto types in DNSSEC?

I mean, is that really what you are suggesting as the proper course of action? Throw away DNSSEC and have nothing replacing it until a new protocol is standardized and implemented as widely?



Because alternative approaches have been deployed far faster than DNSSEC. The obvious example to point to would be DoH.

Yes: we should throw away DNSSEC and have nothing replace it until something better is available. Nobody relies on DNSSEC today! I feel like that point just isn't sinking in with you. Take some time and consider its impact. 25+ years after the work started: nobody relies on DNSSEC at all. DNSSEC simply does not matter right now. That's not hyperbole; it's a statement of fact.



