
> Just because virtually none of the best-regarded security teams haven’t implemented yet doesn’t mean that you shouldn’t implement it

Unclear how it makes sense to do something allegedly security related that best-regarded security teams recommend against. Sounds like security theater.

Meanwhile, consider the failures: https://ianix.com/pub/dnssec-outages.html

Misconfiguration can cause the sites to disappear from the internet.




I haven’t seen any security teams recommend against implementing dnssec.

Interesting to see info about the failures, though. Thanks for pointing that out.

I’ve been running a ton of sites on domains with dnssec enabled and haven’t had any issues that I’m aware of.


The IETF has been trying to light a fire under organizations to deploy DNSSEC since 2008. You can take any list of popular domains --- last time I did this, I used the "Moz 500", whatever that is --- and write a simple shell loop around `host -t ds ${domain}` to see how many of those domains are signed. You'll see some! But they're overwhelmingly affiliated either with academia or with the US government, which, until 2017, mandated DNSSEC, but later rescinded the mandate.

DNSSEC has virtually no real-world commercial deployment. There have been years, I believe, when US deployment went down. It's dead. Let it lie.
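
The shell loop described in the comment above, as an added example (not part of the original comment): it wraps `host -t ds` and counts signed, unsigned and failed lookups separately, so resolver errors do not skew the result. The `LOOKUP` override and the `sample_lookup` function with its constructed output are assumptions added so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example: count how many domains in a list publish a DS record.
# LOOKUP is a hypothetical override for offline runs; the default is the
# command quoted in the comment above.
LOOKUP=${LOOKUP:-host -t ds}

# Constructed stand-in for `host -t ds`, mimicking its output lines.
sample_lookup() {
    case $1 in
        signed.example) echo "$1 has DS record 12345 13 2 0A1B2C3D" ;;
        plain.example)  echo "$1 has no DS record" ;;
        *)              echo "Host $1 not found: 2(SERVFAIL)"; return 1 ;;
    esac
}

# Print signed, unsigned or error for one domain. A failed lookup (timeout,
# SERVFAIL, NXDOMAIN) is "error", so resolver trouble is not counted as
# "unsigned". Names starting with '-' are refused rather than passed as options.
ds_status() (
    case $1 in -*) echo error; exit 0 ;; esac
    out=$($LOOKUP "$1" 2>&1 </dev/null) || true
    case $out in
        *" has DS record "*)   echo signed ;;
        *" has no DS record"*) echo unsigned ;;
        *)                     echo error ;;
    esac
)

# Read domains from stdin (one per line; blanks and '#' comments skipped) and
# print "signed=N unsigned=N error=N total=N".
ds_survey() (
    signed=0 unsigned=0 error=0
    while IFS= read -r line || [ -n "$line" ]; do
        domain=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -n "$domain" ] || continue
        case $(ds_status "$domain") in
            signed)   signed=$((signed + 1)) ;;
            unsigned) unsigned=$((unsigned + 1)) ;;
            *)        error=$((error + 1)) ;;
        esac
    done
    echo "signed=$signed unsigned=$unsigned error=$error total=$((signed + unsigned + error))"
)

# Usage: sh ds-survey.sh domains.txt
if [ "$#" -gt 0 ]; then ds_survey < "$1"; fi
```

A high `error` count means the resolver or network is the problem, and the run should be repeated before reading anything into the signed/unsigned ratio.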


I agree, we aren’t seeing as much implementation of dnssec, and a lot of other checks that when check the DNP Scores of domains.

I recently ran the DNP Scores of all domains of companies in the Fortune 500 and only about 8 percent had high scores, and we check for dnssec as part of the algorithm.

So less than 8 percent of the Fortune 500 have dnssec implemented.

(For transparency, I wrote the algo behind DNP Score.)


The numbers get even starker if you look at large tech companies, as opposed to companies across the entire F500. And large tech companies have the best security teams in the world. They've rejected DNSSEC. I'd remove it from your score; it's not a reflection of anything in the real world.



