Last time I checked, setting up DNSSEC is still a bit painful. Few
registrars, TMK, support DNSSEC directly. Maybe this has changed.
It's changed somewhat. Some large registrars like GoDaddy, Gandi, and
Tucows support it, some like NetSol don't. I have about 300 zones on
my DNS server, all signed locally, but I've only been able to upload
the DS records for half of them.
For DANE, application software that supports TLSA and DNSSEC-based TLS
verification is still pretty thin. Versions of openssl with DANE
support only became available within the past month.
Having said all that, it's still far from clear to me that something
other than DANE would work any better, particularly considering how
cruddy the CA world is turning out to be.
ietf-smtp mailing list