Re: [ietf-smtp] DNSSEC, was New Version Notification for draft-fenton-smtp-require-tls-00.txt

2016-01-12 02:56:35
Last time I checked, setting up DNSSEC is still a bit painful. Few
registrars, TMK, support DNSSEC directly. Maybe this has changed.

It's changed somewhat.  Some large registrars like GoDaddy, Gandi,
Tucows support it, some like NetSol don't.  I have about 300 zones on
my DNS server, all signed locally, but I've only been able to upload
the DS records for half of them.

For DANE, application software that supports TLSA and DNSSEC based
verification is still pretty thin.  Versions of openssl with DANE
support only became available within the past month.

Having said all that, it's still far from clear to me that something
other than DANE would work any better, particularly considering how
cruddy the CA world is turning out to be.

As with IPv6, it varies considerably per country/region/TLD. Statistics for the
ccTLD .nl can be found here:

It appears some 43.9 percent of the 5.5 million domain names under .nl are
signed (2.4 million domain names). The page also shows some information about
DANE queries. This, however, doesn't say anything about the registrars...


