Mandatory example: $ dig yp.to ns

I think it's sad that the trend is towards DNSSEC which provides not confidentiality, only authentication. As we've seen since last summer, the extra protection is very much needed.

Even if you started work on a superiour alternative today, expect to keep working on it for the better part of a decade before you see any real world uptake.

Not even IP itself did conquer the world overnight.

Which is funny because the US Congress passed a law mandating DNSSEC for .gov domains. Not to mention the many outages, plus non-deployments, where domains CNAME to a non-DNSSEC CDN.

34% of .NL domains

That's because it's common for .nl domain owners to essentially be paid to run DNSSEC. That's how bad it is.

I note that you don't run DNSSEC yourself.

http://dnsviz.net/d/danyork.com/dnssec/

Actually, I do run DNSSEC on most of my domains, but for that particular one, danyork.com, I unfortunately lost DNSSEC support when I needed to switch the name servers to CloudFlare to be able to essentially have a CNAME at the apex (using what CloudFlare calls their "flattening" service).

Longer story... but the good news (for me) is that CloudFlare has publicly said they will be providing DNSSEC signing for their CDN by the end of 2014... so in theory I should be back to having that domain signed within the next few months.

FYI, CloudFlare's slides from the ICANN presentation where they talked about this are at: http://t.co/34sAH1FVLB