This is a big problem. I feel like the security world is trusting DNSSEC to close the unencrypted/unsigned-DNS-record-shaped security hole. If it's not something people actually want to implement because it's a mess, what do we do? Do we need something better than DNSSEC? Is DoH good enough?