From the described mistakes, two come from a lack of understanding of how exactly DNS works. But I agree it's in fact hard, see [1].

1. "This strict DNS spec enforcement will reject a CNAME record at the apex of a zone (as per RFC-2181), including the APEX of a sub-delegated subdomain. This was the reason that customers using VPN providers were disproportionately"

- This is non-intuitive and many people are surprised by that. You cannot create any subdomain (even www.domain.tld) if you created "domain.tld CNAME something...". Looks like not every server/resolver enforces that restriction.

2. "based on expert advice, our understanding at the time was that DS records at the .com zone were never cached, so pulling it from the registrar would cause resolvers to immediately stop performing DNSSEC validation." - like any other record, they can be cached. DNS also has negative caching (caching of "not found" responses). Moreover there are resolvers that allow configuring a minimum TTL that can be higher than what your NS servers return (like unbound - "cache-min-ttl" option), or can be configured to serve stale responses in case of resolution failures after the cached data expires [2]. That means returning a TTL of "1s" will not work as you expect.

[1] https://blog.powerdns.com/2020/11/27/goodbye-dns-goodbye-powerdns/
[2] https://www.isc.org/blogs/2020-serve-stale/
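Added example (not from the comment above, and not any project's code): a small zone sanity check that applies the RFC 2181 section 10.1 rule, a CNAME cannot coexist with other data at the same owner name, to a constructed set of records. Since a zone apex always carries SOA and NS records, a CNAME at the apex is always flagged; the zone text and names are made up for the demonstration.

```python
# Added example: flag CNAME records that share an owner name with other RR
# types (RFC 2181 section 10.1). At the zone apex this always fires, because
# the apex must hold SOA and NS records, which is the rejection described
# in the quoted incident text. Zone data below is constructed, not real.
from collections import defaultdict

# DNSSEC data is allowed beside a CNAME, so it never counts as a conflict.
DNSSEC_SIDE_DATA = {"RRSIG", "NSEC", "NSEC3"}

# Constructed zone snippet in "owner ttl class type rdata" form.
ZONE = """
example.test.      300 IN SOA   ns1.example.test. hostmaster.example.test. 1 3600 600 86400 300
example.test.      300 IN NS    ns1.example.test.
example.test.      300 IN CNAME lb.provider.example.   ; CNAME at the apex
www.example.test.  300 IN CNAME lb.provider.example.   ; fine: nothing else here
mail.example.test. 300 IN A     192.0.2.10
mail.example.test. 300 IN CNAME mx.provider.example.   ; conflicts with the A record
ok.example.test.   300 IN CNAME target.provider.example.
"""


def parse_records(zone_text):
    """Parse simple one-line records into (owner, type, rdata) tuples."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((owner.lower().rstrip("."), rtype.upper(), rdata))
    return records


def find_cname_conflicts(records):
    """Return {owner: [other RR types]} for owners where a CNAME coexists
    with non-DNSSEC data; an empty dict means the zone passes the check."""
    types_at = defaultdict(set)
    for owner, rtype, _rdata in records:
        types_at[owner].add(rtype)
    conflicts = {}
    for owner, types in types_at.items():
        if "CNAME" not in types:
            continue
        others = sorted(types - {"CNAME"} - DNSSEC_SIDE_DATA)
        if others:
            conflicts[owner] = others
    return conflicts


if __name__ == "__main__":
    for owner, others in find_cname_conflicts(parse_records(ZONE)).items():
        print(f"{owner}: CNAME cannot coexist with {', '.join(others)}")
```

Running it reports the apex name (CNAME beside NS and SOA) and the mail name (CNAME beside A), while www and ok pass.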