DNSSEC basically has all the problems of SSL registrars with almost none of the user-facing benefits - it's still a centralized system that could be overridden by a registrar hack or state-level strong-arming, and very few end user systems support actually doing anything when DNSSEC signed records don't verify.

If you think users are confused by SSL warnings now, how the heck would they understand similar errors at the DNS resolver level?

Also, there's no in-flight encryption, so it offers no privacy benefit. It also aggravates DNS amplification attacks.

The better technology to look into if you're concerned about individual user rights and privacy is DNSCurve: http://dnscurve.org

It's not comparable to DNSSEC other than "It uses crypto with DNS" - they have entirely different goals, but the goals it solves are much more relevant to end users (privacy, forgery, etc.).

Personally, I'd recommend people run both techs, as there's no technical reason that makes them incompatible.

I have no idea how to solve the UI problems. We've had 15+ years of SSL and there's been almost no progress on that.