Here is an excellent talk by Matthäus Wander, introducing DNSSEC, DNSCurve and a few other DNS extensions.
A few points of interest:
- Stub resolvers need new APIs to report DNSSEC validation failures; only then can browsers present users with "TLS-like" failure messages instead of a generic lookup error.
- The AD flag is useless to a stub resolver that does not validate itself (it is an unsigned header bit set by the recursive resolver and trusted blindly on the way back), yet Windows 7/8 still read it.
- Comcast's name servers support DNSSEC, though this hasn't worked out great for them.
- Some ISPs replace NXDOMAIN responses with redirects to their own pages, another reason to run your own DNS resolver or use a public one.
- The root servers and the big TLDs will not deploy DNSCurve.
- DNSSEC cannot be used directly to validate a DNSCurve public key: the key is encoded in the domain name of the NS record at the parent, and the parent does not sign its delegation NS records (only the DS records), so that name is never covered by a signature.
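To make the last point concrete, here is an added example (mine, not code from the talk or from the post) that extracts the Curve25519 public key a DNSCurve server publishes in its nameserver name, and builds such a name from a key. It assumes the encoding from the DNSCurve specification as I read it: the label starts with `uz5`, followed by 51 characters from the base32 alphabet `0123456789bcdfghjklmnpqrstuvwxyz`, each carrying 5 bits, least-significant bits first, which together give the 32-byte key (255 bits; the top bit of a Curve25519 public key is always zero). The hostnames, the sample key and the function names are constructed for illustration. Note what the parser does not do: nothing here authenticates the key. It is a plain label in a delegation NS record, which DNSSEC leaves unsigned, which is exactly the gap the talk describes.

```python
# Added example: recover a DNSCurve public key from an NS name, and the reverse.
# Encoding assumptions (DNSCurve spec as I understand it, not stated on the page):
#   "uz5" + 51 base32 chars, alphabet below, 5 bits per char, little-endian
#   (low bits first), decoding to the 32-byte Curve25519 public key.
import re

ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"
KEY_LEN = 32       # bytes in a Curve25519 public key
KEY_CHARS = 51     # ceil(255 / 5): the top bit of the key is always zero
_NAME_RE = re.compile(r"^uz5([" + ALPHABET + r"]{51})(\..+)?$")

# Constructed sample key (not a real server's key): 0x01, 0x02, ..., 0x20.
SAMPLE_KEY = bytes(range(1, 33))


def b32_decode(s: str) -> bytes:
    """Little-endian base32 decode: each char supplies 5 bits, low bits first."""
    acc = 0
    bits = 0
    out = bytearray()
    for ch in s:
        acc |= ALPHABET.index(ch) << bits
        bits += 5
        if bits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            bits -= 8
    if bits:                       # 51 chars leave 7 bits: the final byte
        out.append(acc & 0xFF)
    return bytes(out)


def b32_encode(data: bytes, nchars: int) -> str:
    """Little-endian base32 encode `data` into exactly `nchars` characters."""
    acc = int.from_bytes(data, "little")
    chars = []
    for _ in range(nchars):
        chars.append(ALPHABET[acc & 31])
        acc >>= 5
    if acc:
        raise ValueError("data does not fit in %d base32 characters" % nchars)
    return "".join(chars)


def dnscurve_key_from_ns(name: str):
    """Return the 32-byte public key carried in a DNSCurve NS name, or None
    if the name is an ordinary (non-DNSCurve) nameserver name.

    DNS names are case-insensitive, so the label is lower-cased first.
    Nothing here verifies the key: it comes from an unsigned delegation NS
    record, so a validating DNSSEC resolver cannot vouch for it either.
    """
    m = _NAME_RE.match(name.strip().lower())
    if not m:
        return None
    key = b32_decode(m.group(1))
    if len(key) != KEY_LEN:
        raise ValueError("decoded key has unexpected length %d" % len(key))
    return key


def dnscurve_ns_name(pubkey: bytes, suffix: str) -> str:
    """Build the NS name a DNSCurve server would publish for `pubkey`."""
    if len(pubkey) != KEY_LEN or pubkey[-1] & 0x80:
        raise ValueError("need a 32-byte Curve25519 public key with the top bit clear")
    return "uz5" + b32_encode(pubkey, KEY_CHARS) + "." + suffix.strip(".")


if __name__ == "__main__":
    name = dnscurve_ns_name(SAMPLE_KEY, "ns.example")      # hypothetical host
    print(name)
    print(dnscurve_key_from_ns(name).hex())
    print(dnscurve_key_from_ns("ns1.example"))              # None: not DNSCurve
```

Feeding the NS names from a delegation through `dnscurve_key_from_ns` tells a resolver which servers speak DNSCurve and which keys to use; whether those names were tampered with in transit is a question DNSSEC cannot answer for the parent's NS records, so the key is only as trustworthy as the unsigned delegation it came from.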
Matthäus’s slides are online.