DNSSEC is a disaster. Avoid it.
The only thing DNSSEC has given us is widespread DDoS amplification.
The author states "For something as harebrained as the CA system, remarkably few criminal breaches trace back to it" -- There have been many false CAs, and certificates issues. We have no idea what they've been used for (http://arstechnica.com/security/2015/03/google-warns-of-unau...). In addition to this, there exist many CAs whose primary purpose is to perform MITM-style attacks.
The author's points about DNSSec being expensive - somewhat, but more and more providers are offering DNSSec at the same price as normal DNS. Fedora is even enabling it on all their end hosts.
As far as the "Government controlled PKI":
1. What's better? Some security, or no security?
2. If the government wanted to crack DNSSec, there still exists the fact that we can share KSKs out of band for verification.
DNSSec is capable of providing better security than the current system. It does have some implementation gaps, but what do you propose alternatively?