DNSSEC is notorious for breaking things [1]. I use it on most of my domains, but I would not just 'enable' it on a domain that I cared about and that had real users without a lot of thought and planning. Nor should you.
I figured it would work since there were no problems for the handful of my domains using DNSSEC with the previous registrar. Maybe the button should come with a warning label. I'll certainly be a bit cautious from now on.
> Just culture is a concept related to systems thinking which emphasizes that mistakes are generally a product of faulty organizational cultures, rather than solely brought about by the person or persons directly involved. In a just culture, after an incident, the question asked is, "What went wrong?" rather than "Who caused the problem?".
Prominent (and very effective) example: Aviation safety.
So when organizations hire people that do not understand the DNS or PKC to maintain their DNS then it is the organization's fault (rather than the person who made the change). I accept that and agree.
But if a bunch of large, well-staffed, engineering-focused, otherwise competent organizations manage to fuck it up regularly, the problem's probably above the individual organizations. Potentially with the spec itself.
I've seen far more certificate renewal failures than DNSSEC failures from the same teams you appear to be suggesting are perfect and the standard is flawed.
The consequences of a failed certificate renewal are much smaller than the consequences of a DNSSEC failure: if you screw up DNSSEC, your site falls off the Internet, as if it never existed.
There's no property of DNSSEC that makes it prone to breaking (and really any real problem on your link applies just as well to HTTPS). It just breaks because those large entities don't care about fixing it or care a big deal about breaking it on purpose.
[1] - https://ianix.com/pub/dnssec-outages.html