There are nearly 20 million DNSSEC-enabled zones [1], which is a drop in the bucket compared to the internet as a whole obviously. But 20 million is not nothin’.
The problem with that 20MM number is that it's in large part the result of registrars auto-signing names (especially in Europe). There are two issues with that:
1. The overwhelming majority of those names are meaningless, just as it doesn't change anything about Internet security if I do or don't sign the "paulgra-ham.com" domain I bought on Hover years ago when I was drunk.
2. Registrar signatures are more or less security theater, because those customers aren't even controlling their own keys.
The total adoption of DNSSEC in commercial zones is between 1-4% right now, right?
DNSSEC has no shortage of problems, but this IMO isn’t really one of them:
> 2. Registrar signatures are more or less security theater, because those customers aren't even controlling their own keys.
It would be nifty if DNSSEC (or some superior technology) provided a degree of protection against a compromised registrar, but I don’t think that’s the primary benefit. Of course the registrar can change the DNS data.
DNSSEC purports to secure the transfer of data from the combination of the registrar and the domain owner to the resolver. For example, the combination of DNSSEC and CAA can, in principle, prevent even an arbitrarily privileged attacker on the network from getting a bogus certificate issued. Without DNSSEC, services like Let’s Encrypt rely on a degree of network voodoo to protect against MITM attack.
(Of course, a much simpler and more robust mechanism could accomplish the same goal. For example, there could be a standardized out-of-band mechanism by which a CA could securely ask a registry for the certificate policy for a domain. Something like this wouldn’t have the admin-screwed-up-and-the-whole-domain-is-down failure modes.)
edit: It looks like RDAP is moderately close to being able to do that out-of-band verification. I wonder if anyone is working on CAA integration with RDAP.
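As an added illustration of the DNSSEC-plus-CAA point in the comment above (example code written here, not from the thread or from any CA's code): the RFC 8659 CAA climb and a CA-authorization check, run over a constructed zone snapshot in which each answer carries a flag standing in for the validating resolver's AD bit. The sample names, the `ca_may_issue` helper and the refuse-on-unauthenticated-answer policy are assumptions of this example.

```python
"""CAA authorization check over a constructed zone snapshot.

Models the RFC 8659 lookup: climb from the requested name towards the root,
stop at the first name that has CAA records, and permit issuance only if a
matching 'issue' (or 'issuewild' for wildcard names) tag names the CA.
A DNSSEC-validating resolver sets the AD flag; this example treats an
unauthenticated CAA answer as untrusted, since an on-path attacker could
have stripped or altered it (that policy is this example's assumption).
"""
from dataclasses import dataclass


@dataclass
class CAAAnswer:
    records: list        # list of (tag, value) tuples as in the RDATA
    authenticated: bool  # stands in for the resolver's AD bit


# Constructed sample data: name -> CAAAnswer; names absent here have no CAA.
SAMPLE_ZONES = {
    "example.com.": CAAAnswer([("issue", "letsencrypt.org"), ("issuewild", ";")], True),
    "unsigned.test.": CAAAnswer([("issue", "letsencrypt.org")], False),
}


def lookup_caa(name, zones):
    """Return the closest CAA answer at or above `name`, or None if there is none."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return zones[candidate]
    return None


def ca_may_issue(name, ca, zones, wildcard=False):
    """Decide whether `ca` may issue for `name` under the closest CAA set."""
    answer = lookup_caa(name, zones)
    if answer is None:
        return True   # no CAA anywhere up the tree: issuance is unrestricted
    if not answer.authenticated:
        return False  # unvalidated answer: refuse rather than trust the network
    tag = "issue"
    if wildcard and any(t == "issuewild" for t, _ in answer.records):
        tag = "issuewild"  # issuewild, when present, governs wildcard names
    # Drop any ';'-separated parameters; a bare ';' value authorizes no CA.
    allowed = {v.split(";", 1)[0].strip() for t, v in answer.records if t == tag}
    return ca in allowed
```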
I know that, at least for .ch and .li, there was the plan that registrars have to pay extra for all domains that don’t have DNSSEC enabled starting some time next year. Some registrars just set up DNSSEC not because they believe it has value, but because they would have to explain a price increase to the customer.
[1]: https://stats.dnssec-tools.org/