
Comment the problem with securing DNS is the DNS is secure (Score 5, Interesting) 94

The big problem with DNSSEC, if widely used, is that it prevents forgery of DNS responses. ISPs and internet cafes will not like this, since that means they can no longer forge DNS replies to missing domains or to force people through registration pages. I can see a *LOT* of push-back from having end-users using DNSSEC.

Comment Re:Use DNSCurve (Score 1) 91

Trust is the same for DNSSEC, it's just that instead of using the root servers as a trust chain, you use a 3rd party that every domain owner had to pay for.

DNSCurve does not require you to pay any third parties, it is like DNSSEC where you publish your own information. Both technologies are (or in the case of DNSCurve, will be) free.

DNSCurve is much easier to implement than DNSSEC and also has advantages in terms of cryptography speed and increase of traffic.

DNSSEC has many years of actual deployment, not as widespread as it needs to be, but it has been out there and tested.

Can you point me to a single implementation of DNSCurve? Can you even point me to a specification of what exactly it is? I've looked, and the best that I can tell, there aren't any. Moreover, it doesn't appear that DJB's website has been updated since he proposed DNSCurve last year.

Comment Re:Use DNSCurve (Score 1) 91

DNSCurve is interesting technology, but it has many problems, not the least of which is that it is mostly hype right now. It does not really replace DNSSEC in functionality, but rather, it is closer to TSIG. That is, instead of securing the actual DNS records, it secures the communication between name servers and resolvers. With DNSSEC, you can get your DNS records from a totally untrustworthy server, and yet be able to prove if they are valid or not, but there isn't any form of encryption so there isn't any privacy. DNSCurve encrypts the transactions, but you can often figure out what is there anyway by watching which name servers you are contacting and monitoring other things to figure out what you were looking up. I like DNSCurve, I hope it goes somewhere, but I also hope that DNSSEC takes off soon.

Comment DNSSEC is a good substitute for paid-for CERTs (Score 4, Informative) 91

To the contrary, DNSSEC could possibly kill the goldmine that is the SSL cert racket. That is, unless having your DNS entry signed somehow becomes a "value added" service you need to pay for extra. I'm a layman here, but glancing at how DNSSEC works, I see no obvious way selectively signing some but not the rest of entries could work. This means, DNSSEC would provide a more secure way to give the public key to a viewer.

You may be a layman, but you appear to have far more clue about this stuff than most. Yes, once DNSSEC is deployed, anyone with a domain name can publish CERT records and have about the same security as a paid-for CERT. Granted, the cert authorities right now require you to give your name and address and such, which publishing CERT records in the DNS won't require, so they aren't exactly the same, but close enough considering how little checking the cert authorities do on such information.
