Just discard DNSSEC and move along.
I think secure DNS, with its complexity, is hard to deploy and is not worth the deployment effort.
Some days ago I wrote http://ds9a.nl/secure-dns.html which may be relevant.
I mostly agree (of course).
But note that it was intended to provide confidentiality by sharing an IPSEC session key using public keys of a host obtained from secure DNS, though it is not practical for the reasons you mentioned.
Masataka Ohta