Eh, I didn't read it... so my thoughts. From experience, the prob with DNSSEC is latency in verifying PKI of the record. Usually what happens is the timeout per resolver has to be greater than 15 seconds under no load in a private network, which is very inconvenient in comparison to plain DNS that has a default of 5 seconds.