DNSSEC is a mechanism that lets clients verify the authenticity of the answers they receive from DNS servers. There are two sides here: the server must supply signed answers, and the client must verify the signatures on those answers. The validation (verification) side is widely implemented, but there are very few signed zones.

2012-01-10 – Comcast announces that over 17 million customers are using their DNSSEC-validating resolvers.

2013-05-06 – Google announces that they have enabled validation by default on their public resolvers: 130 billion queries per day from 70 million unique client IP addresses.

However, if no one signs their zones, those validating resolvers don't have many signatures to check. The full details are at http://www.five-ten-sg.com/mapper/blog/dnssec, but the view on this front is beyond dismal.

Alexa.com has a list of the top 25 global web sites and not a single one of those domains is signed. The Federal Financial Institutions Examination Council has a list of large US financial institutions holding over $10 billion in assets. There are 104 domains on that list and exactly one is signed. The Federal Procurement Data System has a list of the top US defense contractors. There are 103 domains on that list and not a single one is signed. Ddosattackprotection.org has a list of computer security blogs and resources. There are 126 domains on that list and only 5 are signed. ICANN has a list of accredited registrars. There are 1289 unique domains on that list and only 16 are signed.
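As an added example (not code from the original post), here is a small Python checker that reproduces the kind of survey above. It reads dig output, treats a DS record in the parent zone as the signal that a zone is signed (a DNSKEY alone, with no DS at the parent, leaves the zone outside the chain of trust), and treats the AD flag from a validating resolver such as Google's as the signal that the answer was actually validated. The live lookup assumes dig is installed and a validating resolver at 8.8.8.8 is reachable; the sample responses and domain names are constructed placeholders.

```python
import re
import subprocess

def parse_flags(dig_output: str) -> set:
    """Return the header flags (qr, rd, ra, ad, ...) from a full dig response."""
    m = re.search(r";; flags: ([^;]*);", dig_output)
    return set(m.group(1).split()) if m else set()

def answer_has_type(dig_output: str, rrtype: str) -> bool:
    """True if the ANSWER section holds a record of rrtype (owner TTL class type rdata)."""
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):  # any other section header ends the answer section
            in_answer = False
        fields = line.split()
        if in_answer and len(fields) > 3 and fields[3] == rrtype:
            return True
    return False

def classify(ds_output: str, a_output: str) -> str:
    """DS at the parent = zone is in the chain of trust; AD flag = resolver validated."""
    signed = answer_has_type(ds_output, "DS")
    validated = "ad" in parse_flags(a_output)
    if signed and validated:
        return "signed and validated"
    if signed:
        return "signed, but the resolver did not validate"
    return "unsigned"

def check_zone(name: str, resolver: str = "8.8.8.8") -> str:
    """Live check (needs dig and network): DS and +dnssec A lookups via resolver."""
    out = [subprocess.run(["dig", f"@{resolver}", "+dnssec", name, t],
                          capture_output=True, text=True, check=True).stdout
           for t in ("DS", "A")]
    return classify(*out)

# Constructed sample responses for offline use (not captured from any real domain).
SIGNED_DS = (";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
             "\n;; ANSWER SECTION:\n"
             "example.test.\t3600\tIN\tDS\t12345 8 2 ABCDEF0123456789\n")
UNSIGNED_DS = (";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n"
               "\n;; AUTHORITY SECTION:\n"
               "test.\t900\tIN\tSOA\tns.test. hostmaster.test. 1 2 3 4 5\n")
VALIDATED_A = (";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
               "\n;; ANSWER SECTION:\n"
               "example.test.\t300\tIN\tA\t192.0.2.10\n"
               "example.test.\t300\tIN\tRRSIG\tA 8 2 300 ... placeholder-signature\n")
```

Running `check_zone("yourdomain.example")` against each name on one of the lists above gives the same signed/unsigned tally the post reports, plus a third bucket for zones that publish a DS but fail validation at the resolver.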

Is this a chicken-and-egg situation, where everyone is waiting for some event before they will consider signing their zones? I don't think so, since the recursive validators are already in place. So, what can be done to improve the situation?

Regarding the financial institutions, apparently the 2009 cache-poisoning attack on a Brazilian bank was not enough to make them start securing their DNS answers. In 2011, an employee of a Brazilian ISP was arrested for "changing" the DNS cache to redirect customers to phishing websites. Pressure from government financial regulators could cause the banks to start signing their zones, but I doubt that the financial regulators themselves have any understanding of this topic.

Regarding the defense contractors, it is possible that the US DoD might start requiring contractor company zones to be signed, at least the parts that DoD employees might need to access.

Regarding the computer security sites, I have no idea what it would take to get them to sign their zones. Publicity might work.

Regarding the accredited registrars, ICANN has many requirements (at least on paper) for registrars. They could add a DNSSEC requirement when those registrar agreements come up for renewal.