The thesis here is in fact that we should not secure DNS in any way, just like we don't secure raw IP and won't for the foreseeable future secure BGP4. We instead do what we've done for 20+ years: assume the network is untrustworthy (because it is, with or without DNSSEC) and build security on top.
Thanks for clarifying! I have followed many of the discussions in which you participated talking about this issue, but this is the most concise way this has been put.
If I may suggest something, the article talks a lot about the implementation flaws in DNSSEC, giving the impression that if only it was designed better, or even redesigned, we could actually have a secure DNS.