- cross-posted to:
- tech@programming.dev
Systems Approach: Nobody thinks of running a website without HTTPS. Safer DNS still seems optional
Nice opinion piece, but I disagree with the core idea that DNSSEC’s biggest problem is visibility (also, there hasn’t been any padlock icon in years in browsers). IMHO we have 3 main drivers that made HTTPS a success, and DNSSEC (and SMTPS) not:
- enforced by browsers: while you could file it under “visibility”, the difference to me is that browsers refuse to load your site without HTTPS. If they had resorted to a mere red address bar, HTTPS would never really have taken off.
- “atomic”: a site with failed HTTPS is only 1 failed site. Other sites, APIs, mail servers etc. under the same domain will still work.
- DNSSEC is HARD. Yes, your DNS/website provider makes it look easy but really, this stuff is seriously hard to do right now, and there is little tooling to help you with it; the same reason SMTPS (and maybe IPv6) failed so hard, I think.
It breaks DNS64