I don't fully understand #DNSSEC criticism yet: A major argument against it is that it's a “government-controlled PKI” and that, for example, “Gaddafi would have controlled bit.ly’s TLS keys if it had been deployed earlier”.
But isn't that a strawman? If a bad actor controls DNSSEC, they control all the other #DNS records too, i.e. the government can always point domains wherever they like and obtain valid #TLS certificates. The Taliban closed down queer.af completely without DNSSEC.
#DNSSEC and #DANE should not replace the established #TLS certificate authority system, because it would undermine end-to-end encryption between client and server, but I do believe that DNSSEC/DANE serve a legitimate role: preventing #DNS spoofing by third parties, i.e. proving that a DNS record really comes from the correct name server.
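To make concrete what DANE actually pins, here is an added example (not part of the original post) of the TLSA matching step from RFC 6698: it parses a TLSA record as it would appear in a signed zone and checks a certificate or SubjectPublicKeyInfo against it. The certificate and SPKI bytes are constructed stand-ins, and the code assumes the record has already passed DNSSEC validation, which is exactly why whoever signs the zone decides which key is accepted for a usage-3 record.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for a server certificate (DER) and its SubjectPublicKeyInfo.
# A real client would take both from the TLS handshake.
CERT_DER = b"\x30\x82\x01\x00" + b"constructed-certificate-bytes-for-demo" * 3
SPKI_DER = b"\x30\x59" + b"constructed-spki-bytes-for-demo"


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format such as '3 1 1 <hex>' from a zone file."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))


def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must equal for this certificate."""
    if rec.selector == 0:
        selected = cert_der
    elif rec.selector == 1:
        selected = spki_der
    else:
        raise ValueError(f"unsupported selector {rec.selector}")
    if rec.mtype == 0:
        return selected
    if rec.mtype == 1:
        return hashlib.sha256(selected).digest()
    if rec.mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {rec.mtype}")


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate satisfies the (DNSSEC-validated) record."""
    return hmac.compare_digest(association_data(rec, cert_der, spki_der), rec.data)


def requires_pkix(rec: TLSA) -> bool:
    """Usages 0 and 1 still require normal CA validation; 2 and 3 bypass the CA entirely."""
    return rec.usage in (0, 1)
```

With usage 3 the DNS zone alone decides which key is accepted; with usage 0 or 1 DANE only adds a constraint on top of CA validation, which is the distinction the post draws.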
And in order to keep DNS requests private, DoH/DoT/DoQ should be the default.