DoT and DoH seem like better alternatives, these days. At least for the “authenticated delivery of DNS records” bit.
My understanding is that if DNSSEC were to break, nothing would really happen to the public Internet, indicating that it’s not really a load-bearing component.
That TLS MITM attack was government-initiated, and governments control the DNSSEC roots. But either way: you can't say your system is load bearing because if it was actually deployed it would bear load. It has to actually bear the load, not just in theory but in practice. The root DNSSEC keys could land on Pastebin tonight and almost nobody would need to be paged.
Authenticated DANE or CAA would have prevented it.
FWIW, there is absolutely no reason that authentication for CAA requests needs to have high bandwidth or low latency or even that it would need to be part of the DNS protocol itself or of any sort of query that ordinary clients do. And the web could tolerate a day-long CAA outage with the only obvious side effect being an inability to issue new certificates.
Heck, a signed CAA attestation valid for 24 hours that was generated, for each domain that uses it, at most once per day, would allow quite a bit of ability to ride through an outage.
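The 24-hour signed CAA attestation suggested in the comment above, as an added example (not code from this thread or from any CA): the domain side signs its permitted-issuer list once, and the CA checks a cached copy without a live lookup. The `Attestation` format, `Sign` and `MayIssue` are hypothetical, and the CA is assumed to already trust the domain's Ed25519 public key.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// Attestation is a hypothetical signed snapshot of one domain's CAA "issue" set.
type Attestation struct {
	Domain              string
	Issuers             []string
	NotBefore, NotAfter time.Time
	Sig                 []byte
}

// payload is the signed byte string; %q quoting keeps field boundaries unambiguous.
func (a Attestation) payload() []byte {
	return []byte(fmt.Sprintf("caa-attest-v1 %q %q %d %d", a.Domain, a.Issuers, a.NotBefore.Unix(), a.NotAfter.Unix()))
}

// Sign runs on the domain side, at most once per day, and yields a 24-hour attestation.
func Sign(priv ed25519.PrivateKey, domain string, issuers []string, now time.Time) Attestation {
	a := Attestation{Domain: domain, Issuers: issuers, NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	a.Sig = ed25519.Sign(priv, a.payload())
	return a
}

// MayIssue is the CA-side check against a cached attestation; nil means issuance is allowed.
func MayIssue(pub ed25519.PublicKey, a Attestation, domain, ca string, now time.Time) error {
	if a.Domain != domain || !ed25519.Verify(pub, a.payload(), a.Sig) {
		return fmt.Errorf("wrong domain or bad signature")
	}
	if now.Before(a.NotBefore) || !now.Before(a.NotAfter) {
		return fmt.Errorf("attestation outside its validity window")
	}
	for _, i := range a.Issuers {
		if i == ca {
			return nil
		}
	}
	return fmt.Errorf("CA %q is not listed for %s", ca, domain)
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed all-zero test seed
	a := Sign(priv, "example.com", []string{"ca.example"}, time.Unix(1700000000, 0))
	fmt.Println(MayIssue(priv.Public().(ed25519.PublicKey), a, "example.com", "ca.example", a.NotBefore.Add(25*time.Hour)))
}
```

The validity window is what bounds the outage a CA can ride through: a cached attestation keeps authorizing issuance until `NotAfter`, and a revoked issuer stays accepted for the same period.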