DNSSEC is great in theory, but after three years I still haven't deployed a live instance.
It is cumbersome to implement and maintain, requiring the co-operation of registrars and frequent key regeneration.
It is also very, very chatty and imposes a considerable processing burden on the first-hop DNS resolver.
We need a signed DNS solution that isn't DNSSEC.