[ For the record, not an invitation to a futile further debate, given your long-standing immutably-held views on DNSSEC. Since you'll probably say the same about my work to get DANE for SMTP up and running, we can stop here. All I can add is that those who say it can't be done should not get in the way of the people doing it... :-) ]

No, the major providers did not get together to do MTA-STS because DANE was bad. They did it because their existing DNS geo-balancing kit for e.g. google.com and yahoo.com does not offer an easy upgrade path to DNSSEC. Note that Microsoft has a dedicated domain (outlook.com) for email hosting, and can more easily do DNSSEC there without impacting their other "web properties". Note also that Google now MX-hosts many customer domains on "googlemail.com" rather than google.com.

So things are starting to change. Furthermore, there are now over 1 million DANE-enabled DNSSEC domains. MTA-STS is far behind, is not downgrade-resistant on first contact and uses weak CA-leap-of-faith DV authentication. It will probably be enabled at the biggest providers by the end of this year, but as you yourself said elsewhere, these providers are the threat, and if so, securing email delivery to the user surveillance empires is not necessarily that important. Mind you, they can play a useful role by enabling validation and helping to keep the TLSA records of receiving systems valid, and perhaps surveillance is not their business for paying customers...



The IETF draft itself says that the primary motivation for MTA-STS is to provide transport security when DNSSEC is "undesirable or impractical". You don't have to take my word for it.

There are a million DANE-enabled DNSSEC domains because there are registrars, particularly in Europe, that enable it automatically. Who cares? First of all, DNSSEC managed by your registrar is security theater, but, more importantly, the overwhelming majority of those domains do not matter. Who cares if some landing page in the Netherlands has TLSA records?

Meanwhile, the domains that really do matter --- the ones managed by the major mail providers --- are doing MTA-STS.

SMTP is not a success case for DNSSEC.


gmx.de, comcast.net, freenet.de, mailbox.org, posteo.de and tutanota.de come to mind as counter-examples as well as various universities, the German parliament, various Dutch government domains, and a couple of thousand self-hosted SOHO domains. But DNSSEC is axiomatically evil, so I must be wrong...


Versus Google Mail, Yahoo, and Microsoft? And Comcast is also an author of MTA-STS. So yeah, I'm pretty comfortable arguing that the verdict is in on this.

Recall: the argument you're responding to (you drew it up from downthread) is that DANE "definitely works for SMTP". Does it, now?


Yes, DANE works for SMTP. Let's talk again in 2020. Ciao...


Oh, I forgot; I made a helpful infographic for this last week:

https://twitter.com/tqbf/status/1086061495811743747


Yawn, would you also like to arm wrestle? I concede that smug superiority gets more karma points than doing the hard work to make a difference.

Yes, only ~9 to 10 million domains are presently signed, and most of the larger ones are not (but comcast.net and cloudflare.com are not tiny, and gmx.de has over 10 million email users). Changing this takes time and effort. Users still need better software tools that make deployment easier and there needs to be less KSK deployment and rollover friction at the registrars and registries (i.e. CDS support). Some DNS hosting providers with outdated software need to upgrade their stacks, ... this does not happen overnight. Let's compare notes in 2020 or 2021. Infrastructure upgrades happen slowly...


Cloudflare sells DNSSEC services. Comcast is actively participating in standards that moot the most (or second most) important modern application of DNSSEC. You keep talking about 9-10 million domains "presently signed", but, as I keep pointing out, those were signed at registrars and are overwhelmingly irrelevant zones. The point of the infographic is that zones people actually care about --- not coincidentally, zones with giant, smart security teams --- resolutely avoid DNSSEC.


Let's compare notes in 2020 or 2021. Infrastructure upgrades happen slowly... I'll stop now and we'll both find something actually productive to do.


They sure do! This one has taken (checks notes) 24 years.
