
The IETF draft itself says that the primary motivation for MTA-STS is to provide transport security when DNSSEC is "undesirable or impractical". You don't have to take my word for it.

There are a million DANE-enabled DNSSEC domains because there are registrars, particularly in Europe, that enable it automatically. Who cares? First of all, DNSSEC managed by your registrar is security theater, but, more importantly, the overwhelming majority of those domains do not matter. Who cares if some landing page in the Netherlands has TLSA records?

Meanwhile, the domains that really do matter --- the ones managed by the major mail providers --- are doing MTA-STS.

SMTP is not a success case for DNSSEC.



gmx.de, comcast.net, freenet.de, mailbox.org, posteo.de and tutanota.de come to mind as counter-examples as well as various universities, the German parliament, various Dutch government domains, and a couple of thousand self-hosted SOHO domains. But DNSSEC is axiomatically evil, so I must be wrong...


Versus Google Mail, Yahoo, and Microsoft? And Comcast is also an author of MTA-STS. So yeah, I'm pretty comfortable arguing that the verdict is in on this.

Recall: the argument you're responding to (you drew it up from downthread) is that DANE "definitely works for SMTP". Does it, now?


Yes, DANE works for SMTP. Let's talk again in 2020. Ciao...


Oh, I forgot; I made a helpful infographic for this last week:

https://twitter.com/tqbf/status/1086061495811743747


Yawn, would you also like to arm wrestle? I concede that smug superiority gets more karma points than doing the hard work to make a difference.

Yes, only ~9 to 10 million domains are presently signed, and most of the larger ones are not (but comcast.net and cloudflare.com are not tiny, and gmx.de has over 10 million email users). Changing this takes time and effort. Users still need better software tools that make deployment easier and there needs to be less KSK deployment and rollover friction at the registrars and registries (i.e. CDS support). Some DNS hosting providers with outdated software need to upgrade their stacks, ... this does not happen overnight. Let's compare notes in 2020 or 2021. Infrastructure upgrades happen slowly...


Cloudflare sells DNSSEC services. Comcast is actively participating in standards that moot the most (or second most) important modern application of DNSSEC. You keep talking about 9-10 million domains "presently signed", but, as I keep pointing out, those were signed at registrars and are overwhelmingly irrelevant zones. The point of the infographic is that zones people actually care about --- not coincidentally, zones with giant, smart security teams --- resolutely avoid DNSSEC.


Let's compare notes in 2020 or 2021. Infrastructure upgrades happen slowly... I'll stop now and we'll both find something actually productive to do.


They sure do! This one has taken (checks notes) 24 years.



