I'd have hoped in 2026 that anyone publishing this type of report would understand that DNSSEC isn't helping anything, and is generally considered to be actively harmful to enable. I'd suggest doing a bit more research and dropping the DNSSEC stuff, or reversing it entirely.
DNSSEC is more likely to self-DoS yourself than protect against an attack, unfortunately.
as exemplified by the recent .de outage https://www.theregister.com/networks/2026/05/06/denic-sorry-...