I dislike a lot of what has happened with DNSSEC too and try to focus on other things since this seems to be a lost battle. I'm not sure I'm convinced it makes the Internet worse, but I'm certainly skeptical.

That said, one thing I believe you're wrong on is gethostbyname() which does have an error channel via h_errno. It's not pretty and more things need to be defined to correctly handle DNSSEC issues, but there is something there. I agree though, that we're unlikely to find a good transparent way to have this work right with old applications and that's a killer.

I don't share your enthusiasm about SSL/TLS fixing this problem. SSL/TLS has its own issues...



Virtually nothing uses h_errno. You still need to update pretty much every piece of socket code. You're right to point it out though; thanks!


Also, look at how subtle the code needs to be to handle failures with h_errno --- you have to call gethostbyname, check h_errno regardless of what it returns, and then read the hostent; and, unlike certificate checks, this has to happen in every single place you ever use a domain name.

Also, what do you do when h_errno says something is tainted? First, you need to distinguish between transient and permanent failures. Now you need UI for both. Which means you've added another state machine hop in your program in every place you look up names (note that most network programs, even when they're async, don't bother to design host lookup asynchronously) --- what was one function call is now three functions, everywhere you look up names.

Anyone who uses curl to do stuff on the web probably knows the flag to turn cert checking off. Curl and wget are somewhat unique in needing to care about validation. Observe that now every single program that does anything with the network, from "ping" through "ftp", now needs a flag and a sensible default for how to handle broken names.

Yeah, this just isn't going to work.


Yeah, it's pretty bad.

There used to be herror() but it appears to have been deprecated. A central error checking function in the standard library wouldn't be a terrible addition. Handling GUI stuff sensibly is going to be an even larger nightmare, but at least frameworks like Cocoa and Qt should be able to help do this right. There's a large bridge right now for GUI error reporting that should be handled more gracefully in a lot of cases, not just for DNSSEC; frameworks need a graphical perror() in general.

In any case, DNSSEC certainly makes this all a bit more trouble.


Oh hey and now make this all thread safe.
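The checking pattern the thread is arguing about, written out once as an added example (not code from any commenter): the legacy gethostbyname()/h_errno path, the transient-vs-permanent split the comments say every caller now has to make, and the reentrant getaddrinfo() path that addresses the thread-safety point. The enum and function names are the example's own; it assumes a Linux/glibc build. Per the glibc manual, h_errno is only meaningful when gethostbyname() returns NULL, so that is the order the helper uses.

```c
/* Added example: one resolver helper that classifies failures so callers
 * do not have to repeat the h_errno / EAI_* logic at every lookup site.
 * Assumes Linux/glibc. gethostbyname() is obsolete and not thread-safe;
 * the getaddrinfo() path is the one to prefer. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>

/* How a caller should react to the outcome of a lookup. */
enum lookup_class {
    LOOKUP_OK = 0,
    LOOKUP_TRANSIENT,   /* retry later: resolver or timeout trouble */
    LOOKUP_PERMANENT    /* give up: name does not exist or is unusable */
};

/* Map the legacy h_errno codes onto the two failure classes. */
enum lookup_class classify_h_errno(int err)
{
    switch (err) {
    case TRY_AGAIN:      return LOOKUP_TRANSIENT;
    case HOST_NOT_FOUND:
    case NO_DATA:
    case NO_RECOVERY:    return LOOKUP_PERMANENT;
    default:             return LOOKUP_PERMANENT;  /* unknown code: be conservative */
    }
}

/* Same classification for getaddrinfo() return codes. */
enum lookup_class classify_eai(int rc)
{
    switch (rc) {
    case 0:         return LOOKUP_OK;
    case EAI_AGAIN: return LOOKUP_TRANSIENT;
    default:        return LOOKUP_PERMANENT;  /* EAI_NONAME, EAI_FAIL, ... */
    }
}

/* Legacy path: gethostbyname() + h_errno. NOT thread-safe: the hostent
 * points into static storage shared by every thread in the process. */
enum lookup_class resolve_legacy(const char *name, char *out, size_t outlen)
{
    struct hostent *he = gethostbyname(name);
    if (he == NULL)
        return classify_h_errno(h_errno);   /* h_errno is valid only on NULL */
    if (he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL)
        return LOOKUP_PERMANENT;
    inet_ntop(AF_INET, he->h_addr_list[0], out, (socklen_t)outlen);
    return LOOKUP_OK;
}

/* Modern path: getaddrinfo() is reentrant and returns its error in-band,
 * so there is no global to read after the call. */
enum lookup_class resolve_modern(const char *name, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    int rc = getaddrinfo(name, NULL, &hints, &res);
    enum lookup_class cls = classify_eai(rc);
    if (cls != LOOKUP_OK)
        return cls;
    /* Render the first returned address as text. */
    if (res->ai_family == AF_INET) {
        struct sockaddr_in *sin = (struct sockaddr_in *)res->ai_addr;
        inet_ntop(AF_INET, &sin->sin_addr, out, (socklen_t)outlen);
    } else {
        struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)res->ai_addr;
        inet_ntop(AF_INET6, &sin6->sin6_addr, out, (socklen_t)outlen);
    }
    freeaddrinfo(res);
    return LOOKUP_OK;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "localhost";
    char buf[INET6_ADDRSTRLEN];
    switch (resolve_modern(name, buf, sizeof buf)) {
    case LOOKUP_OK:        printf("%s -> %s\n", name, buf); break;
    case LOOKUP_TRANSIENT: printf("%s: temporary failure, retry later\n", name); break;
    case LOOKUP_PERMANENT: printf("%s: permanent failure\n", name); break;
    }
    return 0;
}
```

The two classify functions are the part worth reusing: once every call site receives a three-valued result instead of a raw hostent or EAI code, the "transient vs permanent, now add UI for both" decision the thread describes is made in one place rather than at each lookup.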


Yeah...



