If you'll notice, that's glue for ns0, ns1, and ns2. This information from the parent is just there to say "here's where to go to resolve information from the child".
It's not the actual IP addresses for all the child data, like www.wikimedia.org.
DJB's basically saying "how can you say .org is signed when not every child in .org is signed". No delegated solution could ever offer that feature. If DJBCurve doesn't support signed and unsigned children, it's a thoroughly irrelevant technology that should be laughed out of the room.
Bashing DNSSEC for supporting a basic reality of delegated trust is flat out unfair.
Here’s what I think DJB is saying: It’s the IP addresses for ns0, ns1, ns2, and it’s published by the .org servers. Why not sign that information, even if the Wikipedia folks haven’t implemented DNSSEC themselves? I don’t think he expects the .org servers to sign information not published by them.
It's not the actual IP addresses for all the child data, like www.wikimedia.org.
DJB's basically saying "how can you say .org is signed when not every child in .org is signed". No delegated solution could ever offer that feature. If DJBCurve doesn't support signed and unsigned children, it's a thoroughly irrelevant technology that should be laughed out of the room.
Bashing DNSSEC for supporting a basic reality of delegated trust is flat out unfair.