I'd have hoped in 2026 that anyone publishing this type of report would understand that DNSSEC isn't helping anything, and is generally considered to be actively harmful to enable. I'd suggest doing a bit more research and dropping the DNSSEC stuff, or reversing it entirely.