CeroWrt picked up the DNSSEC-enabled version of dnsmasq as soon as it was released, and it's been a huge hassle even among that small and technically capable userbase. Fedora has done more to try to make it usable (detecting captive portals, etc.), but there are simply too many broken networks and DNS servers out there for DNSSEC to be used to do anything more strict than putting a red flag in the browser's URL bar.
