Google has invested heavily in IT security, and, I think has done a decent job of it. All services are TLS by default, identity and authorisation is well dealt with.
So I was somewhat surprised this am to see that Google’s own .com (and .ca) are not DNSSEC setup. I wonder why, there must be a reason.
DNSSEC helps to avoid domain spoofing, which in turn can be used to cheat and get TLS certifications. I’m sure this was a conscious decision. Their 188.8.131.52 server does DNSSEC validation. Its an option in their managed Google Domains. Their Cloud DNS supports it. Just not inbound to their corporate domain.