The pain of DNSSEC

Just kidding. But there are indeed a few obstacles when you try to introduce DNSSEC for your domain.
- First, check that your domain provider lets you put your keys into the NIC database of your country through a web interface or some other automated process. I started off with my default provider telling me: "Ah, that's so rare at the moment, you have to open a support ticket for each change you like. And, you know, if it's too much, we'll bill you for the extra service if we please... Anyway, it's not in the web interface".
Now I'm using http://www.schlundtech.de/ for my DNSSEC-secured domains. With them you only have to ask once to have the DNSSEC features enabled for your customer ID in the interface, and you're done.
- The other thing is: you have to administer two DNS servers of your own, on your own! Make "bind" your friend here.
After passing that hurdle just go with any popular HOWTO available on that topic. I found that one quite good.
After rolling out your DNS zone, do some testing, of course. I found two utilities comfortable to use. To have your <major browser> show you whether a domain is DNSSEC-secured and has the appropriate TLSA record in it, check out the DNSSEC validator plugin. For basic zone checking I use the Verisign debugger.
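
One more check worth doing before and after handing keys to the registry: confirm that the DS record shown by the provider really belongs to the key-signing key in your zone. The script below is an added example, not part of the original post; it recomputes the SHA-256 DS from a DNSKEY as specified in RFC 4034 and compares it with the published one, and the zone name and key bytes in it are constructed placeholders.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key tag, algorithm, digest type 2, SHA-256 digest) for a DNSKEY."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def check_ds(owner, dnskey, ds_text):
    """Compare the parent's DS ("tag alg type digest...") with a local DNSKEY
    (flags, protocol, algorithm, base64 key). Empty list means they match."""
    fields = ds_text.split()
    tag, alg, dtype = (int(x) for x in fields[:3])
    digest = "".join(fields[3:]).upper()  # digests are often displayed in groups
    if dtype != 2:
        return ["digest type %d not handled here (SHA-256 only)" % dtype]
    want_tag, want_alg, _, want_digest = make_ds(owner, *dnskey)
    problems = []
    if not dnskey[0] & 0x0100:
        problems.append("DNSKEY has no Zone Key flag, so a DS must not point at it")
    if not dnskey[0] & 0x0001:
        problems.append("DNSKEY has no SEP flag: is this really the KSK?")
    if tag != want_tag:
        problems.append("key tag %d != %d" % (tag, want_tag))
    if alg != want_alg:
        problems.append("algorithm %d != %d" % (alg, want_alg))
    if digest != want_digest:
        problems.append("digest does not match this DNSKEY")
    return problems

if __name__ == "__main__":
    # Constructed sample: placeholder zone name and a 64-byte dummy "key".
    ksk = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
    published = "%d %d %d %s" % make_ds("example.org.", *ksk)
    print("DS the registry should show:", published)
    print("problems:", check_ds("example.org.", ksk, published) or "none")
```

Feed it the flags, protocol, algorithm and base64 key from your zone's DNSKEY line and the DS fields exactly as the provider's interface displays them.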