    I rolled this out for my domains recently. I use Gandi.net for domain registration (not an affiliate link, but they give a discount to FreeBSD developers) and they now make it very easy to enable DNSSEC for domains where they do the DNS hosting (they’re in the TCB anyway, as the people who control the SOA records, so this doesn’t bother me, but your threat model may vary). There’s a nice tool that uses their API to generate the glue records and install them, which is easy to integrate with scripted DNS deployment.