DVL is effectively the Crash Test Dummy for Linux.

FTA: "subterranean nuclear blasts were used as much as 169 times in the Soviet Union to accomplish fairly mundane tasks like creating underground storage spaces for gas or building canals"

In Soviet Russia, they built stuff with nuclear explosions.

What products are submitting keys upstream on change?

It's a shame the market didn't go down the DNSCurve (http://dnscurve.org/) road before DNSSEC. DNSSEC as it is currently implemented presents a significant challenge for DNS admins as their job just got more complicated while the tools are still barely capable. BIND with DNSSEC enabled for signing zones and updating your upstream TLD isn't set-it-and-forget-it so I don't see widespread adoption until the implementations are solved with easy point-and-click, set-it-once solutions.

Signing yourdomain.com requires you and .com to perform a transaction (registrar will perform on behalf of .com) that must recur at some interval for KSK and ZSK updates.

Deploying DNSSEC in response to cache poisoning is a lot like deploying TSA to protect the airports. Taking your shoes off and putting toothpaste in a little plastic baggie are kludges.