Comment Re:What should DNS server administrators do? (Score 1) 94
Configuration is relatively easy if all you've got is a couple of zones. Maintenance is what takes work. You don't just turn a switch on and let things go on their own.
Keys expire and need to be rolled over. Signatures expire even more often and need to be refreshed. Your TLD registrar needs to have a robust mechanism for establishing and maintaining the trust chain. And it can all go to hell in an instant if someone's behind a router that is filtering EDNS, or TCP DNS queries, or truncating DNS packets, or doing anything else that speaks of assuming that anything DNS-related that isn't less than 576 bytes over 53/UDP is Evil And Must Be Destroyed.
There are plenty of tools out there for doing this all relatively painlessly, but it takes diligence and a higher level of meticulousness than most sysadmin tasks. On the other hand, for small setups, it's no worse than keeping an eye on your logs for interesting activity.
(For the record, I built my workplace's DNSSEC implementation in about 3 weeks, and got it 90% right before I had to go help my wife give birth. But we have dozens of zones, with subdomains, and multiple field offices running their own masters, so we had to deal with TSIG-signed zone transfers with external entities in addition to our primary master. And now that we've got it turned on, we get at least one report a week of someone having issues getting to one of our sites because of said upstream routers that are messing with DNSSEC queries.)
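The maintenance chores the comment lists (expiring signatures, key rollover, and the DS record the registrar must carry for the chain of trust) are exactly what a small monitoring script can check. The following is an added example, not code from the commenter or from any DNSSEC tool; it works on constructed records for a hypothetical zone `example.test` in standard presentation format, so it runs offline. It flags RRSIGs that are already expired, not yet valid, or within a warning window, and it recomputes DNSKEY key tags (RFC 4034 Appendix B) to confirm that the key tags the parent publishes in DS records actually correspond to a KSK in the zone. The "current" time and the parent DS key tags are constructed inputs.

```python
"""Offline DNSSEC hygiene checks: RRSIG expiry and DNSKEY/DS key-tag matching.

Hypothetical helper written for this example, not from the thread above.
Input is constructed zone data in presentation format (the same text that
`dig +dnssec` or a signed zone file would show), so no network is needed.
"""
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample records for the hypothetical zone example.test.
SAMPLE_RECORDS = """
example.test. 3600 IN RRSIG SOA 13 2 3600 20240601000000 20240502000000 1554 example.test. c2lnMQ==
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20240510000000 20240410000000 1554 example.test. c2lnMg==
www.example.test. 300 IN RRSIG A 13 3 300 20240420000000 20240320000000 1554 example.test. c2lnMw==
example.test. 3600 IN DNSKEY 257 3 13 AAECAw==
"""

# Constructed "current" time and the key tags a parent might publish in DS records.
NOW = datetime(2024, 5, 5, tzinfo=timezone.utc)
PARENT_DS_KEY_TAGS = (1554, 9999)


def parse_rrsig(fields):
    """Fields after 'RRSIG': type_covered alg labels orig_ttl expiration inception keytag signer sig."""
    ts = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {
        "type_covered": fields[0],
        "algorithm": int(fields[1]),
        "expiration": ts(fields[4]),
        "inception": ts(fields[5]),
        "key_tag": int(fields[6]),
        "signer": fields[7],
    }


def parse_records(text):
    """Split presentation-format lines into RRSIG and DNSKEY records; ignore everything else."""
    rrsigs, dnskeys = [], []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, rrtype, rdata = parts[0], parts[3], parts[4:]
        if rrtype == "RRSIG":
            rec = parse_rrsig(rdata)
            rec["owner"] = owner
            rrsigs.append(rec)
        elif rrtype == "DNSKEY":
            dnskeys.append({
                "owner": owner,
                "flags": int(rdata[0]),
                "protocol": int(rdata[1]),
                "algorithm": int(rdata[2]),
                "public_key": base64.b64decode("".join(rdata[3:])),
            })
    return rrsigs, dnskeys


def dnskey_key_tag(flags, protocol, algorithm, public_key):
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete RSA/MD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def check_signatures(rrsigs, now, warn_days=7):
    """Return (level, message) findings for signatures that are stale, premature, or about to expire."""
    findings = []
    for sig in rrsigs:
        label = f"RRSIG {sig['type_covered']} on {sig['owner']}"
        if now < sig["inception"]:
            findings.append(("ERROR", f"{label} is not yet valid (inception {sig['inception']:%Y-%m-%d})"))
        elif now > sig["expiration"]:
            findings.append(("ERROR", f"{label} expired on {sig['expiration']:%Y-%m-%d}; re-signing is overdue"))
        elif sig["expiration"] - now <= timedelta(days=warn_days):
            findings.append(("WARN", f"{label} expires on {sig['expiration']:%Y-%m-%d}; refresh signatures"))
    return findings


def check_trust_chain(dnskeys, parent_ds_key_tags):
    """Every DS key tag the parent publishes must match a KSK (flags 257) in the zone."""
    ksk_tags = {dnskey_key_tag(k["flags"], k["protocol"], k["algorithm"], k["public_key"])
                for k in dnskeys if k["flags"] == 257}
    return [("ERROR", f"parent DS key tag {tag} matches no KSK in the zone; chain of trust is broken")
            for tag in parent_ds_key_tags if tag not in ksk_tags]


def run_checks(text=SAMPLE_RECORDS, now=NOW, parent_ds_key_tags=PARENT_DS_KEY_TAGS):
    """Run both checks over one zone snapshot and return the combined findings."""
    rrsigs, dnskeys = parse_records(text)
    return check_signatures(rrsigs, now) + check_trust_chain(dnskeys, parent_ds_key_tags)


if __name__ == "__main__":
    for level, msg in run_checks():
        print(level, msg)
```

On the constructed snapshot this reports the DNSKEY signature as expiring within the week, the `www` A signature as already expired, and the parent DS key tag 9999 as matching no KSK; in practice the same parser can be fed the output of a scheduled `dig +dnssec` against each authoritative server, which also surfaces the truncation and EDNS problems the comment mentions as missing or empty responses rather than findings.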