I'm playing with setting up DNSSEC on a test domain and running into a bug/rfe; I'm not sure which of two solutions is the correct approach, so haven't filed it yet. This is a multiserver setup, with 2 nameservers, one of which is a mirror of the other. When I enabled DNSSEC for a zone, the zone does get signed and things are mostly ok, but the issue is each nameserver has a different set of signing keys, so the same zone file (same serial number) will get different RRSIG depending on which server you ask. This may or may not be a problem. So zones are signed, now add DS records to the registrar, right? When I go in ISPConfig to the DNS Zone and check the DNSSEC DS-Data for registry I copy/pasted info to the registrar and hit save. At this point I had intermittent DNSSEC success because the DNSSEC DS-Data for registry field only shows the DS records for one of the two nameservers. In fact, that field changes, when you go back in there later you might find the DS records have been updated to the other server. Once adding both sets of DS records to the registrar, DNSSEC works reliably. So either both nameservers should be using the same signing keys, and hence the same DS records, or the DNSSEC DS-Data for registry field should display all DS records that need to be added. I'll file the bug report once I'm clear on where the bug is.
The current DNSSEC implementation is not multiserver-capable at the moment, the developer that made it took not in account that the key has to be generated on the master (like we do it with dnssec) and not on the slave as it is done at the moment. This is probably not so easy to fix so we might have to reimplement the function for 3.2.