> -----Original Message-----
> The story that I keep on hearing is that even the most experienced engineers
> have issues with understanding the configuration of the KSK and Zone signing
> keys and the key rollover, inconsistencies in documentation and therefore
> lack of adoption, because in case of a mistake this might seriously impact the
> production environment.
I can confirm (from the RIPE meeting where they have a DNS WG) that these concerns are widespread. DNSSEC is brittle and key rollover is a very complicated.
One thing I heard (do not know this deeply) is that a lot about DNSSEC key management depends on the registrar and every registrar does it differently.