I'm playing with setting up DNSSEC on a test domain and running into a bug/RFE; I'm not sure which of two solutions is the correct approach, so I haven't filed it yet.

This is a multiserver setup, with 2 nameservers, one of which is a mirror of the other. When I enabled DNSSEC for a zone, the zone does get signed and things are mostly OK, but the issue is that each nameserver has a different set of signing keys, so the same zone file (same serial number) will get different RRSIGs depending on which server you ask. This may or may not be a problem.

So zones are signed, now add DS records to the registrar, right? I went into ISPConfig to the DNS Zone, checked the "DNSSEC DS-Data for registry" field, copy/pasted the info to the registrar and hit save. At this point I had intermittent DNSSEC success, because the "DNSSEC DS-Data for registry" field only shows the DS records for one of the two nameservers. In fact, that field changes; when you go back in there later you might find the DS records have been updated to the other server's. After adding both sets of DS records to the registrar, DNSSEC works reliably.

So either both nameservers should be using the same signing keys, and hence the same DS records, or the "DNSSEC DS-Data for registry" field should display all DS records that need to be added. I'll file the bug report once I'm clear on where the bug is.
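Added example (not part of the original post and not ISPConfig code): a Python check that derives the DS record from each nameserver's key-signing key, following RFC 4034 and RFC 4509, and reports which servers the registrar's DS set leaves without a matching DS. The zone name, the key bytes and the choice of algorithm 13 are constructed placeholders.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercase) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    # DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(zone, flags, algorithm, public_key):
    """(key tag, algorithm, digest type 2, SHA-256 digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def uncovered_servers(zone, ksk_by_server, registrar_ds):
    """Servers whose KSK has no matching DS in the set held by the registrar."""
    return sorted(server for server, (flags, alg, key) in ksk_by_server.items()
                  if ds_record(zone, flags, alg, key) not in registrar_ds)

# Constructed sample data: placeholder key bytes, not real keys.
ZONE = "example.test"
KSKS = {
    "ns1": (257, 13, bytes(range(64))),       # KSK generated on the primary
    "ns2": (257, 13, bytes(range(64, 128))),  # different KSK on the mirror
}

if __name__ == "__main__":
    only_ns1 = {ds_record(ZONE, *KSKS["ns1"])}
    both = {ds_record(ZONE, *k) for k in KSKS.values()}
    print("DS from ns1 only, uncovered:", uncovered_servers(ZONE, KSKS, only_ns1))
    print("DS from both, uncovered:", uncovered_servers(ZONE, KSKS, both))
```

Against live servers, the key tuples would come from each nameserver's own DNSKEY answer for the zone rather than from the constants used here.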