As for solutions: better education, more improvements to the tools & making it easier. CDS records already help a lot. But we might also need to improve recovery mechanisms, as f-ups are made, and you don't want to be off this Internet thing for too long.

• Enable DNSSEC on your resolvers. Does not require you to sign your zones. Does not require you to read up on what it takes to sign and maintain your zones. Does not require you to worry and test for the next 60 days whether DNSSEC will break your e-mail delivery, e.t.c.:

             dnssec-enable yes;
             dnssec-validation auto;

        Done! Two lines (BIND, in this case), and off you go.

• Step 2 - take your time cluing up on getting your zone signed, and being part of the solution toward a more secure Internet. No pressure, at your pace.

Mark.