The dnssec-validator.cz team released an updated version of their plugin with added support for validating TLSA records. You can get it here for Firefox, Chrome and Internet Explorer across multiple platforms and 32 & 64 bit architectures.
You can find the slides here.
I noticed a few days ago that Postfix had TLSA support added.
I also noticed that there's now another TLSA plugin for Firefox, DANE Patrol. Unfortunately it doesn't seem to work very well :(
I've now got IPv6 glue in the roots for pointless.net, and changed to secondary nameservers that are on IPv6, and also do DNSSEC.
The only thing that's missing is that the blockhosts script (and anti SSH scanner script) doesn't seem to do IPv6 properly. I'll fix it when I get a chance.
I can really recommend the Hurricane Electric tunnel service. It's really straightforward to get running and the certification is a great learning aid.
It's running but the lack of secure secondaries is definitely a problem.
There's a more advanced Firefox DNSSEC validator add-on here. It has a mechanism based on the DANE drafts to stash an SSL cert fingerprint into DNS. I've put the records in the pointless.net zone, but not tried the validator; it's for Firefox 4 only.
Chrome has something similar but it appears to be the opposite way round: you store the DNSSEC chain of trust in your site's SSL cert and Chrome can verify it. I'm not sure if that's possible with the CACert certificate I'm using.
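The certificate-fingerprint-in-DNS mechanism mentioned above, as an added example (not code from this blog or from either add-on): it builds and checks a TLSA record using the field layout of RFC 6698, which may differ from the draft the Firefox add-on implemented. The function names, the `example.com` owner name and the sample bytes are assumptions made for the illustration.

```python
import hashlib

# Matching types from RFC 6698: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
_MATCHERS = {
    0: lambda der: der,
    1: lambda der: hashlib.sha256(der).digest(),
    2: lambda der: hashlib.sha512(der).digest(),
}


def make_tlsa(cert_der, usage=3, matching_type=1):
    """Return TLSA RDATA (presentation format) for a full certificate, selector 0."""
    if usage not in (0, 1, 2, 3):
        raise ValueError("unknown certificate usage")
    data = _MATCHERS[matching_type](cert_der)
    return f"{usage} 0 {matching_type} {data.hex()}"


def parse_tlsa(rdata):
    """Split presentation-format RDATA into (usage, selector, matching_type, data)."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA RDATA needs four fields")
    usage, selector, mtype = (int(f) for f in fields[:3])
    # Zone files may break the hex string into several whitespace-separated chunks.
    data = bytes.fromhex("".join(fields[3:]))
    return usage, selector, mtype, data


def cert_matches(rdata, cert_der):
    """True if the certificate the server presented matches the TLSA record.
    Only meaningful when the TLSA RRset itself was DNSSEC-validated."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if selector != 0:
        # Selector 1 hashes only the SubjectPublicKeyInfo, which needs an ASN.1 parser.
        raise NotImplementedError("only selector 0 (full certificate) is handled here")
    if mtype not in _MATCHERS:
        return False  # unknown matching type: treat the record as unusable
    return _MATCHERS[mtype](cert_der) == data


# Constructed stand-in bytes, not a real certificate; selector 0 treats DER as opaque.
SAMPLE_DER = bytes.fromhex("3082010a0282010100") + b"constructed-sample" * 4

if __name__ == "__main__":
    record = make_tlsa(SAMPLE_DER)
    print("_443._tcp.example.com. IN TLSA", record)
    print("match:", cert_matches(record, SAMPLE_DER))
    print("tampered:", cert_matches(record, SAMPLE_DER + b"\x00"))
```

With a real certificate, pass its DER encoding (for example the output of `ssl.PEM_cert_to_DER_cert`) in place of `SAMPLE_DER`.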
If you use the DNSSEC Validator Firefox add-on you get a green key on the left of the address bar for domains that have valid, verified DNSSEC signatures, which is nice.
I'm not 100% sure that pointless.net will always work. The secondaries don't support DNSSEC signing records, even though the zones they are serving are signed. I'll have to play around a bit more and if needed change secondaries or see if they can be upgraded.
I'm using the DLV system since afaict easyDNS doesn't yet support taking DS records from clients and publishing them to the TLD. I've tried several times to find a registrar that does DNSSEC and lets you just give them the DS records and deal with it. Most of the DNSSEC supporting registrars seem to only support DNSSEC when you use their nameservers, which I don't want to do.
Also useful to know is www.dnssec-failed.org. It's deliberately broken so you can use it to check that zones with broken signatures do get detected. rhybar.cz and badsign-a.test.dnssec-tools.org are also deliberately broken.
For working domains try ietf.org and the page you are on now.