I've now got ipv6 glue in the roots for pointless.net, and changed to secondary nameservers that are on ipv6, and also do dnssec.

The only thing thats missing is that the blockhosts script (and anti ssh scanner script) dosn't seem to do ipv6 properly, I'll fix it when i get a chance.

I can really recommend the Hurricane Electric tunnel service, it's really straight forward to get running and the certification is a great learning aid.

I've got native IPv6 at home thanks to a solos pci card, and set up a Hurricane Electric tunnel for this server.

Still need to sort out secondary DNS servers tho!

pointless.net zone is now signed, and the key is in the ISC DLV system.

If you use the DNSSEC Validator Firefox add-on you get a green key on the left of the address bar for domains that have valid, verified dnssec signatures, which is nice.

I'm not 100% sure that pointless.net will always work - the secondaries don't support dnssec signing records, even tho the zones they are serving are signed, I'll have to play around a bit more and if needed change secondaries or see if they can be upgraded.

I'm using the DLV system since afaict easyDNS doesn't yet support taking DS records from clients and publishing them to the tld, I've tried several times to find a registrar that does DNSSEC and lets you just give them the DS records and deal with it - most of the DNSSEC supporting registrars seem to only support DNSSEC when you use there nameservers, which i don't want to do.

Also useful to know is www.dnssec-failed.org it's deliberately broken so you can use it to check that zones with broken signatures do get detected. rhybar.cz and badsign-a.test.dnssec-tools.org are also deliberately broken.

For working domains try ietf.org and the page you are on now.