- You must actively maintain the extra DNSSEC data, including securing the DNSSEC private key data used to sign zones.
- If the key information is compromised, you must take immediate action to rollover (replace) the key.
- You may have to educate your customers on how to make their software DNSSEC-aware.
- There have been a few reported cases of bugs in network gear, such as routers, switches, and wireless access points that require end-users to upgrade their network gear in order to resolve signed domain names.