So enabling DNSSEC was easier than I thought. All I had to do was transfer my domains to a new registrar! So i'm now registered with gandi.net — the transfer process was painless, and luckily I wasn't charged for the privilege. I think the most gruelling part was entering the IPS tag for my 10-year old domain, and having it disappear from the dashboard. The on-boarding process took ten minutes or less, but if felt like a lifetime.
In fairness, 123-reg have been mostly okay for the last 10 years. They never lost my domains or anything like that. Unfortunately they haven't evolved much in that time either. They still don't offer two factor authentication, which I dislike, but I've also previously tried and failed to get a DS record added by their support team. Gandi support both OTP and UTF devices, and there's a simple form to enter the DS public key. Oh and no security questions and answers!
I have hosted my DNS with cloudflare for a few years now, and all I had to do was copy-paste the public key. Behold!
> dig michaeloldroyd.co.uk +dnssec +multi ; <<>> DiG 9.10.3-P4-Debian <<>> michaeloldroyd.co.uk +dnssec +multi ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28889 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;michaeloldroyd.co.uk. IN A ;; ANSWER SECTION: michaeloldroyd.co.uk. 299 IN A 22.214.171.124 michaeloldroyd.co.uk. 299 IN RRSIG A 13 3 300 ( 20180203225447 20180201205447 35273 michaeloldroyd.co.uk. 56Q8v9fn+7/I5dQ2PTbco22BubILf8bFlg2qaqkfzcR0 V53LT7G9K2LpYaWMjgQYwFrZYmBZG1wD5mB1Mgw+Dg== )
Now let's see if I lose all my domains, and I rue the day I transferred them in the name of shiny signed DNS records 🙄