Sunday 2013-03-31

Haller.ws is now DNSSEC signed, with DLV from dlv.isc.org. Against a validating recursor you can see the "ad" (Authenticated Data) bit set in the response flags; and the zone now has crypto line noise in it.

$ dig +dnssec haller.ws @::1 | grep -E '(ad;|RRSIG)'
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 11
haller.ws.              161     IN      RRSIG   A 5 2 300 20130429113349 20130330113349 18528 haller.ws. 
	BgfK3HNzfNcNr92QmoGXdMd7uP2rwUEHn1yKEOsDlhgPeTQ57SUHzZCb +I2gYCbUL8GIGqHHhr2xD/5n/kPl3Am8kwJC9McRlfChs3o9qsmSaO4+ 
	VQ01jDnddKQGsIdeXjMq6w2L+ZqnXFOQt91TLsexeVp5klnxA1GiN8c9 4P4=
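
An added example (mine, not from the post or the scripts it links) that parses the dig output above: it checks that the recursor set the "ad" flag and splits the wrapped RRSIG into its RFC 4034 fields so the signature's validity window can be checked, since an expired RRSIG is the usual way a freshly signed zone goes dark a month later. The sample text is the record quoted in this post; note the "ad" bit only means anything when you trust the path to the recursor, as with @::1 here.

```python
import re
from datetime import datetime, timezone
# Constructed sample: the dig output quoted in this post (flags line and wrapped RRSIG).
SAMPLE_DIG = """;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 11
haller.ws.              161     IN      RRSIG   A 5 2 300 20130429113349 20130330113349 18528 haller.ws.
    BgfK3HNzfNcNr92QmoGXdMd7uP2rwUEHn1yKEOsDlhgPeTQ57SUHzZCb +I2gYCbUL8GIGqHHhr2xD/5n/kPl3Am8kwJC9McRlfChs3o9qsmSaO4+
    VQ01jDnddKQGsIdeXjMq6w2L+ZqnXFOQt91TLsexeVp5klnxA1GiN8c9 4P4=
"""
# DNSSEC algorithm numbers (IANA registry, subset); this zone signs with 5 = RSASHA1.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256", 15: "ED25519"}

def _ts(s):
    """RRSIG YYYYMMDDHHmmSS timestamp (always UTC) to an aware datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def ad_flag_set(dig_output):
    """True if the recursor set the Authenticated Data flag in the header line."""
    m = re.search(r"^;; flags:([^;]*);", dig_output, re.M)
    return bool(m) and "ad" in m.group(1).split()

def parse_rrsig(dig_output):
    """Re-join dig's wrapped lines and split the RRSIG RDATA (RFC 4034 presentation format)."""
    rows = []
    for line in dig_output.splitlines():
        if line[:1].isspace() and rows:
            rows[-1] += " " + line.strip()  # continuation of the previous record
        else:
            rows.append(line)
    for f in (r.split() for r in rows):
        if len(f) > 12 and f[3] == "RRSIG":
            return {"owner": f[0], "type_covered": f[4], "labels": int(f[6]),
                    "algorithm": ALGORITHMS.get(int(f[5]), "alg" + f[5]),
                    "original_ttl": int(f[7]), "key_tag": int(f[10]), "signer": f[11],
                    "expiration": _ts(f[8]), "inception": _ts(f[9]),
                    "signature_b64": "".join(f[12:])}
    return None

def rrsig_window(sig, now):
    """Classify the signature's validity window at `now`; returns (status, seconds)."""
    if now < sig["inception"]:
        return "not yet valid", int((sig["inception"] - now).total_seconds())
    if now >= sig["expiration"]:
        return "expired", int((now - sig["expiration"]).total_seconds())
    return "valid", int((sig["expiration"] - now).total_seconds())

def check_dig(dig_output, now_str):
    """(ad flag set, window status, seconds) for a point in time in RRSIG timestamp format."""
    status, secs = rrsig_window(parse_rrsig(dig_output), _ts(now_str))
    return ad_flag_set(dig_output), status, secs
```

Feed it the output of `dig +dnssec name @recursor` to get a quick health check; rerun with `+cd` and the "ad" flag should disappear, which confirms the recursor, not the authoritative server, is doing the validating.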

I wrote some scripts to help set things up. A good overview is at http://www.isc.org/files/DNSSEC_in_6_minutes.pdf.

Update:
Apparently, the goodness of DNSSEC cannot be held back and has inspired people to write up a quick walk-through on using the above scripts to set up a validating BIND9 server on Mac OS X.