Haller.ws is now DNSSEC signed with DLV from dlv.isc.org. With a validating recursor, you can see the authenticated "ad" bit; and the zone now has crypto line noise in it.
$ dig +dnssec haller.ws @::1 | grep -E '(ad;|RRSIG)' ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 11 haller.ws. 161 IN RRSIG A 5 2 300 20130429113349 20130330113349 18528 haller.ws. BgfK3HNzfNcNr92QmoGXdMd7uP2rwUEHn1yKEOsDlhgPeTQ57SUHzZCb +I2gYCbUL8GIGqHHhr2xD/5n/kPl3Am8kwJC9McRlfChs3o9qsmSaO4+ VQ01jDnddKQGsIdeXjMq6w2L+ZqnXFOQt91TLsexeVp5klnxA1GiN8c9 4P4=
I wrote some scripts to help set things up. A good overview is at http://www.isc.org/files/DNSSEC_in_6_minutes.pdf.
Apparently, the goodness of DNSSEC cannot be held back and has inspired people to write up a quick walk-through on using the above scripts to set up a validating BIND9 server on Mac OS X.