Well, all in all, the DNSSEC part isn’t that big a deal to me. Either use it or don’t, see my answer here: Experiments with External DNS - #8 by miabuser
However, what I see as well is that many of the records shown on the External DNS page or in the zone files are not needed if you are using external DNS. So I guess that part could be improved. Whether the export of the records should or can be further automated, I don’t know. I think this is probably beyond the scope of a project like Mail in a Box.
However, since Josh has expressed what changes he would accept in the meantime, I guess there’s no need to continue our discussion at this point