Thanks @JoshData, now we’re cooking. It’s not how I’d have thought to do it but if that works for you then I’m happy to go that way. We’d thrash out the details some more, but would you agree that in principle we “define” that the presence or absence of $STORAGE_ROOT/dns/dnssec is treated as the definitive flag for whether the user has opted out of DNSSEC or not? I.e. if the directory is present, dns.sh wouldn’t create it but populate it. If it IS present, which it is by default, then it gets populated and the DNS zones get signed etc. Would that still be in line with what you believe you can manage in terms of user education and expectations?
Naturally the appropriate documentation would be essential. That is, if we go ahead with this at all, which is still an open question to me seeing that I’ve not heard back from an overwhelming horde of people who’d like to use it. But rest assured, if I do find motive to make the changes discussed, keeping you happy to accept it into the code is my only objective. I don’t have space in my life to maintain my own fork of MiaB.