DNSSEC “gets more useful” in Windows 8


Mark Minasi’s Windows Networking Tech page reports on what he learned at Microsoft’s recent BUILD conference about Windows Server 8. He notes that DNSSEC “gets more useful” in this version:

….DNSSEC is an up-and-coming technology that many of you will want to implement on your networks, and you also know that while Microsoft implemented DNSSEC in Windows Server 2008 R2 and Windows 7, their implementation was a bit uneven.  You must sign your zone by taking it offline and running a few pretty long, ugly DNSCMD commands.  It can’t validate zones that use the March 2008 RFC that introduces NSEC3, an innovation that most important zones are using.

With W8S, that changes.  Its new DNS does NSEC3 and can be configured to automatically sign your zones as they change.  Haven’t had time to try it out but it sounds pretty good.
