DNS and domain security

DNSSEC: when to sign a domain zone

DNSSEC adds cryptographic validation to DNS answers. It matters for business domains, e-mail and services where resistance to spoofing is important.

What does DNSSEC provide?

DNSSEC lets a resolver verify that a DNS answer comes from the correct zone and has not been modified in transit.

It does not encrypt web or mail traffic, but it strengthens the DNS foundation that domains, MX, SPF, DKIM, DMARC and certificates rely on.

What should be checked before deployment?

The DNS zone should be complete and stable first. A wrong DS record or inconsistent delegation can make a domain stop resolving correctly.

When moving to Hostilla.pl, DNSSEC should be planned together with nameserver changes and propagation tests.
