Just a follow up for the DNSSEC and DANE TLSA issue I opened, which has been taken up and started making progress on.
I notice the automatic DNSSEC key re-signing screen, plus the DS (delegation signer) screen, these make life easier to get DNSSEC up for a domain.
Although, to get DNSSEC fully automated, it would require some type of web service call to add the DS record to your domain registrar of choice, ie the registrar from whom you are renting the domain name. Which is problematic when you're hosting a domain for a customer and only they have access to their registrar's domain panel.
Anyway, the one part of this request which IS possible to fully automate without any user intervention is the DANE TLSA part.
As soon as you have a TLS certificate (via Lets Encrypt or a paid commercial cert), you can and should add the following for each TLS service port running on the system. Mail, Web, every service using TLS.
Example: _443._tcp.project.exampledomain.com. IN TLSA 3 1 1 cc75c5800c1bc8cff1fa74a360f0c1c697e57a4822163dc09b3f7721dd5949ab
The page which will generate the DANE TLSA records: https://www.huque.com/bin/gen_tlsa This code probably ought to be brought inside virtualmin so it can calculate these records without outside help.
To test the DANE TLSA records: https://www.huque.com/bin/danecheck