At time of writing, Webmin handles DNSSEC pretty well actually, it’s mostly straight forward to set up DNSSEC if you know your way around DNS well enough already. The only problem is if you haven’t actually set up DNSSEC manually before, it can be confusing when you use Webmin to autogenerate your keys and autosign your zone only to find you’re being asked for stuff by your upstream domain provider that the Webmin control panel isn’t displaying to you.
What you need is your DS set, which on CentOS 7 is located at /var/named/dsset-<zone_name>. And it looks a bit like this:
Where 12345 is your key ID, 8 represents your algorithm type and 1 and 2 represents the digest algorithm. You’ll need to add both to your upstream DNS provider. Beware that the 64-char hash seems to contain an arbitrary space, which some providers may not validate, so you might need to remove it after pasting it in.
Give it about 5 or 10 minutes and your TLD’s zone should be updated with your new DS records, and providing everything went okay, you should be able to validate your DNSSEC setup here: http://dnssec-debugger.verisignlabs.com/