The Core

Unfortunately, same experience here. Research. Get confused. Decide that if I'm not worried even about PCI compliance let alone state secrets, I'm going to wait

So I finally looked into this a bit more after analyzing a few sites with Hardenize
https://www.hardenize.com/

Turns out this is not hard or expensive.

You can enable it for free via Cloudflare
First turn it on
https://www.cloudflare.com/dns/dnssec/

Then set it up on your registrar (in my case Namecheap)
https://support.cloudflare.com/hc/en-us/articles/209833347-How-to-add-a-DS-record-to-Namecheap

Or set it up on Namecheap for 40 cents per month

It comes with Namecheap Premium DNS, which is $4.88/year
https://www.namecheap.com/support/knowledgebase/article.aspx/9723/2232/managing-dnssec-for-domains-pointed-to-premium-or-basicdns
https://www.namecheap.com/security/premiumdns.aspx

Or set up your own BIND server for whatever the server costs ($5/month for the slave and master = $10/month).
https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2

In my case, I'm on the Cloudflare + Namecheap option. When I run it through a tester,
https://dnssec-analyzer.verisignlabs.com

 I get this (see attached image - all tests pass)

To the best of my knowledge to get a full DNSSEC stack you'd need registrar-level keys to sign the root, so that might not even be an option.

That is correct. Your registrar and your DNS provider must be able to exchange the hash, I suppose very roughly like a TLS handshake (or probably more like a DKIM verification actually).

So if you can't set the hash, specify the hash schema and algorithm etc at the registrar, there's no point in doing anything at the DNS level. In fact, I think that might just serve to make your site inaccessible, because the hash check would fail and security conscious browsers would block the site.