One page howto for signing your DNS zone with DNSSEC

*** ON YOUR AUTHORITATIVE SERVER ***

1. Change to the directory where the zone resides:

   # cd /etc/namedb/master

2. Generate the first key pair (Zone Signing Key, ZSK):

   # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE tld
   Ktld.+005+51333

3. Generate the second key pair (Key Signing Key, KSK):

   # dnssec-keygen -f KSK -a RSASHA1 -b 1280 -n ZONE tld
   Ktld.+005+52159

4. Let's look at the keys:

   # ls -l Ktld.+005+5*
   -rw-r--r--  1 root  wheel   203 Nov 29 00:07 Ktld.+005+51333.key
   -rw-------  1 root  wheel   937 Nov 29 00:07 Ktld.+005+51333.private
   -rw-r--r--  1 root  wheel   247 Nov 29 00:07 Ktld.+005+52159.key
   -rw-------  1 root  wheel  1125 Nov 29 00:07 Ktld.+005+52159.private

5. Add the public keys to the end of the zone file:

   # cat >> tld
   ; Keys to be published in DNSKEY RRset
   $include "Ktld.+005+51333.key" ; ZSK
   $include "Ktld.+005+52159.key" ; KSK
   ^D

6. Sign the zone with the keys:

   # cd /etc/namedb/master
   # dnssec-signzone -g -o tld -k Ktld.+005+52159 tld Ktld.+005+51333
   tld.signed
   # ls -l tld*
   -rw-r--r--  1 root  wheel   292 Nov 29 00:08 tld
   -rw-r--r--  1 root  wheel  4294 Nov 29 00:20 tld.signed

7. Change the zone definition in /etc/namedb/named.conf that loads the zone, so that it points to the signed zone:

   zone "tld" {
       type master;
       file "master/tld.signed";
   };

8. Reconfigure/restart your nameserver.

*** ON YOUR RESOLVER ***

1. Add the trusted key to your resolver, in named.conf. This is your KSK, in a slightly different format (in this case, the contents of file keys/Kexample.net.+005+16687.key):

   trusted-keys {
       "tld." 257 3 5 "AwEAA......5bmK8=";  // KeyID=
   };

2. Reconfigure your nameserver, and attempt to query:

   # rndc reconfig
   # dig @localhost soa tld. +dnssec

3. Check the output for the 'ad' (authenticated data) flag in the header.
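Two small helpers for the resolver side, added here as an example and not part of the original howto: the first turns a dnssec-keygen .key file into the trusted-keys statement of step 1 and refuses any key whose flags field is not 257 (a KSK with the SEP bit set, as opposed to 256 for a ZSK); the second checks dig output for the 'ad' flag of step 3. The key material and dig header below are constructed samples, not real keys or real query output; the function names are my own.

```shell
#!/bin/sh
# Helpers for configuring and checking a validating BIND resolver.
# Constructed sample .key files (placeholder key material, split into two
# base64 chunks the way newer dnssec-keygen versions write it):
SAMPLE_KSK='; This is a key-signing key, keyid 52159, for tld.
tld. IN DNSKEY 257 3 5 AwEAAPLACEHOLDER KEYMATERIAL5bmK8='
SAMPLE_ZSK='; This is a zone-signing key, keyid 51333, for tld.
tld. IN DNSKEY 256 3 5 AwEAAPLACEHOLDER ZSKMATERIALxyz='

# Constructed dig headers: one from a validating resolver, one without 'ad'.
DIG_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
DIG_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# dnskey_flags: print the flags field of the first DNSKEY record on stdin.
# Comment lines (starting with ';') are skipped; the record may or may not
# carry a TTL, so the DNSKEY field is located rather than assumed at $3.
dnskey_flags() {
    awk '$1 ~ /^;/ { next }
         { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i+1); exit } }'
}

# to_trusted_keys: stdin is a .key file, stdout is a named.conf trusted-keys
# block. Exits 1 (with a message on stderr) unless the key is a KSK (flags 257).
# The base64 chunks are joined because trusted-keys wants one quoted string.
to_trusted_keys() {
    awk '$1 ~ /^;/ { next }
    {
        for (i = 1; i <= NF; i++) if ($i == "DNSKEY") break
        if (i > NF) next
        flags = $(i+1); proto = $(i+2); alg = $(i+3)
        key = ""
        for (j = i + 4; j <= NF; j++) key = key $j
        if (flags != 257) {
            print "refusing key with flags " flags ": not a KSK" > "/dev/stderr"
            exit 1
        }
        printf "trusted-keys {\n    \"%s\" %s %s %s \"%s\";\n};\n", $1, flags, proto, alg, key
        exit 0
    }'
}

# has_ad_flag: stdin is dig output; returns 0 if the header flags contain
# "ad" (authenticated data), i.e. the resolver validated the answer.
has_ad_flag() {
    awk '/^;; flags:/ {
            sub(/^;; flags:/, ""); sub(/;.*/, "")
            for (i = 1; i <= NF; i++) if ($i == "ad") found = 1
         }
         END { exit found ? 0 : 1 }'
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_KSK" | to_trusted_keys
printf '%s\n' "$SAMPLE_ZSK" | to_trusted_keys || echo "ZSK correctly rejected"
printf '%s\n' "$DIG_AD" | has_ad_flag && echo "sample 1: validated (ad set)"
printf '%s\n' "$DIG_NOAD" | has_ad_flag || echo "sample 2: not validated (no ad)"
```

On a live system the same functions take real input: `to_trusted_keys < Ktld.+005+52159.key >> named.conf` produces the statement for step 1, and `dig @localhost soa tld. +dnssec | has_ad_flag` performs the check of step 3 in a form a monitoring script can act on. Feeding the ZSK file by mistake is caught, because only the KSK belongs in trusted-keys.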