The following steps are taken from tips from the .pr and .gov TLDs. There really
isn't much to the initial signing of the zone. There are some considerations and
consequences to make sure you are aware of:
- Signing with any software prior to BIND 9.6.0 (NSEC only) opens your zone up to enumeration: a name such as testpay.domain.net that was effectively hidden in domain.net before signing becomes discoverable through the NSEC records returned in NXDOMAIN responses.
- Upgrading to BIND 9.6.0 does not automatically enable NSEC3, which hashes the child names and protects them from enumeration.
- Many organizations want all children enumerable/walkable by Google, MSN, Yahoo, etc., so they do not want to sign using NSEC3.
- The salt used when signing with NSEC3 should change every time you sign the zone.
- Using the -A (opt-out) option when signing with NSEC3 does not protect against negative existence validation, which is a way to validate that a domain name does not exist.
- The basic signing steps are: generate keys, sign the zone, and upload the generated DSSET file to the parent domain's administration server.
- Your zone should be re-signed at least every 90 days and whenever the zone changes.
- Upload the auto-generated DSSET to the parent domain's administration server after signing whenever its contents change. You can use this simple NSEC3 zone signing shell script to know when to upload:
# keep the previous two DSSETs so the new one can be compared after signing
cp last-dsset.txt old-dsset.txt
mv dsset-domain.net. last-dsset.txt
# fresh random 8-hex-digit NSEC3 salt on every run (the salt should change each signing)
SALT=$(head -c 4 /dev/urandom | od -An -tx1 | tr -d ' \n')
# -a verifies the signatures, -N increment bumps the SOA serial, -H 10 sets NSEC3 iterations,
# -k names the KSK, the trailing key name is the ZSK
dnssec-signzone -a -N increment -H 10 -3 "$SALT" \
  -k Kdomain.net.+007+56487 \
  -o domain.net domain.net Kdomain.net.+007+62648
# any output here means the new DSSET differs and must be uploaded to the parent
diff dsset-domain.net. last-dsset.txt
If there is a difference in the DSSET file, it will need to be uploaded to the
parent zone administration system. Some administration systems (like .gov)
will use the initial key uploaded to automate this task for their children. There
are products available to manage this for any sized organization or name service.
Be sure to publish both the old and new KSK when rolling keys and double sign the
zone with both keys for the full TTL period to allow for a graceful retirement of
keys within your zones.
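A plain diff only says that the DSSET changed; the parent operator needs to know which DS records to add and which to retire. The following is an added example, not part of the original tips: a POSIX sh helper that normalises two DSSET files and reports the DS records that differ. File names and the KSK tag 56487 follow the script above; the DS lines, digests and the second key tag 31415 are constructed samples.

```shell
#!/bin/sh
# Added example: compare the previous DSSET with the one dnssec-signzone just wrote
# and report what the parent must add or remove. DS lines below are constructed.

write_samples() {
  # last-dsset.txt: what the parent currently holds (one KSK, SHA-1 and SHA-256 DS)
  cat > last-dsset.txt <<'EOF'
domain.net. IN DS 56487 7 1 0123456789ABCDEF0123456789ABCDEF01234567
domain.net. IN DS 56487 7 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
EOF
  # dsset-domain.net.: written after signing with a second KSK (tag 31415, constructed)
  cat > dsset-domain.net. <<'EOF'
domain.net. IN DS 56487 7 1 0123456789ABCDEF0123456789ABCDEF01234567
domain.net. IN DS 56487 7 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
domain.net. IN DS 31415 7 2 FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210
EOF
}

# Normalise DS lines to "keytag algorithm digesttype DIGEST", sorted, so that
# whitespace, record order or digest case cannot masquerade as a key change.
ds_norm() {
  awk '$3 == "DS" { d = ""; for (i = 7; i <= NF; i++) d = d $i
                    print $4, $5, $6, toupper(d) }' "$1" | sort
}

# ds_changes OLD NEW: print DS records the parent must add (+) or may retire (-).
# Exit status 0 = upload needed, 1 = parent already matches the new DSSET.
ds_changes() {
  o=$(mktemp) || return 2
  n=$(mktemp) || return 2
  ds_norm "$1" > "$o"
  ds_norm "$2" > "$n"
  comm -13 "$o" "$n" | sed 's/^/+ /'   # only in NEW: DS to add at the parent
  comm -23 "$o" "$n" | sed 's/^/- /'   # only in OLD: DS no longer in the zone
  if cmp -s "$o" "$n"; then rc=1; else rc=0; fi
  rm -f "$o" "$n"
  return $rc
}
```

Run `write_samples` and then `ds_changes last-dsset.txt dsset-domain.net.` to see the single `+ 31415 7 2 ...` line a KSK pre-publish would produce; a zero exit status is the signal to upload.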
To sign with BIND 9.6.0 and NSEC or NSEC3, use the following instructions.
Remember, you must substitute your own domain name for 'official.gov':
http://www.dotgov.gov/Quickstart.html
To sign using NSEC only, follow the Option B steps in the above instructions.
After signing the zone, restarting your named service and uploading the public
KSK to the parent, you can test key validation at the dnssecreport web site:
http://www.dnssecreport.com/DNSSECReport/DNSKeyReport.aspx