*** ON YOUR AUTHORITATIVE SERVER ***

1. Change to the directory where the zone resides, and make a backup of the zone (assuming it's called "mytld"), just in case:

   # cd /etc/namedb/master
   # cp mytld mytld.backup

2. Generate the first key pair (Zone Signing Key):

   # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mytld
   Kmytld.+005+51333

3. Generate the second key pair (Key Signing Key):

   # dnssec-keygen -f KSK -a RSASHA1 -b 1280 -n ZONE mytld
   Kmytld.+005+52159

4. Let's look at the keys:

   # ls -l Kmytld.+005+5*
   -rw-r--r--  1 root  wheel   203 Nov 29 00:07 Kmytld.+005+51333.key
   -rw-------  1 root  wheel   937 Nov 29 00:07 Kmytld.+005+51333.private
   -rw-r--r--  1 root  wheel   247 Nov 29 00:07 Kmytld.+005+52159.key
   -rw-------  1 root  wheel  1125 Nov 29 00:07 Kmytld.+005+52159.private

5. Add the public keys to the end of the zone file:

   # cat >> mytld
   ; Keys to be published in DNSKEY RRset
   $include "Kmytld.+005+51333.key" ; ZSK
   $include "Kmytld.+005+52159.key" ; KSK
   ^D

6. Sign the zone with the keys:

   # cd /etc/namedb/master
   # dnssec-signzone -g -o mytld -k Kmytld.+005+52159 mytld Kmytld.+005+51333
   Verifying the zone using the following algorithms: RSASHA1.
   Zone signing complete:
   Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                       ZSKs: 1 active, 0 stand-by, 0 revoked
   mytld.signed
   # ls -l mytld*
   -rw-r--r--  1 root  wheel   292 Nov 29 00:08 mytld
   -rw-r--r--  1 root  wheel  4294 Nov 29 00:20 mytld.signed

7. Notice that a set of DS records has been generated, and is ready to be communicated to your parent zone:

   # ls -l dsset-*
   -rw-r--r--  1 root  wheel  155 Nov 29 00:22 dsset-mytld.

   Look at the contents of the dsset:

   # cat dsset-mytld.

8. Change the /etc/namedb/named.conf definition that loads the zone so that it points to the signed zone:

   zone "mytld" {
       type master;
       file "/etc/namedb/master/mytld.signed";
   };

9. Also in named.conf, enable DNSSEC (for the authoritative part): in the options { .. }; section, add the following:

   dnssec-enable yes;

10. Reconfigure/restart your nameserver:

   # rndc reconfig

11. Test that the nameserver is answering with DNSSEC records:

   # dig @127.0.0.1 mytld SOA +dnssec

12. That's it - you now need to communicate the DS to your parent.
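As an added example (not part of the original handout, and not BIND's own code), the following Python derives the key tag that dnssec-keygen puts in the key file name (the +52159 part) and the DS record that dnssec-signzone writes to dsset-mytld., so the DS you hand to the parent can be checked against the DNSKEY actually published in the zone. The DNSKEY line and its public-key bytes are constructed, not a real key.

```python
import base64
import hashlib

# Constructed sample DNSKEY in presentation format (NOT a real key): the
# public-key field is a tiny made-up RSA blob (exponent length, exponent,
# modulus) so the resulting key tag can be checked by hand.
SAMPLE_KEY_BYTES = bytes([0x01, 0x03, 0xAB, 0xCD, 0xEF, 0x12])
SAMPLE_DNSKEY_LINE = "mytld. IN DNSKEY 257 3 5 " + base64.b64encode(SAMPLE_KEY_BYTES).decode()

# DS digest types: 1 = SHA-1, 2 = SHA-256 (both appear in a BIND dsset file)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(line):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg key...' -> (owner, rdata)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return owner, rdata


def key_tag(rdata):
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(dnskey_line, digest_type=2):
    """DS RR for a DNSKEY: digest is over owner-name wire format + RDATA."""
    owner, rdata = parse_dnskey(dnskey_line)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def verify_ds(ds_line, dnskey_line):
    """True if the DS line matches the DNSKEY (the check the parent performs)."""
    fields = ds_line.split()
    digest_type = int(fields[fields.index("DS") + 3])
    return ds_record(dnskey_line, digest_type).split() == fields
```

Feed it the contents of Kmytld.+005+52159.key and compare the output with dsset-mytld. before sending the DS to the parent; a mismatch means the zone publishes a different KSK than the one you are about to delegate to.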