NOTE: This may be out of date. In early 2021 I fucked with this and now the command to sign zones should be shorter. I just forget where I saved the syntax.
When you install BIND you should also install haveged (an entropy generator that makes key generation much faster) and ntp (because every DNS server needs its time synchronized: DNSSEC signatures carry absolute inception and expiry times, so a skewed clock makes otherwise valid signatures fail).
$ sudo apt-get install bind9 haveged ntp
Then you have to make a ZSK (zone-signing key) and a KSK (key-signing key), eh. The first dnssec-keygen below makes the ZSK, the second (with -f KSK) makes the KSK:
# cd /etc/bind/zones/domain.tld
# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE domain.tld
# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE domain.tld
Then include the keys in the zone file with a script like this:
for key in Kdomain.tld*.key
do
    echo "\$INCLUDE $key" >> domain.tld.zone
done
(Run it once: every run appends the $INCLUDE lines again.)
And then sign the zone file
# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o domain.tld -t domain.tld.zone
The DS records need to be sent to the registrar for insertion into the .ca registry (the parent zone) and are found in the file
/etc/bind/zones/domain.tld/dsset-domain.tld.
Note the dot at the end of that filename.
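The three steps above (generate keys, include them, sign) as one script, added here as an example and not part of the original notes. It keeps the algorithm and key sizes the notes use (current BIND defaults to ECDSAP256SHA256, and RFC 8624 deprecates signing with the RSASHA1 family), but changes two things a practitioner will want: the $INCLUDE loop only adds a key once, so re-running it after a key rollover does not duplicate lines, and the NSEC3 salt is drawn from /dev/urandom, which never blocks the way reading 1000 bytes from /dev/random can on a fresh server. Paths (/etc/bind/zones/domain.tld, domain.tld.zone) and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes BIND's dnssec-keygen and
# dnssec-signzone are installed and that you run it from the zone directory
# (e.g. /etc/bind/zones/domain.tld); those paths are assumptions.
set -eu

# 16 hex characters (8 random bytes) for the NSEC3 salt. /dev/urandom never
# blocks, so signing does not hang waiting for entropy.
gen_salt() {
    head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Generate the ZSK and the KSK for zone $2 inside directory $1
# (same algorithm and sizes as the notes above).
make_keys() {
    dir=$1; zone=$2
    ( cd "$dir" &&
      dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE "$zone" &&
      dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE "$zone" )
}

# Append "$INCLUDE <keyfile>" to zone file $1 for every K<zone>*.key in
# directory $2, skipping keys already included. Prints the number added.
add_includes() {
    zonefile=$1; dir=$2; zone=$3; added=0
    for key in "$dir"/K"$zone"*.key; do
        [ -f "$key" ] || continue
        name=$(basename "$key")
        if ! grep -qF "\$INCLUDE $name" "$zonefile"; then
            printf '$INCLUDE %s\n' "$name" >> "$zonefile"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Sign zone $2 held in file $1 with a fresh NSEC3 salt and an incremented
# serial. Output: $1.signed plus dsset-$2. (note the trailing dot) with the
# DS records to hand to the registrar.
sign_zone() {
    zonefile=$1; zone=$2
    dnssec-signzone -A -3 "$(gen_salt)" -N INCREMENT -o "$zone" -t "$zonefile"
    if [ -f "dsset-$zone." ]; then
        echo "DS records for the registrar are in dsset-$zone."
    fi
}

# Usage (assumed layout, run as root from the zone directory):
#   cd /etc/bind/zones/domain.tld
#   make_keys . domain.tld
#   add_includes domain.tld.zone . domain.tld
#   sign_zone domain.tld.zone domain.tld
```

After signing, point named at domain.tld.zone.signed rather than the unsigned file, and re-run sign_zone before the signatures expire (the -e default in dnssec-signzone is 30 days), since an expired RRSIG makes validating resolvers return SERVFAIL for the whole zone.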