*** ON YOUR AUTHORITATIVE SERVER ***

1. Change to the directory where the zone resides, and make a backup of the zone (assuming it's called "mytld"), just in case:

   # cd /etc/namedb/master
   # cp mytld mytld.backup

2. Generate the first key pair (Zone Signing Key):

   # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mytld
   Kmytld.+005+51333

3. Generate the second key pair (Key Signing Key):

   # dnssec-keygen -f KSK -a RSASHA1 -b 1280 -n ZONE mytld
   Kmytld.+005+52159

4. Let's look at the keys:

   # ls -l Kmytld.+005+5*
   -rw-r--r--  1 root  wheel   203 Nov 29 00:07 Kmytld.+005+51333.key
   -rw-------  1 root  wheel   937 Nov 29 00:07 Kmytld.+005+51333.private
   -rw-r--r--  1 root  wheel   247 Nov 29 00:07 Kmytld.+005+52159.key
   -rw-------  1 root  wheel  1125 Nov 29 00:07 Kmytld.+005+52159.private

   Note that the .private files are readable by root only; keep them that way.

5. Add the public keys to the end of the zone file. Edit the zone file for "mytld" and add the keys at the end:

   ; Keys to be published in DNSKEY RRset
   $include "/etc/namedb/master/Kmytld.+005+51333.key" ; ZSK
   $include "/etc/namedb/master/Kmytld.+005+52159.key" ; KSK

   Save and exit.

6. Sign the zone with the keys:

   # cd /etc/namedb/master
   # dnssec-signzone -N increment -o mytld -k Kmytld.+005+52159 mytld Kmytld.+005+51333
   Verifying the zone using the following algorithms: RSASHA1.
   Zone signing complete:
   Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                       ZSKs: 1 active, 0 stand-by, 0 revoked
   mytld.signed

   Note: the "-N increment" option automatically increments the serial of your zone. This is required, otherwise your slave server will not pick up the change!

   # ls -l mytld*
   -rw-r--r--  1 root  wheel   292 Nov 29 00:08 mytld
   -rw-r--r--  1 root  wheel  4294 Nov 29 00:20 mytld.signed

7. Notice that a set of DS records has been generated, and is ready to be communicated to your parent zone:

   # ls -l dsset-*
   -rw-r--r--  1 root  wheel  155 Nov 29 00:22 dsset-mytld.

   Look at the contents of the dsset:

   # cat dsset-mytld.

8. Change the /etc/namedb/named.conf definition that loads the zone, to point to the signed zone:

   zone "mytld" {
       type master;
       file "/etc/namedb/master/mytld.signed";
   };

9. Also in named.conf, enable DNSSEC (for the authoritative part): in the options { ... }; section, add the following:

   dnssec-enable yes;

10. Reconfigure/restart your nameserver:

   # rndc reconfig

11. Test that the nameserver is answering with DNSSEC records (the answer section should now carry RRSIG records next to the SOA):

   # dig @127.0.0.1 mytld SOA +dnssec

12. Now you need to make sure that your slave has ALSO enabled dnssec in their nameserver configuration (step 9). They should have done it since they are working on the same lab, but check anyway! To test:

   # dig @10.10.Y.1 mytld SOA +dnssec

   ... where Y is the IP of the partner you picked to be slave for your domain.

13. That's it - you now need to communicate the DS to your parent.
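Before handing the dsset-mytld. file to the parent, it is worth checking that the DS records in it really describe the KSK you published in the zone: a DS whose key tag or digest does not match the DNSKEY makes the whole zone fail validation once the parent publishes it. The script below is an added example, not part of the lab sheet or of BIND; it re-implements the key tag computation (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4) in plain Python and checks a DS line against a DNSKEY line. The sample KSK record is constructed for the example (its key material is a tiny placeholder, not a real 1280-bit RSA key), so the key tag 45781 it shows is not the 52159 from the lab.

```python
"""Check that a DS record matches the KSK it claims to cover (RFC 4034).

Added example, not from the lab sheet or from BIND. Feed it the contents of
Kmytld.+005+NNNNN.key and one line of dsset-mytld. to confirm that key tag,
algorithm and digest all line up before the parent publishes the DS.
"""
import base64
import hashlib

# Constructed sample KSK in the format dnssec-keygen writes to a .key file.
# The base64 blob is a placeholder key, not real RSA key material.
SAMPLE_KSK = """; This is a key-signing key, keyid 45781, for mytld.
mytld. IN DNSKEY 257 3 5 AwEAAavN
"""

# DS digest types: 1 = SHA-1, 2 = SHA-256 (both appear in BIND's dsset files).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_dnskey(text):
    """Return (owner, flags, protocol, algorithm, rdata) for the first DNSKEY RR in text."""
    for line in text.splitlines():
        tok = line.split(";")[0].split()          # drop trailing comments
        if "DNSKEY" not in tok:
            continue
        i = tok.index("DNSKEY")
        owner = tok[0]
        flags, proto, alg = (int(x) for x in tok[i + 1:i + 4])
        pubkey = base64.b64decode("".join(tok[i + 4:]))  # base64 may be split into several tokens
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
        return owner, flags, proto, alg, rdata
    raise ValueError("no DNSKEY record found")


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except obsolete RSAMD5, alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(dnskey_text, digest_type=2):
    """Build the DS RR (as a dsset- file line) that the parent would publish for this DNSKEY."""
    owner, _flags, _proto, alg, rdata = parse_dnskey(dnskey_text)
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_matches(dnskey_text, ds_text):
    """True if the DS line's owner, key tag, algorithm, digest type and digest all match the DNSKEY."""
    tok = ds_text.split()
    i = tok.index("DS")
    tag, alg, dtype = (int(x) for x in tok[i + 1:i + 4])
    if dtype not in DIGEST_ALGS:
        return False
    given = [tok[0].lower(), tag, alg, dtype, "".join(tok[i + 4:]).upper()]
    e = ds_record(dnskey_text, dtype).split()
    expected = [e[0].lower(), int(e[3]), int(e[4]), int(e[5]), e[6]]
    return given == expected


if __name__ == "__main__":
    # Print the DS lines a correct dsset-mytld. would contain for the sample KSK.
    for dtype in (1, 2):
        print(ds_record(SAMPLE_KSK, dtype))
```

Run it against the real files with `ds_matches(open("Kmytld.+005+52159.key").read(), line)` for each line of dsset-mytld.; every line should come back True. Note that the signed zone's DNSKEY RRset also contains the ZSK, but only the KSK (flags 257) is referred to by the DS.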