***** Manual DNSSEC Zone Signing *****

*** ON YOUR AUTHORITATIVE SERVER auth1.grpX.ws.nsrc.org ***

1. Change to the directory where the zone resides, and make a backup of
   the zone (assuming it's called MYNAME), just in case:

       $ sudo -s            (to become root)
       # cd /etc/namedb/master
       # cp MYNAME MYNAME.backup

   Also create a directory for the keys to live in, and change into it;
   we will create the keys there:

       # mkdir /etc/namedb/keys
       # chown bind /etc/namedb/keys
       # cd /etc/namedb/keys

2. Generate the first key pair (Zone Signing Key, or ZSK):

       # dnssec-keygen -a RSASHA256 -b 1024 -n ZONE MYNAME

   The output will be of the form KMYNAME.+008+nnnnn (the +008 is the
   algorithm number for RSASHA256, and nnnnn is the key tag). A 1024-bit
   RSA ZSK is the lab size; for a production zone use at least 2048 bits.

3. Generate the second key pair (Key Signing Key, or KSK):

       # dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE MYNAME

   The output will be of the form KMYNAME.+008+bbbbb

4. Let's look at the keys:

       # ls -l KMYNAME.+008+*
       -rw-r--r--  1 root  wheel   203 Nov 29 00:07 KMYNAME.+008+nnnnn.key
       -rw-------  1 root  wheel   937 Nov 29 00:07 KMYNAME.+008+nnnnn.private
       -rw-r--r--  1 root  wheel   247 Nov 29 00:07 KMYNAME.+008+bbbbb.key
       -rw-------  1 root  wheel  1125 Nov 29 00:07 KMYNAME.+008+bbbbb.private

   The .key files hold the public keys (DNSKEY records) and go into the
   zone; the .private files are the signing keys. Keep them mode 0600 and
   never copy them to the slave.

5. Add the public keys to the end of the zone file. Edit the zone file for
   MYNAME and add the lines corresponding to your keys:

       # cd /etc/namedb/master
       (edit the file MYNAME, and add the lines corresponding to your keys)

       ; Keys to be published in DNSKEY RRset
       $include "/etc/namedb/keys/KMYNAME.+008+nnnnn.key"   ; ZSK
       $include "/etc/namedb/keys/KMYNAME.+008+bbbbb.key"   ; KSK

   Increment the serial number. Save and exit.

6. Sign the zone with the keys:

       # cd /etc/namedb/keys
       # dnssec-signzone -x -o MYNAME -k KMYNAME.+008+bbbbb ../master/MYNAME KMYNAME.+008+nnnnn

   (Note: the command above should all be on one line, even if it wraps on
   the screen.) -k names the KSK, the trailing argument names the ZSK, and
   -x makes the DNSKEY RRset signed by the KSK only. The output should be:

       Verifying the zone using the following algorithms: RSASHA256.
       Zone signing complete:
       Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                             ZSKs: 1 active, 0 stand-by, 0 revoked
       MYNAME.signed

   The signed zone has been written out in the master/ directory, so let's
   check it out:

       # cd /etc/namedb/master/
       # ls -l MYNAME*
       -rw-r--r--  1 root  wheel   292 Nov 29 00:08 MYNAME
       -rw-r--r--  1 root  wheel  4294 Nov 29 00:20 MYNAME.signed

   Take a look (cat, less, more) at the zone contents, and observe the new
   records (DNSKEY, RRSIG, NSEC) and signatures. Note that every RRSIG
   carries an expiry time (by default 30 days after signing): every change
   to MYNAME must be followed by a re-run of dnssec-signzone, and the zone
   must be re-signed before the signatures expire even if nothing changes,
   or validating resolvers will start returning SERVFAIL for it.

7. Notice that a set of DS records has been generated, and is ready to be
   communicated to your parent zone:

       # cd /etc/namedb/keys/
       # ls -l dsset-*
       -rw-r--r--  1 root  wheel  155 Nov 29 00:22 dsset-MYNAME.

   Look at the contents of the dsset:

       # cat dsset-MYNAME.

   Each DS line carries the key tag of your KSK, the algorithm number (8),
   the digest type, and the digest of the KSK's DNSKEY record.

8. Change the /etc/namedb/named.conf definition that loads the zone, to
   point to the signed zone:

       zone "MYNAME" {
           type master;
           file "/etc/namedb/master/MYNAME.signed";   // load the signed zone
           also-notify { 10.10.Y.2; };
       };

9. Also in the named.conf, enable DNSSEC (for the authoritative part). In
   the options { ... }; section, add the following:

       dnssec-enable yes;

   (Newer BIND releases have deprecated and then removed this option, since
   DNSSEC responses are always enabled there; if your named refuses the
   option, leave it out.)

10. Reconfigure/restart your nameserver:

       # rndc reconfig

    If the zone is not reloaded from the new file, follow up with
    rndc reload MYNAME.

11. Test that the nameserver is answering with DNSSEC records:

       # dig @127.0.0.1 MYNAME SOA +dnssec

    The answer section should contain an RRSIG record alongside the SOA.

12. Now you need to make sure that your slave grpY has ALSO configured their
    nameserver to enable DNSSEC in their configuration. They should have
    done it since they are working on the same lab, but check anyway! To
    test:

       # dig @10.10.Y.2 MYNAME SOA +dnssec

    ... where Y is the group number of your slave. The slave should return
    the same SOA, serial and RRSIG as your master.

13. You now need to communicate the DS to your parent.

    Go to https://rzm.dnssek.org/
    Log in with MYNAME and password (you should have signed up earlier).

    Check to see under Trust Anchor Details that your DS has automatically
    appeared AND matches the contents of your dsset-MYNAME. file. It is NOT
    automatically activated: the only thing the RZM has done is "grab" the
    key from you, and it is waiting for your confirmation (click on the
    "eye" to get a green "check" mark) to enable the DS in the parent zone.

    Once you are certain that the DS is included in the parent zone, verify
    that it is published, using dig:

       # dig +cdflag DS MYNAME.

    (The +cdflag sets the CD bit, which disables validation on the resolver,
    so you get an answer even if the chain of trust is not yet complete.
    This is useful during debugging, as is +multi.)

    Then it's a matter of waiting for the cache to expire on the resolver,
    before you can verify your signatures ... then you can begin to test
    validation!

14. Test that the AD bit is set:

       # dig @10.10.0.230 +dnssec www.MYNAME.

    (10.10.0.230 is the default resolver for the class but is repeated
    here.) Look for "ad" in the flags: line of the output. Is it there? If
    not, note that the root manager may not have necessarily signed the
    root zone with your DS included yet, OR, due to the *negative TTL*, the
    absence of the DS record may still be cached by the resolver. You may
    have to wait, but check with your root manager at:
    http://monitor.dnssek.org
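The check behind "matches" above (the DS shown by the RZM, and the DS in dsset-MYNAME., must be the digest of the KSK you actually put in the zone) can be done by hand before clicking the confirmation. The script below is an added example for this lab, not part of the original exercise and not BIND's own tooling: it recomputes DS records from a KSK's .key file per RFC 4034 (key tag from Appendix B, digest over the owner name in wire form followed by the DNSKEY RDATA) and compares them with a dsset file. The embedded DNSKEY and dsset text is constructed sample data with a deliberately tiny 3-byte "public key" so the key tag (1546) can be checked by hand; run it with the real paths, e.g. KMYNAME.+008+bbbbb.key and dsset-MYNAME., to check your own zone.

```python
"""Recompute DS records from a public KSK and check them against a dsset file.

Added example for this lab, not BIND's own tooling. Uses only the Python
standard library; the DNSKEY/DS wire formats follow RFC 4034 (key tag in
Appendix B, DS digest = hash(owner wire name || DNSKEY RDATA)).
"""
import base64
import hashlib
import struct
import sys

DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Owner name in canonical (lower-case, length-prefixed) wire form."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.lower().encode("ascii")
            wire += struct.pack("B", len(raw)) + raw
    return wire + b"\x00"


def parse_dnskey(text):
    """Yield (owner, flags, proto, alg, key_bytes) from the DNSKEY lines of a .key file."""
    for line in text.splitlines():
        fields = line.split(";")[0].split()   # drop "; This is a key-signing key ..." comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")            # works with or without a TTL column
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        key = base64.b64decode("".join(fields[i + 4:]))
        yield fields[0], flags, proto, alg, key


def key_tag(flags, proto, alg, key):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSAMD5)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, proto, alg, key, digest_type=2):
    """Return the DS tuple (key_tag, alg, digest_type, HEX_DIGEST) for a DNSKEY."""
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    digest = DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(flags, proto, alg, key), alg, digest_type, digest


def parse_dsset(text):
    """Parse dsset-MYNAME. lines into a set of (key_tag, alg, digest_type, HEX_DIGEST)."""
    records = set()
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if "DS" not in fields:
            continue
        i = fields.index("DS")
        tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
        records.add((tag, alg, dtype, "".join(fields[i + 4:]).upper()))
    return records


def check_dsset(dnskey_text, dsset_text):
    """Compare DS records computed from the KSKs with the published dsset.

    Only keys with the SEP bit (flags 257) get a DS; a ZSK (256) never does.
    Returns (matched, expected_but_missing, present_but_unexpected)."""
    published = parse_dsset(dsset_text)
    types = {r[2] for r in published if r[2] in DIGEST} or {2}
    expected = set()
    for owner, flags, proto, alg, key in parse_dnskey(dnskey_text):
        if flags & 1:
            for dtype in sorted(types):
                expected.add(ds_from_dnskey(owner, flags, proto, alg, key, dtype))
    return expected & published, expected - published, published - expected


# Constructed sample (not real key material): a 3-byte "public key", flags 257
# (KSK), protocol 3, algorithm 8, so the key tag (1546) can be checked by hand.
SAMPLE_KSK = """; This is a key-signing key, keyid 1546, for MYNAME.
MYNAME. IN DNSKEY 257 3 8 AAEC
"""
_tag, _alg, _dtype, _hex = ds_from_dnskey("MYNAME.", 257, 3, 8, b"\x00\x01\x02")
SAMPLE_DSSET = "MYNAME.\t\tIN DS %d %d %d %s\n" % (_tag, _alg, _dtype, _hex)

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: check_ds.py KMYNAME.+008+bbbbb.key dsset-MYNAME.
        inputs = [open(p).read() for p in sys.argv[1:]]
    else:
        inputs = [SAMPLE_KSK, SAMPLE_DSSET]
    matched, missing, extra = check_dsset(*inputs)
    for r in sorted(matched):
        print("MATCH   DS %d %d %d %s" % r)
    for r in sorted(missing):
        print("MISSING DS %d %d %d %s" % r)
    for r in sorted(extra):
        print("EXTRA   DS %d %d %d %s" % r)
    sys.exit(0 if matched and not missing else 1)
```

A MISSING line means the dsset (or whatever the RZM shows you) was not derived from the KSK you published; an EXTRA line means the parent holds a DS for a key that is no longer in your zone, which is exactly the state that breaks validation after a KSK change.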