DNSSEC - How to Sign your .gov Zone

Much of this DNSSEC documentation is based on NIST Special Publication 800-81 Rev 1, Secure Domain Name System (DNS) Deployment Guide.
For reference, please read the 800-81R1 PDF.

The first step to signing a DNS zone is to create the key signing key (KSK) and the zone signing keys (ZSKs). The KSK signs only the zone's DNSKEY RRset and is the key the parent (.gov) vouches for; the ZSK signs everything else in the zone, which is why it can be smaller and rolled more often.
For background, read the IETF Operational Procedures.

OPTION A: NSEC3 Zone Signing with RSA/SHA-256 (algorithm 8) in BIND 9.6-ESV (use together with OPTION B to support legacy validators that do not implement RFC 5702 / algorithm 8)

dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE official.gov
dnssec-keygen -a RSASHA256 -b 1024 -e -n ZONE official.gov
dnssec-keygen -a RSASHA256 -b 1024 -e -n ZONE official.gov

When the commands finish, they will print the base name of the key files created, one line per keygen operation. The name is K<zone>.+<algorithm>+<key tag>: 008 is RSASHA256 and the last number is the key tag computed from the public key, so your values will differ from these:

Kofficial.gov.+008+56487  (*This is the Key Signing Key because of the -f KSK option; its public key is the trusted key)
Kofficial.gov.+008+62648
Kofficial.gov.+008+72348

OPTION B: NSEC3 Zone Signing with RSA/SHA-1 (algorithm 7, RSASHA1-NSEC3-SHA1). NSEC3 publishes hashes of the owner names instead of the names themselves, which makes zone enumeration harder but does not prevent it.

dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 2048 -n ZONE official.gov
dnssec-keygen -a NSEC3RSASHA1 -b 1024 -e -n ZONE official.gov
dnssec-keygen -a NSEC3RSASHA1 -b 1024 -e -n ZONE official.gov

When the commands finish, they will return a line like this for each keygen operation:

Kofficial.gov.+007+56497  (*This is the Key Signing Key because of the -f KSK option, trusted key)
Kofficial.gov.+007+62649
Kofficial.gov.+007+12349

OPTION C: NSEC Zone Signing with RSA/SHA-1 (algorithm 5). The NSEC chain lists every name in the zone, so it allows zone enumeration (zone walking). Do not combine Option C keys with an NSEC3-signed zone (Options A and B): a validator that predates NSEC3 would trust the algorithm 5 key and then be unable to validate the zone's NSEC3 denial-of-existence proofs.

dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE official.gov
dnssec-keygen -a RSASHA1 -b 1024 -e -n ZONE official.gov
dnssec-keygen -a RSASHA1 -b 1024 -e -n ZONE official.gov

When the commands finish, they will return a line like this for each keygen operation:

Kofficial.gov.+005+56487  (*This is the Key Signing Key because of the -f KSK option, trusted key)
Kofficial.gov.+005+62648
Kofficial.gov.+005+72348

Note that two files are written for each key created: the .key file holds the public DNSKEY record and the .private file holds the private key. Include only the public keys (.key files) in the zone file; the .private files must never be copied onto a public-facing name server. The KSK signs the zone's DNSKEY RRset and the ZSK signs the rest of the zone; the pre-published ZSK is included in the zone now so that resolvers already have it cached when you switch signing to it.
The public KSK is what resolvers trust to validate official.gov, via the DS record that .gov publishes for it. Protect the private keys by keeping them offline and signing the zone offline, then copy only the signed zone file to the name server.
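As an added example (not code from the dotgov page or from BIND), the following Python script shows where the numbers in a file name such as Kofficial.gov.+008+56487 come from and what the parent side derives from the KSK: it parses the DNSKEY line of a .key file, computes the RFC 4034 key tag, checks it against the file name, and builds the SHA-256 DS record (RFC 4509) that corresponds to the keyset you will upload. The DNSKEY in it is a constructed sample with a deliberately tiny public-key field rather than a real 2048-bit key, and all function names are my own.

```python
# Added example (not part of the dotgov page or of BIND): compute the key tag
# (RFC 4034 Appendix B) and a SHA-256 DS record (RFC 4509) from the DNSKEY
# line of a dnssec-keygen .key file, and check that the tag matches the
# +alg+id in the file name.  The DNSKEY below is a constructed sample with a
# deliberately tiny public-key field; it is not a real key.
import base64
import hashlib

SAMPLE_KEY_FILE = """\
; This is a key-signing key for official.gov. (constructed sample, not a real key)
official.gov. IN DNSKEY 257 3 8 AwEAAcD/7kIRIg==
"""


def parse_dnskey(text):
    """Return (owner, flags, protocol, algorithm, pubkey_bytes) for the first
    DNSKEY record in the text; ';' comments and an optional TTL are skipped."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) > 1 and fields[1].isdigit():   # newer BIND writes a TTL
            del fields[1]
        if len(fields) < 7 or fields[2] != "DNSKEY":
            continue
        owner, _cls, _rtype, flags, proto, alg = fields[:6]
        pubkey = base64.b64decode("".join(fields[6:]))
        return owner, int(flags), int(proto), int(alg), pubkey
    raise ValueError("no DNSKEY record found")


def dnskey_rdata(flags, proto, alg, pubkey):
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag; this is the number after the second '+'
    in Kzone.+alg+id.  Valid for algorithms 5, 7 and 8 (not RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(owner):
    """Canonical (lower-case) wire-format owner name, the DS digest prefix."""
    out = b""
    for label in owner.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(owner, flags, proto, alg, pubkey):
    """'owner IN DS keytag alg 2 <hex>' with digest type 2 = SHA-256 over
    owner-name || DNSKEY RDATA (RFC 4509)."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"


def check_key_file(text):
    """Summarise a .key file: key tag, whether the SEP bit marks it as a KSK
    (dnssec-keygen -f KSK sets flags 257 instead of 256), the DS record and
    the file name dnssec-keygen would have used for it."""
    owner, flags, proto, alg, pubkey = parse_dnskey(text)
    tag = key_tag(dnskey_rdata(flags, proto, alg, pubkey))
    return {
        "owner": owner,
        "key_tag": tag,
        "is_ksk": bool(flags & 0x0001),
        "ds": ds_record(owner, flags, proto, alg, pubkey),
        "file": f"K{owner}+{alg:03d}+{tag:05d}.key",
    }


def file_name_matches(text, filename):
    """True when the key tag and algorithm computed from the DNSKEY agree
    with the Kzone.+alg+id.key name the file was given."""
    return check_key_file(text)["file"] == filename


if __name__ == "__main__":
    for k, v in check_key_file(SAMPLE_KEY_FILE).items():
        print(f"{k}: {v}")
```

Run it against your real KSK .key file to confirm the key tag before uploading the keyset, and to see the DS record a validator will expect at the parent. The key tag formula covers RSASHA1, RSASHA1-NSEC3-SHA1 and RSASHA256 (algorithms 5, 7 and 8); algorithm 1 (RSA/MD5) uses a different rule and is not handled.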

Here is a sample zone file for the official.gov zone. BIND 9 warns if the $TTL directive is missing and falls back to the SOA minimum, and the SOA MNAME must be a fully qualified name with a trailing dot that matches the name server's NS and A records (without the dot, ns1.official.gov would be read as ns1.official.gov.official.gov.):

$TTL 38400
@ IN SOA ns.official.gov. dnsadm.official.gov. (
	2009010501    ; serial number (manually increment this number prior to each signing)
	10800         ; refresh period (3 hours)
	3600          ; retry refresh this often (1 hour)
	604800        ; expiration period (1 week)
	38400 )       ; minimum / negative caching TTL (10 hours 40 minutes)

@	IN NS   ns.official.gov.
ns     IN A    192.168.1.1
$INCLUDE Kofficial.gov.+008+56487.key    ;key signing key SHA-256 (OPTION A: Bind 9.6.2+ validators)
$INCLUDE Kofficial.gov.+008+62648.key    ;zone signing key SHA-256
$INCLUDE Kofficial.gov.+008+72348.key    ;pre-published zone signing key SHA-256

$INCLUDE Kofficial.gov.+007+56497.key    ;key signing key SHA-1 (OPTION B: Legacy validators)
$INCLUDE Kofficial.gov.+007+62649.key    ;zone signing key SHA-1
$INCLUDE Kofficial.gov.+007+12349.key    ;pre-published zone signing key SHA-1

With the Option A and B keys included in the zone file, we are ready to sign the zone with NSEC3 using
the dnssec-signzone tool. -g generates DS records for any signed child zones, -a verifies the generated signatures, -H 10 and -3 bbab set the NSEC3 iteration count and hex salt (pick a fresh random salt rather than a fixed value when you re-sign), each -k names a KSK, -e +7776000 makes the signatures expire 90 days after the signing start time, and the ZSK key files are listed after the zone file. The pre-published ZSKs appear in the zone but are not used to sign.

dnssec-signzone [-C] -g -a -H 10 -3 bbab -k Kofficial.gov.+008+56487 -k Kofficial.gov.+007+56497 -o official.gov -e +7776000 official.gov Kofficial.gov.+008+62648 Kofficial.gov.+007+62649

(-C is for BIND 9.7 and later only: from 9.7 on, dnssec-signzone writes just dsset-official.gov. by default, and -C restores the keyset-official.gov. file that the dotgov upload step requires. BIND 9.6 writes both files, so omit -C there.)

If only the Option B keys are included in the zone file, we may sign the zone with legacy SHA-1 NSEC3 using
the dnssec-signzone tool (note that these are the algorithm 7 key IDs generated under Option B):

dnssec-signzone [-C] -a -H 10 -3 bbab -k Kofficial.gov.+007+56497 -o official.gov -e +7776000 official.gov Kofficial.gov.+007+62649

Or, with the Option C keys included in the zone file, we are ready to sign the zone with NSEC using
the dnssec-signzone tool:

dnssec-signzone [-C] -a -k Kofficial.gov.+005+56487 -o official.gov -e +7776000 official.gov Kofficial.gov.+005+62648

The -o option is not necessary if the zone name and file name are identical; it is shown here for clarity.

The signed zone, official.gov.signed, is the new zone file that named.conf should reference (check it first with named-checkzone official.gov official.gov.signed):

zone "official.gov" {
     type master;
     file "official.gov.signed";
};

Next, add the following option to the options statement in named.conf:

options {
	...
	...	
        dnssec-enable yes;
};

Next, restart the name server with the following command (or use rndc reload to avoid a full restart):

/etc/init.d/named restart

In our final step, we upload the auto-generated keyset-official.gov. file (written by dnssec-signzone next to the signed zone) to www.dotgov.gov to enable DNSSEC services.
All domains are automatically enrolled in our DNSSEC Key Monitor system by default. This system will email you
status and reminders to aid in the maintenance of signatures, key rollover, and failed validation.
You may opt out of the automated key management monitoring by clicking the radio buttons after upload.

official.gov must be re-signed whenever the zone changes, and in any case about one TTL before the signatures expire (with -e +7776000 that is 90 days after signing). Increment the SOA serial before each signing and reload the signed zone afterwards; once the signatures expire, validating resolvers return SERVFAIL for the whole zone.
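To make the re-sign rule above checkable, here is an added Python example (not part of the dotgov page or of BIND) that parses the RRSIG records in a dnssec-signzone output file, flags signatures that are expired or will expire within one TTL, and flags signatures made with a key tag that is not among the keys you generated (the +alg+id numbers in the dnssec-keygen file names). The zone excerpt embedded in it is a constructed sample in dnssec-signzone's multi-line layout with dummy signature data; the key tags 56487, 62648 and 72348 are the Option A values from this page, and 12345 is a deliberately unknown tag. All function names are my own.

```python
# Added example (not part of the dotgov page or of BIND): audit the RRSIG
# records in a dnssec-signzone output file.  Reports signatures that are
# expired, that expire within one TTL (the page's re-sign rule of thumb),
# that are not yet valid, or that were made with a key tag not among the
# keys you generated.  The zone excerpt is a constructed sample in
# dnssec-signzone's multi-line layout; the base64 is dummy data, not real
# signatures.
from datetime import datetime, timezone

SAMPLE_SIGNED_ZONE = """\
; File written on Tue Jan  6 00:00:00 2009 (constructed sample, not real signatures)
official.gov.           38400   IN SOA  ns.official.gov. dnsadm.official.gov. (
                                2009010501 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                38400      ; minimum (10 hours 40 minutes)
                                )
                        38400   RRSIG   SOA 8 2 38400 20090406000000 (
                                20090106000000 62648 official.gov.
                                c2lnbmF0dXJlLWRhdGE= )
                        38400   NS      ns.official.gov.
                        38400   RRSIG   NS 8 2 38400 20090420000000 (
                                20090106000000 62648 official.gov.
                                c2lnbmF0dXJlLWRhdGE= )
                        38400   RRSIG   DNSKEY 8 2 38400 20090406000000 (
                                20090106000000 56487 official.gov.
                                c2lnbmF0dXJlLWRhdGE= )
ns.official.gov.        38400   IN A    192.168.1.1
                        38400   RRSIG   A 8 3 38400 20090106120000 (
                                20090106000000 12345 official.gov.
                                c2lnbmF0dXJlLWRhdGE= )
"""


def parse_timestamp(s):
    """RRSIG inception/expiration times are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def records(text):
    """Yield (owner, fields) per record: strips ';' comments, joins the lines
    inside ( ), and carries the owner name forward when a line omits it, as
    dnssec-signzone output does."""
    buf, depth, owner, has_owner = [], 0, None, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if depth == 0:                      # first line of a new record
            has_owner = not line[0].isspace()
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            fields = " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf = []
            if has_owner:
                owner, fields = fields[0], fields[1:]
            yield owner, fields


def parse_rrsigs(text):
    """Return a list of dicts describing every RRSIG in the zone text."""
    sigs = []
    for owner, fields in records(text):
        # skip the optional TTL and class so that fields[0] is the RR type
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields = fields[1:]
        if len(fields) < 10 or fields[0] != "RRSIG":
            continue
        covered, alg, _labels, _orig_ttl, exp, inc, tag, signer = fields[1:9]
        sigs.append({"owner": owner, "type": covered, "algorithm": int(alg),
                     "expiration": parse_timestamp(exp),
                     "inception": parse_timestamp(inc),
                     "key_tag": int(tag), "signer": signer})
    return sigs


def audit_signatures(text, now, ttl, known_tags):
    """Return (owner, type, problem) tuples for signatures needing attention.
    `now` is an aware datetime, `ttl` the zone TTL in seconds, `known_tags`
    the key tags from your dnssec-keygen file names."""
    problems = []
    for sig in parse_rrsigs(text):
        where = (sig["owner"], sig["type"])
        remaining = (sig["expiration"] - now).total_seconds()
        if remaining <= 0:
            problems.append(where + ("expired",))
        elif remaining <= ttl:
            problems.append(where + ("expires within one TTL",))
        if sig["inception"] > now:
            problems.append(where + ("not yet valid",))
        if sig["key_tag"] not in known_tags:
            problems.append(where + (f"signed with unknown key tag {sig['key_tag']}",))
    return problems


def zone_needs_resign(text, now, ttl, known_tags):
    """True when any signature is expired or expires within one TTL."""
    return any(p[2] in ("expired", "expires within one TTL")
               for p in audit_signatures(text, now, ttl, known_tags))


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for owner, rtype, problem in audit_signatures(SAMPLE_SIGNED_ZONE, now, 38400, {56487, 62648, 72348}):
        print(f"{owner} {rtype}: {problem}")
```

Run it from cron against official.gov.signed with the real current time and re-sign whenever it reports anything. The one-TTL margin is the page's rule of thumb; in practice also allow for the time it takes secondaries to transfer the re-signed zone.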

KSK rollover will require new keysets to be uploaded into the dotgov system. Zones that have opted in to the
DNSSEC Monitoring Service will not need to upload keysets to the www.dotgov.gov website after the initial upload.
We recommend you roll your KSK by pre-publishing the new KSK in your zone at least TTL * 2 + 1 day before signing
the zone with the new KSK.

DEFAULT MONITOR OPT-IN: KSK rollover will occur automatically at the TLD when a new KSK is found in your zone. Remember
to follow the KSK and ZSK publishing instructions in NIST Special Pub 800-81R2 and publish BOTH KSKs (old and new) during the rollover to ensure
continued validation by validating resolvers. Removing either KSK before the rollover period is over may cause validation errors.