Create DNSSEC keys

To enable dnssec for your dns entries, use the following commands.
Create first a Key Signing Key (KSK) and zone sign key (ZSK) by using the following commands:

dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 2048 -n ZONE
dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n ZONE

Now you are ready to sign your DNS zone with the following command:

dnssec-signzone -l -o -k

The DS record should be published in the .net zone, to get a trust of anchor. The dns-signzone command has to be repeated every 30days or everytime the dns zone is changed.

Interesting links