Implementing DNSSEC on Scientific Linux 6.7

My environment is running BIND in a chroot jail, using the bind-chroot package installed with YUM. This article at DigitalOcean got me started; this documents steps specific to a Scientific Linux (or Centos, RHEL, etc) install.

#change into the zone file directory
cd /var/named/chroot/var/named/
 
#generate a zone signing key
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com
 
#generate a key signing key
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com
 
#append an include to the zone file for both public key files
for key in Kexample*.key; do echo "\$INCLUDE $key" >> db.example.com; done
 
#sign the zone (this needs to be done after each update, and every couple of weeks as well)
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -f db.example.com.signed db.example.com
 
#make sure bind is looking at the signed zone files
sed -i 's/db.example.com;/db.example.com.signed;/' /var/named/chroot/etc/named.conf
 
#reload bind
rndc reload
 
#these are the DS records that the domain registrar needs
cat dsset-example.com.