Implementing DNSSEC on Scientific Linux 6.7

My environment is running BIND in a chroot jail, using the bind-chroot package installed with YUM. This article at DigitalOcean got me started; this post documents the steps specific to a Scientific Linux (or CentOS, RHEL, etc.) install.

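#placeholders: set these to your zone name and its zone file
ZONE=example.com
ZONEFILE=example.com.zone
#change into the zone file directory
cd /var/named/chroot/var/named/
#generate a zone signing key
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE "$ZONE"
#generate a key signing key
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE "$ZONE"
#append an include to the zone file for both public key files
for key in K"$ZONE"*.key; do echo "\$INCLUDE $key" >> "$ZONEFILE"; done
#sign the zone (this needs to be done after each update, and every couple of weeks as well)
#-3 takes a random 16-hex-digit NSEC3 salt; the signed copy is written to $ZONEFILE.signed
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o "$ZONE" -f "$ZONEFILE.signed" "$ZONEFILE"
#make sure bind is looking at the signed zone files
#(assumes the zone's file statement in named.conf ends with the zone file name)
sed -i "s/$ZONEFILE\";/$ZONEFILE.signed\";/" /var/named/chroot/etc/named.conf
#reload bind
rndc reload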
#these are the DS records that the domain registrar needs
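
The signing step above has to be repeated before the zone's RRSIG records expire. As an added example (not from the original article), this script reads the earliest RRSIG expiration from a signed zone file and reports whether it falls before a cutoff. The function names, the sample zone data and the cutoff are constructed for illustration, and the parser assumes the record layout that dnssec-signzone writes.

```shell
#!/bin/sh
# Print the earliest RRSIG expiration (YYYYMMDDHHMMSS, UTC) in a signed zone
# file. Assumes dnssec-signzone's layout, where the expiration is the fifth
# field after the RRSIG keyword:
#   RRSIG <type> <alg> <labels> <orig-ttl> <expiration> ( <inception> ...
earliest_rrsig_expiry() {
    awk '{
        for (i = 1; i + 5 <= NF; i++)
            if ($i == "RRSIG") {
                ts = $(i + 5) ""            # force string comparison
                if (ts ~ /^[0-9]+$/ && length(ts) == 14 && (min == "" || ts < min))
                    min = ts
            }
    }
    END { if (min == "") exit 1; print min }' "$1"
}

# Exit 0 if the earliest signature expires before the cutoff ($2, same format),
# 1 if every signature outlives it, 2 if the file holds no RRSIG records.
needs_resign() {
    earliest=$(earliest_rrsig_expiry "$1") || return 2
    [ "$earliest" -lt "$2" ]
}

# Constructed fragment of a signed zone (algorithm 7 = NSEC3RSASHA1).
write_sample_zone() {
    cat > "$1" <<'EOF'
example.com.     86400 IN NS ns1.example.com.
                 86400 RRSIG NS 7 2 86400 20160302120000 (
                     20160201120000 12345 example.com.
                     Q09OU1RSVUNURUQ= )
www.example.com. 86400 IN A 192.0.2.10
                 86400 RRSIG A 7 3 86400 20160228093000 (
                     20160129093000 12345 example.com.
                     Q09OU1RSVUNURUQ= )
EOF
}

sample=$(mktemp)
write_sample_zone "$sample"
# Constructed cutoff; live use (GNU date): date -u -d '+7 days' +%Y%m%d%H%M%S
status=ok
needs_resign "$sample" 20160225000000 && status=re-sign
echo "$status: earliest RRSIG expires $(earliest_rrsig_expiry "$sample")"
rm -f "$sample"
```

Run from cron against the real signed zone file, a zero exit status from needs_resign is the signal to run the signing and reload steps again.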