DNSSEC, or DNS security, is described in RFC 2535. The tools available for DNSSEC are discussed in the BIND Manual.
A zone considered secure must have one or several zone keys associated with it. These are generated with dnssec-keygen, just like the host keys. The DSA algorithm is currently used to generate these keys. The public keys generated should be included in the corresponding zone file with an $INCLUDE rule.
With the command dnssec-makekeyset, all keys generated are packaged into one set, which must then be transferred to the parent zone in a secure manner. On the parent, the set is signed with dnssec-signkey. The files generated by this command are then used to sign the zones with dnssec-signzone, which in turn generates the signed zone files to reference for each zone in /etc/named.conf.
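The four-step workflow above (keygen, makekeyset, signkey, signzone) as a shell script, added here as an example and not taken from the manual or from BIND itself. The command-line flags, the DSA key size, and the output file names (keyset-zone., signedkey-zone., zonefile.signed) are assumptions about the BIND 9 tools of that era; the parent-side step is shown inline but would normally run on the parent zone's host.

```shell
#!/bin/sh
# Added example: DNSSEC zone signing with the BIND tools named in the text.
# Flags and output file names are assumptions, not taken from the page.

# Return 1 and name the first missing tool; the workflow needs all four.
check_tools() {
    for tool in dnssec-keygen dnssec-makekeyset dnssec-signkey dnssec-signzone; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 1; }
    done
}

# $INCLUDE rule that pulls a generated public key (Kname.key) into a zone file.
include_line() {
    printf '$INCLUDE %s.key\n' "$1"
}

# File names the keyset/signkey steps are assumed to produce for a zone.
keyset_file()    { printf 'keyset-%s.\n' "$1"; }
signedkey_file() { printf 'signedkey-%s.\n' "$1"; }

# Run the whole workflow: sign_zone <zone> <zonefile> <parent key base name>
sign_zone() {
    zone="$1"; zonefile="$2"; parentkey="$3"
    check_tools || return 1
    # Step 1: DSA zone key; dnssec-keygen prints the base name Kzone.+003+NNNNN
    keyname=$(dnssec-keygen -a DSA -b 1024 -n ZONE "$zone") || return 1
    include_line "$keyname" >> "$zonefile"
    # Step 2: package the zone keys into one keyset (TTL is an assumption)
    dnssec-makekeyset -t 3600 "$keyname" || return 1
    # Transfer "$(keyset_file "$zone")" to the parent over a secure channel.
    # Step 3 (on the parent): sign the child's keyset with the parent's key
    dnssec-signkey "$(keyset_file "$zone")" "$parentkey" || return 1
    # Step 4 (back in the child zone directory, with the signedkey file present)
    [ -f "$(signedkey_file "$zone")" ] || { echo "signedkey missing" >&2; return 1; }
    dnssec-signzone -o "$zone" "$zonefile" || return 1
    # This is the file to reference for the zone in /etc/named.conf
    echo "$zonefile.signed"
}

# Run only when invoked with arguments, e.g.:
#   sh sign.sh example.com example.com.zone Kcom.+003+54321
if [ -n "${1:-}" ]; then
    sign_zone "$@"
fi
```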