1. Install tinydns-sign and patched tinydns/axfrdns.
  2. Generate key(s). See the tinydns-sign manpage for details.
    It is common practice to have a "Key signing key" (KSK, with flags=257) and a "Zone signing key" (ZSK, with flags=256). The KSK is used only for signing the DNSKEY RRs, the ZSK is used for signing the rest. The KSK is more difficult to change because it is used in the delegating domain's referral, therefore it usually has more bits. The ZSK is used for signing all the other records, and is therefore usually shorter and changed more frequently.
    You should keep the keys in a safe place (outside the tinydns ROOT), e. g. in a directory "keys" located above the ROOT.
  3. Add the K pseudo records from the key files to your tinydns-data file. Also, add a P pseudo record for each signed zone.
  4. Adapt the Makefile to pipe your data file through tinydns-sign before running tinydns-data, e. g.
    data.cdb: data update
    	tinydns-sign ../keys/* <data >data.tmp
    	mv data.tmp data
    	rm -f update
    	touch update
  5. Run make.
  6. Set up a cronjob to periodically re-sign your data file before the signatures expire.
  7. Test! For example:
    • Use dig axfr domain @server and validate the result with a dnssec zone validator, like yazvs.
    • Use an online DNS or DNSSEC test tool. See here for a list.
  8. Read RFC-6781 to get a feeling for what is explicitly not called "Best Current Practices". :-)
    In particular, think about key lifetime and how to do a key rollover.
  9. Sacrifice a few small ani^H^H^Htofus to a deity of your choice. Get yourself a drink for really tough guys, like prune juice.
  10. If you feel brave, contact your upstream delegator to publish DS records for your zone.
    Note that this is a really good way to cut yourself off from the rest of the internet. You've been warned, so don't blame me.