* raf:
> If you don't mind having a key that lasts "forever", you only need
> one(!) extra line in Bind's zone config, and one(!) manual interaction
> with your domain registrar.
Well, sort of. As per default settings, BIND does not appear to create a key signing key (KSK) / zone signing key (ZSK) pair, but instead one single key to sign each zone. That's sufficient from a technical perspective, but whenever that combined key changes, some key material must be refreshed in the parent zone.

I highly recommend investing the extra time and effort to generate separate KSK and ZSK for each DNSSEC-protected domain. The KSK data will need to be published once, but you can roll your ZSK whenever you please without contacting a third party. This saves a lot of hassle in the long run.

-Ralph

P.S.: If you're looking for a DNSSEC aware resolver, try Unbound.
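Ralph's recommendation, written out as BIND `dnssec-policy` configuration (BIND 9.16 and later). This is an added example, not configuration from the original thread; the zone name, zone file name and policy names are placeholders. The first policy is the single-key layout Ralph describes (BIND's built-in `default` policy behaves the same way, one combined CSK), the second is the KSK/ZSK split where only the KSK's DS record ever has to reach the registrar:

```conf
// Added example, not from the original post. Zone name, file name and
// policy names are placeholders. Syntax is BIND 9.16+ dnssec-policy.

// Single combined key (CSK): signs both the DNSKEY RRset and the zone
// data. Every time this key is replaced, a new DS record has to be
// pushed to the parent zone through the registrar.
dnssec-policy "single-key" {
    keys {
        csk lifetime unlimited algorithm ecdsap256sha256;
    };
};

// Separate KSK and ZSK. The KSK stays put (its DS is published at the
// parent once); the ZSK is rolled by named every 30 days with no
// registrar involvement, because the parent only references the KSK.
dnssec-policy "ksk-zsk" {
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime P30D      algorithm ecdsap256sha256;
    };
};

zone "example.com" {
    type primary;
    file "db.example.com";
    dnssec-policy "ksk-zsk";   // use this instead of "single-key"
    inline-signing yes;
};
```

After `named` reloads, `rndc dnssec -status example.com` lists both keys and their states; once the KSK's DS record has been submitted to the registrar and is visible in the parent, `rndc dnssec -checkds published example.com` tells `named` to treat the KSK as fully in use. From then on ZSK rollovers happen on the 30-day schedule without any further contact with the parent.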