As of July 2020, the recommended algorithms are RSASHA256 (type 008) and ECDSAP256SHA256 (type 013).
Generate a ZSK and a KSK (-f KSK sets the SEP flag on the second key), then adjust permissions and ownership so named can read the files, and ask named to load them. The variable assignment is csh syntax; in sh or bash write z=example.com instead.

    set z=example.com
    cd /usr/local/etc/namedb/keys
    dnssec-keygen -a ECDSAP256SHA256 ${z}
    dnssec-keygen -a ECDSAP256SHA256 -fk ${z}
    chmod -w,g+r K${z}.+013+*
    chown bind:bind K${z}.+013+*
    rndc loadkeys ${z}

No key size (-b) is given because ECDSAP256SHA256 keys are always 256 bits, and the -3 option seen in older recipes only matters for algorithms that come in separate NSEC and NSEC3 variants (RSASHA1 versus NSEC3RSASHA1). rndc loadkeys only has an effect on a zone that already carries the auto-dnssec maintain option from the next step; when enabling DNSSEC for the first time, run it again after the rndc reconfig below.
Add the following lines to the zone definition in named.conf:

    auto-dnssec maintain;
    dnssec-secure-to-insecure yes;

auto-dnssec maintain makes named pick up keys from the key directory and sign, re-sign and roll according to the keys' timing metadata; it requires the zone to accept dynamic updates (for example update-policy local;) or to use inline-signing yes;. dnssec-secure-to-insecure yes lets named strip all signatures if every DNSKEY is ever removed; that is handy while experimenting but removes a safety net, so consider the default (no) for a production zone. BIND 9.16 and later also offer dnssec-policy, which supersedes auto-dnssec and automates the rollover described further down.

After making the changes update named:

    rndc reconfig

named signs the zone itself once the keys are loaded. What remains is to switch the denial-of-existence chain from NSEC to NSEC3; NSEC3 is recommended because plain NSEC allows clients to walk the zone and build a list of all of its DNS records. The parameters are hash algorithm (1 = SHA-1, the only one defined), flags (0 = no opt-out), iterations and salt; use openssl to generate a random hex number for the salt:

    rndc signing -nsec3param 1 0 10 `openssl rand -hex 4` ${z}

Two caveats: NSEC3 only raises the cost of enumeration (the hashed names can still be attacked offline with a dictionary), and RFC 9276 (2022) now recommends 0 iterations and no salt, i.e. rndc signing -nsec3param 1 0 0 - ${z}, because extra iterations and salt add load on resolvers without adding security.

Look for DNSKEY records (query your own server with @ to bypass a possibly stale cache):

    dig dnskey ${z}

The existence of DNSKEY records verifies that the zone has been signed. However, validating resolvers treat the zone as unsigned until you upload the corresponding DS record to the registrar and it appears in the parent zone (e.g. com.) on the parent's nameservers.
Calculate the DS parameters (dnssec-dsfromkey only converts keys that carry the KSK flag unless told otherwise, so you get one DS per KSK):

    dig dnskey ${z} | dnssec-dsfromkey -f - ${z}
    example.com. IN DS 12345 13 2 SOMEBIGLONGHASHYOUWILLPASTEIN

The fields are key tag, algorithm (13), digest type (2 = SHA-256) and the digest; all four go to the registrar. Once the new DS record is visible the best way to verify correct operation is with DNSViz, a fantastic tool developed by Casey Deccio. Another good tool is Verisign Labs DNSSEC Analyzer.
Starting with a zone signed by one (or more) algorithms, here's how to upgrade to a different algorithm.
Upgrade to use ECDSAP256SHA256 (type 013). Generate the new keys alongside the existing ones and load them:

    set z=example.com
    cd /usr/local/etc/namedb/keys
    dnssec-keygen -a ECDSAP256SHA256 ${z}
    dnssec-keygen -a ECDSAP256SHA256 -fk ${z}
    chmod -w,g+r K${z}.+013+*
    chown bind:bind K${z}.+013+*
    rndc loadkeys ${z}
    dig dnskey ${z}.

Make sure you see a new pair of DNSKEY records for algorithm 13, one ZSK (flags 256) and one KSK (flags 257), next to the old algorithm's keys. named now signs every RRset with both algorithms; that double signing must be complete and propagated before the DS in the parent changes, otherwise validators that still hold the old DS or the old signatures will fail the zone (RFC 6781, section 4.1.4).
Now wait for propagation. Any RRset a resolver cached before the new keys were loaded carries only old-algorithm signatures, so wait at least the longest TTL in the zone. Also look up the TTL of the DS record in the parent zone; it governs the waits after the DS change below:

    dig +trace ds ${z}.
After waiting the appropriate amount of time generate the DS record for the new KSK and upload it to the registrar. The output contains one DS per KSK, old and new, so pick the algorithm 13 line:

    dig dnskey ${z} | dnssec-dsfromkey -f - ${z}
Remove the old DS record(s) from the parent by logging into the registrar, keeping only the algorithm 13 DS. Then wait at least the DS TTL from the parent (plus the DNSKEY TTL) before touching the old keys: a validator that still has the old DS cached must still be able to find the old DNSKEYs and their signatures.
Retire the old ZSK and KSK; RSASHA1 (type 007) is used in this example. -I sets the date on which the key stops being used to sign (it stays published in the zone until deleted) and -D sets the date on which the DNSKEY record is removed from the zone. The paths are relative to /usr/local/etc/namedb; 12345 and 23456 stand for the tags of the old keys, which you can read off the file names:

    dnssec-settime -D now -I now keys/K${z}.+007+12345
    dnssec-settime -D now -I now keys/K${z}.+007+23456
Run loadkeys so named reads the new timing metadata and drops the old DNSKEY records together with their RRSIGs, then check the zone:

    rndc loadkeys ${z}
    dig dnskey ${z}.

You should only see DNSKEY records for the new algorithm. Only now is it OK to delete the obsolete key files from named's keys directory; keep the files until named has removed the keys from the zone. And it's always a good idea to run DNSViz.
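Both checks that lean on BIND's tools above, turning dig dnskey output into DS records (dnssec-dsfromkey) and confirming at the end of the rollover that only the new algorithm is left, can be done without BIND. The following is an added example in Python, not code from the original page: it implements the key tag of RFC 4034 Appendix B and the DS digest of RFC 4034 section 5.1.4 (digest type 2 = SHA-256 per RFC 4509), parses dig's DNSKEY lines, and counts KSKs and ZSKs per algorithm. The dig output and key material in it are constructed dummies (64 zero bytes in place of a P-256 point), so the digests it prints are not those of any real zone; the key tags, by contrast, are exactly what the RFC algorithm yields for those bytes.

```python
"""Derive DS records from `dig dnskey` output and check the DNSKEY set.

Added example, not code from the original page. It re-implements what
`dig dnskey zone | dnssec-dsfromkey -f - zone` does (key tag per RFC 4034
Appendix B, DS digest per RFC 4034 section 5.1.4 / RFC 4509) and the
"only the new algorithm is left" check at the end of the rollover. The dig
output below is constructed; the key material is dummy bytes, not real keys.
"""
import base64
import hashlib
from collections import defaultdict

DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SEP_FLAG = 0x0001  # Secure Entry Point bit: set on KSKs (flags 257), clear on ZSKs (256)


def wire_name(name):
    """Owner name in canonical wire format: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(zone, flags, protocol, algorithm, pubkey, digest_type=2):
    """Presentation-format DS line; digest = hash(owner name in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_TYPES[digest_type](wire_name(zone) + rdata).hexdigest().upper()
    return f"{zone.lower().rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_dig_dnskeys(text):
    """Pull DNSKEY records out of `dig dnskey` output.

    Returns (owner, flags, protocol, algorithm, pubkey_bytes) tuples. Comment lines
    (';'), RRSIGs and other record types are skipped; dig splits the base64 key into
    space-separated chunks, so everything after the algorithm field is rejoined.
    """
    keys = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) < 8 or fields[3].upper() != "DNSKEY":
            continue
        owner, flags, proto, alg = fields[0], int(fields[4]), int(fields[5]), int(fields[6])
        keys.append((owner, flags, proto, alg, base64.b64decode("".join(fields[7:]))))
    return keys


def ds_records_for_ksks(text, zone, digest_type=2):
    """Like `dnssec-dsfromkey -f - zone`: one DS line per key carrying the SEP flag."""
    z = zone.lower().rstrip(".")
    return [ds_record(zone, fl, pr, al, pk, digest_type)
            for owner, fl, pr, al, pk in parse_dig_dnskeys(text)
            if fl & SEP_FLAG and owner.lower().rstrip(".") == z]


def summarize(text):
    """Count KSKs and ZSKs per algorithm, e.g. {13: {'ksk': 1, 'zsk': 1}}."""
    counts = defaultdict(lambda: {"ksk": 0, "zsk": 0})
    for _, flags, _, alg, _ in parse_dig_dnskeys(text):
        counts[alg]["ksk" if flags & SEP_FLAG else "zsk"] += 1
    return dict(counts)


def rollover_complete(text, new_alg):
    """True once new_alg is the only algorithm published and it has a KSK and a ZSK."""
    s = summarize(text)
    return set(s) == {new_alg} and s[new_alg]["ksk"] >= 1 and s[new_alg]["zsk"] >= 1


# Constructed sample dig output (dummy keys: 64 zero bytes stand in for a P-256
# point; an exponent header plus zeros stands in for an RSA key). Real dig output
# wraps the base64 in chunks, which the first DNSKEY line imitates.
_ECDSA_B64 = base64.b64encode(b"\x00" * 64).decode()
_RSA_B64 = base64.b64encode(b"\x03\x01\x00\x01" + b"\x00" * 256).decode()
SAMPLE_DIG_MID_ROLLOVER = f"""\
; <<>> DiG 9.16.5 <<>> dnskey example.com
;; ANSWER SECTION:
example.com.\t3600\tIN\tDNSKEY\t257 3 13 {_ECDSA_B64[:44]} {_ECDSA_B64[44:]}
example.com.\t3600\tIN\tDNSKEY\t256 3 13 {_ECDSA_B64}
example.com.\t3600\tIN\tDNSKEY\t257 3 7 {_RSA_B64}
example.com.\t3600\tIN\tDNSKEY\t256 3 7 {_RSA_B64}
"""
# Same zone after the old RSASHA1 keys were dropped: only the two algorithm 13 lines.
SAMPLE_DIG_AFTER_ROLLOVER = "\n".join(SAMPLE_DIG_MID_ROLLOVER.splitlines()[:4]) + "\n"

if __name__ == "__main__":
    for line in ds_records_for_ksks(SAMPLE_DIG_MID_ROLLOVER, "example.com"):
        print(line)
    print(summarize(SAMPLE_DIG_MID_ROLLOVER))
    print("rollover complete:", rollover_complete(SAMPLE_DIG_AFTER_ROLLOVER, 13))
```

Feed it real output with `dig dnskey example.com > keys.txt` and `ds_records_for_ksks(open("keys.txt").read(), "example.com")`; the lines should match dnssec-dsfromkey byte for byte, which is a useful cross-check before pasting a DS into a registrar form. The owner name is hashed in lowercase wire form, so a zone typed with capitals yields the same DS, and a DS computed for the wrong owner (a typo in the zone name) is silently different, which is why the function takes the zone explicitly instead of trusting the first line.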