Howto
-----

1. Install tinydns-sign and patched tinydns/axfrdns.
2. Generate key(s). See the tinydns-sign manpage for details.
   It is common practice to have a "Key signing key" (KSK, with
   flags=257) and a "Zone signing key" (ZSK, with flags=256).
   The KSK is used only for signing the DNSKEY RRs, the ZSK
   is used for signing the rest. The KSK is more difficult to
   change because it is used in the delegating domain's referral,
   therefore it usually has more bits. The ZSK is used for signing
   all the other records, and is therefore usually shorter and
   changed more frequently.
   You should keep the keys in a safe place (outside the
   tinydns ROOT), e.g. in a directory "keys" located above the ROOT.
3. Add the K pseudo records from the key files to your tinydns-data file. Also, add a P pseudo record for each signed zone.
4. Adapt the Makefile to pipe your data file through tinydns-sign
   before running tinydns-data, e.g.

   data.cdb: data update
     tinydns-sign ../keys/* <data >data.tmp
     mv data.tmp data
     tinydns-data
     rm -f update

   update:
     touch update
5. Run make.
6. Set up a cronjob to periodically re-sign your data file
   before the signatures expire.
7. Test! For example:
     o Use dig axfr domain @server and validate the result
       with a dnssec zone validator, like yazvs.
     o Use an online DNS or DNSSEC test tool. See here for a list.
8. Read RFC-6781 to get a feeling for what is explicitly not called
   "Best Current Practices". :-)
   In particular, think about key lifetime and how to do a key rollover.
9. Sacrifice a few small ani^H^H^Htofus to a deity of your choice. Get
   yourself a drink for really tough guys, like prune juice.
10.If you feel brave, contact your upstream delegator to publish DS
   records for your zone.
   Note that this is a really good way to cut yourself off from the
   rest of the internet. You've been warned, so don't blame me.
