Install bind9 to your Linux server. Add the following line to /etc/bind/named.conf
create a directory /etc/bind/dnssec/ and under it another one for each domain you want to sign
for example /etc/bind/dnssec/73.fi/
Change directory to the one you just made and create the keys:
dnssec-keygen -a RSASHA256 -b 2048 -r /dev/urandom -n ZONE 73.fi
dnssec-keygen -f KSK -a RSASHA256 -b 2048 -r /dev/urandom -n ZONE 73.fi
(Remeber to correct the domain names to match your ones in all the commands)
List the key file names
and add them to the end of the zone file /etc/named/pri/73.zone
Now you can sign the zone.
dnssec-signzone -r /dev/urandom -K /etc/named/dnssec/73.fi -N unixtime -g -o 73.fi /etc/named/pri/73.zone
Change the zone file definition in /etc/bind/named.conf
Restart bind and see that the slave DNS severs get the new signed zone file.
Sign to gandi.net and update your DNSSEC key.
Select your domain, select [Manage DNSSEC],
select Flags: [257 - KSK] and Algorithm: [8 - RSA/SHA-256],
paste your Key Signing Key to the box and click [Add].
The correct key file is the one that has the numbers 257 3 8 on the first non-commented line.
You can find the Key Signing Key after the
until the end of the file.
The zone needs to be signed again within 30 days, so you should probably add the signing procedure to the crontab. If you modify the zone file, you will obviously also need to sign the zone again.