DNSSEC - Quick and easy with BIND 9.9
I've just acquired a new domain in a registry that isn't yet signed (not that signed ones are much better as registrars all tend to fail to allow you to implement this properly - I'm looking at you 1&1).
In order to use DNSSEC with this you have to use "look-aside validation", which is a different trust anchor to the root "." zone. I have to admit I got a little confused as to how DNS resolvers know how to look at a DLV instead of the parent zone - apparently, they just have to be configured that way. If a resolver isn't configured to look at a DLV then the chain of trust will be broken - this shouldn't cause any day-to-day problems providing the parent zone (e.g. .com) isn't claiming that your domain should be signed - then there is a world of hurt.
ISC (the creators of the needlessly complex BIND name server) have a DLV that anybody can use and is generally accepted as a de-facto DLV. So there is a good chance of your DNSSEC working once registered with them.
Ironically, their how-to guide is out-dated and isn't the quickest way of doing things with their own product, BIND. So, on to the quick and easy...
Enabling DNSSEC
I'm not sure why this isn't turned on by default, it's the easiest way to get something adopted as most people tend to just roll the defaults. You'll have to add some bits to your named.conf to get DNSSEC working, and then some more to get the DLV working. First off turn on DNSSEC by adding dnssec-enable yes; and dnssec-validation yes; to your options section. That's it turned on, but again, by default it doesn't do a lot.
You then need to get BIND to trust the root keys, if you're doing this properly then you'll want to ensure you get the latest root keys (which haven't changed, ever, yet) from IANA's website. As keys may rotate, you need to set up a directory that BIND can read and write to, in order to manage those keys. And then add it to the options section managed-keys-directory "/var/lib/named/managedkeys"; (or similar).
Before we add the initial keys, we'll also enable DLV trust-anchor with the option dnssec-lookaside . trust-anchor dlv.isc.org.;
To add the inial keys (which you should verify yourself as my site could be compromised, they may have changed, etc), you need to add a new section:
managed-keys { "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0="; dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh"; };
Done!
Create your keys
You need two keys, one for signing your zone, and one for signing the key that signs your zone (wtf... this is so if you want to change your zone key, you don't have to update the parent/dlv with new keys - best practice is to rotate your keys on a regular basis, not that I've seen anybody rotate any).
dnssec-keygen -3 -r /dev/urandom -f KSK -n ZONE example.com
Bish, you'll get two files in the format of Kzone.+005+random number with a .key and .private extension. As you've guessed it, the .key is your public key, and the .private is your super-secret private key, keep it secret, keep it safe etc.
That's your KSK, or Key Signing Key done. Now you need a Zone Signing Key, which is just as simple:
dnssec-keygen -3 -r /dev/urandom -f KSK -n ZONE example.com
You'll get similar files out as above. If you get confused and can't remember which one is which, take a look in the .key file and there will be a comment at the top telling you whether it was a KSK key or not.
Signing your zones
Plop your keys in a nice safe read-only place on your server and add these magic options to your zone section in named.conf auto-dnssec maintain;, key-directory "/var/lib/named/your-safe-place"; and inline-signing yes;.
Give BIND a kick up the arse, rcnamed restart is always a good one and you'll suddenly have a signed zone. You can update your zone file in the existing way and BIND will handle the rest.
Adding your zone to DLV
You'll have to register with ISC DLV, and then you'll need to follow the wizard to add in your public Key Signing Key (from the file above), it's clever enough for you to just copy and paste the entire line in sans-comments, or just upload the file through your web-browser. This is your public key, not your private one.
You will be prompted to add a TXT record to validate your entry, be sure to read the instructions and not put it in the wrong place as it can lead to much confusion... the TXT record is on a sub-domain 'dlv', so your zone file should have something like this added into it:
dlv.example.com. 0 IN TXT "DLV:1:xxxxxx"
Obviously with the example.com and the xxxxx replaced with the relevant values.
Check it all works by using Sandia's DNSViz, which will check against ISC's DLV as well as root.