22.9 DNS Security
DNSSEC, or DNS security, is described in RFC 2535. The tools
available for DNSSEC are discussed in the BIND Manual.
A zone considered secure must have one or several zone keys associated
with it. These are generated with dnssec-keygen, just
like the host keys. The DSA encryption algorithm is currently used to
generate these keys. The public keys generated should be included in the
corresponding zone file with an $INCLUDE rule.
With the command dnssec-makekeyset, all keys generated
are packaged into one set, which must then be transferred to the parent
zone in a secure manner. On the parent, the set is signed with
dnssec-signkey. The files generated by this command
are then used to sign the zones with dnssec-signzone,
which in turn generates the files to include for each zone in