Notes on switching a zone to its DNSSEC-signed version
------------------------------------------------------
($Id: DLV-NOTES,v 1.2 2010/10/15 13:41:35 wytze Exp $)

1. Edit /etc/nsd/nsd.conf and change the zonefile: from
   "unsigned/cacert.xxx" to "signed/cacert.xxx"

2. Load the signed zone file into the name server:

	sudo service nsd rebuild
	sudo service nsd reload

3. Add the DNSKEY for the zone to dlv.isc.org via their web interface
   (you need to set up a free account for this).
   The required DNSKEY record can be obtained through:

	sudo ods-ksmutil key export --zone cacert.xxx --keystate=ready

4. dlv.isc.org will instruct you to add a DLV TXT record to the zone file
   for validation. Do this in /etc/nsd/unsigned/cacert.xxx and don't forget
   to update the serial in the SOA record.

5. Force a re-sign of the cacert.xxx zone with:

	sudo ods-signer sign cacert.xxx

   OpenDNSSEC will take care of propagating the updated zone file to nsd.

6. Go back to dlv.isc.org web interface and force a re-verification,
   which should succeed now.

7. DLV records for cacert.xxx can now be inspected with

	dig cacert.xxx.dlv.isc.org any

8. Indicate that the DS record is published by dlv.isc.org:

	sudo ods-ksmutil key ds-seen --zone cacert.xxx --keytag XXXXX

9. For completeness, verify that all our secondary name servers are
   carrying the current information, by checking the output of:

	host -C cacert.xxx
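   Added example (not part of the original notes): a small shell check for
   step 9 that parses the output of "host -C cacert.xxx" and reports every
   secondary whose SOA serial does not match the serial the master serves.
   The "host -C" output format, the server names and the serials below are
   constructed for illustration.

```shell
#!/bin/sh
# Compare the SOA serial reported by each secondary (via "host -C zone")
# against the serial the master serves. In practice obtain the expected
# serial with:  dig +short SOA cacert.xxx @<master> | awk '{print $3}'
# Here it is a constructed value.
EXPECTED_SERIAL=2010101501

# Constructed sample of "host -C cacert.org" output: two secondaries in
# sync, one still serving yesterday's serial.
SAMPLE_HOST_C='Nameserver ns1.example.net:
    cacert.org has SOA record ns1.cacert.org. hostmaster.cacert.org. 2010101501 3600 900 604800 86400
Nameserver ns2.example.net:
    cacert.org has SOA record ns1.cacert.org. hostmaster.cacert.org. 2010101501 3600 900 604800 86400
Nameserver ns3.example.net:
    cacert.org has SOA record ns1.cacert.org. hostmaster.cacert.org. 2010101401 3600 900 604800 86400'

# check_serials EXPECTED  < host-C-output
# Prints "OK <server> <serial>" or "MISMATCH <server> <serial>" per name
# server and returns non-zero if any server disagrees with EXPECTED.
check_serials() {
    awk -v want="$1" '
        /^Nameserver / { ns = $2; sub(/:$/, "", ns); next }
        /has SOA record/ {
            # fields: <zone> has SOA record <mname> <rname> <serial> ...
            serial = $7
            if (serial == want) print "OK       " ns " " serial
            else { print "MISMATCH " ns " " serial; bad++ }
        }
        END { exit (bad > 0) }
    '
}

# count_mismatches EXPECTED < host-C-output : number of disagreeing servers
count_mismatches() {
    check_serials "$1" | grep -c '^MISMATCH' || true
}

if printf '%s\n' "$SAMPLE_HOST_C" | check_serials "$EXPECTED_SERIAL"; then
    echo "all secondaries carry serial $EXPECTED_SERIAL"
else
    echo "some secondaries disagree with the master; re-check after the next refresh"
fi
```

   On a live system replace the constructed sample with the real output,
   e.g. `host -C cacert.org | check_serials "$(dig +short SOA cacert.org @master | awk '{print $3}')"`.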

NB: "xxx" can be "com", "org" or "net" in the above