DNSSEC Operation with BIND9

Make the zone's keyset: dnssec-keygen
    make KSK
        # dnssec-keygen -a rsa -b 768 -n zone sec.jinmei.org
        Ksec.jinmei.org.+001+43015
        Ksec.jinmei.org.+001+43015.{key, private}
    make ZSK
        # dnssec-keygen -a rsa -b 512 -n zone sec.jinmei.org
        Ksec.jinmei.org.+001+26689
        Ksec.jinmei.org.+001+26689.{key, private}

Incorporate the keys into the zone
        $INCLUDE Ksec.jinmei.org.+001+43015.key
        $INCLUDE Ksec.jinmei.org.+001+26689.key

Sign the zone: dnssec-signzone
        # dnssec-signzone -o sec.jinmei.org -g -k Ksec.jinmei.org.+001+43015 sec.jinmei.zone
        sec.jinmei.zone.signed
    RRSIG, NSEC RRs will be generated automatically
    keyset and DS RRs will also be generated
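
The key file names above encode zone, algorithm number and key tag, and the DS RR is a digest over the owner name plus the DNSKEY RDATA. The following is an added example, not part of the original slide or of BIND: it recomputes the key tag (including the special rule for algorithm 001, RSA/MD5) and a DS RDATA so a key file name can be checked against the DNSKEY it claims to describe. The function names, the SHA-256 digest type and the sample key bytes are assumptions made for illustration.

```python
import hashlib
import re
import struct

def parse_key_filename(name):
    """Split a dnssec-keygen base name K<zone>.+<alg>+<tag> into its parts."""
    m = re.fullmatch(r"K(.+)\.\+(\d{3})\+(\d{5})", name)
    if m is None:
        raise ValueError(f"not a dnssec-keygen file name: {name!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))

def key_tag(rdata):
    """Key tag of DNSKEY RDATA (flags, protocol, algorithm, public key)."""
    if rdata[3] == 1:
        # Algorithm 1 (RSA/MD5): most significant 16 bits of the least
        # significant 24 bits of the modulus, which ends the RDATA.
        return int.from_bytes(rdata[-3:-1], "big")
    # Every other algorithm: 16-bit checksum from RFC 4034 Appendix B.
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_rdata(owner, rdata):
    """DS RDATA with a SHA-256 digest (digest type 2, an assumption here)."""
    digest = hashlib.sha256(owner_wire(owner) + rdata).digest()
    return struct.pack("!HBB", key_tag(rdata), rdata[3], 2) + digest

def matches_key_file(filename, owner, rdata):
    """True if the file name's zone, algorithm and tag describe this DNSKEY."""
    zone, alg, tag = parse_key_filename(filename)
    return (zone.lower() == owner.rstrip(".").lower()
            and alg == rdata[3] and tag == key_tag(rdata))

# Constructed sample: flags 257 (KSK), protocol 3, algorithm 1, then exponent
# length 1, exponent 3 and a 96-octet filler "modulus". Not a real key; the
# last octets are chosen so the tag equals 43015 from the page's file name.
SAMPLE_RDATA = (struct.pack("!HBB", 257, 3, 1) + b"\x01\x03"
                + b"\xc1" + bytes(92) + b"\xa8\x07\x01")

if __name__ == "__main__":
    print(key_tag(SAMPLE_RDATA), ds_rdata("sec.jinmei.org.", SAMPLE_RDATA).hex())
```

A mismatch between the tag in a file name and the tag computed from the DNSKEY in the zone means the wrong .key file was included or passed to -k.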