The howto that used to be here was outdated. It was using zonesigner and lot of other tools which became unnecessary because nowadays BIND can sign the zonefiles itself. There are two excellent howto's (in Dutch) which explain this:
Because not everyone understands Dutch, here's a short summary of those articles:
dnssec-enable yes; dnssec-validation auto; dnssec-lookaside auto; key-directory "/etc/bind/keys";
mkdir -p /etc/bind/keys/
cd /etc/bind/keys/ dnssec-keygen -f KSK -3 -a RSASHA256 -b 2048 -r /dev/random -n ZONE example.com dnssec-keygen -3 -a RSASHA256 -b 1024 -r /dev/random -n ZONE example.comNote: Using /dev/random might be slow on systems with low activity. You might consider using /dev/urandom, but this uses less 'randomness'.
auto-dnssec maintain; inline-signing yes;
rndc reconfig rndc sign example.com.
rndc signing -list example.com