DNSSEC has a lot of commands to learn and type when maintaining your system. Hopefully this simplifies it for you. Usage: sign_zone.sh <domain>. I verified this working with Bind 9.7.3 on Amazon EC2 and also with Bind 9.7.0 on CentOS using the bind97 RPMs and a chroot jail. I store my ZSK and KSK for all domains in /var/named/dynamic. Then I have each zone in a subfolder, /var/named/dynamic/<domain>. /etc/named.conf is configured to load the generated <domain>.signed file. The script automatically increments the serial number for the zone and then re-signs it. I have a separate script that runs this every night from cron.
#!/bin/bash
# this file is /usr/local/bin/sign_zone.sh
domain=$1
if [ -z "$domain" ]; then
    echo "usage: $0 <domain>" >&2
    exit 1
fi
nsec3_salt=$(/usr/local/bin/random_salt)
cd /var/named/dynamic/$domain || exit 1
# the key files live one directory up; pick them by the comment dnssec-keygen
# writes into each .key file ("zone-signing key" / "key-signing key") rather
# than a loose match on "zone", which would also hit the KSK if the domain
# name itself contains "zone". During a rollover more than one file may match.
ZSK=$(grep -il 'zone-signing key' ../K${domain}.*key)
KSK=$(grep -il 'key-signing key' ../K${domain}.*key)
# the zone file must carry the usual "; serial" comment on the SOA serial line
SOA_SERIAL=$(grep serial "$domain" | sed -e 's/^[ \t]*//' | awk '{print $1}')
if [ -z "$ZSK" ] || [ -z "$KSK" ] || [ -z "$SOA_SERIAL" ]; then
    echo "could not find ZSK, KSK or SOA serial for $domain" >&2
    exit 1
fi
NEW_SERIAL=$((SOA_SERIAL + 1))
echo "detected SOA SERIAL: $SOA_SERIAL"
echo "generating a new zone with NEW SOA SERIAL: $NEW_SERIAL"
sed -e "s/[0-9][0-9]*.*;.*serial/${NEW_SERIAL} ; serial/" "$domain" > "$domain.new" && mv "$domain.new" "$domain"
echo "detected ZSK: $ZSK"
echo "detected KSK: $KSK"
echo "running signzone..."
# -3 <salt>: NSEC3 with a fresh salt, -a: verify the signatures after signing,
# -S: smart signing (honour key timing metadata), -k: treat this key as the KSK
echo dnssec-signzone -3 "$nsec3_salt" -a -S -k $KSK "$domain" $ZSK
dnssec-signzone -3 "$nsec3_salt" -a -S -k $KSK "$domain" $ZSK
Code to make a random salt for above:
#!/bin/bash
# save this file as /usr/local/bin/random_salt
# 16 random bytes printed as 32 hex characters (hexdump reads them as four
# 32-bit words) with no trailing newline; -v stops hexdump collapsing
# repeated words into a "*" line
dd if=/dev/urandom bs=16 count=1 2>/dev/null | hexdump -v -e '"%08x"'
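An added example (my own helper code, not part of sign_zone.sh): a serial bump that only touches the serial token, plus a check the nightly cron can run on <domain>.signed to catch RRSIGs nearing expiry, which is what silently breaks a zone when re-signing stops. It assumes the one-record-per-line layout dnssec-signzone writes for RRSIG records; the zone data below is constructed.

```shell
#!/bin/bash
# Added example: serial-bump helper and post-signing RRSIG expiry check.
# The zone data below is a constructed sample (no real keys or signatures).

# Increment the SOA serial of an unsigned zone file in place (the file must
# carry the "; serial" comment sign_zone.sh relies on) and print the new value.
bump_serial() {
    local zone=$1 old new
    old=$(awk '/;[ \t]*serial/ { print $1; exit }' "$zone")
    case $old in ''|*[!0-9]*) echo "no numeric serial in $zone" >&2; return 1;; esac
    new=$((old + 1))
    # Replace only the serial token, keeping indentation and the comment intact.
    sed "s/^\([[:space:]]*\)$old\([[:space:]]*;[[:space:]]*serial\)/\1$new\2/" \
        "$zone" > "$zone.new" && mv "$zone.new" "$zone" || return 1
    echo "$new"
}

# Print the earliest RRSIG expiration (YYYYMMDDHHMMSS) in a signed zone.
# RRSIG rdata is: type alg labels origttl expiry inception keytag signer sig,
# so with "name ttl IN RRSIG" in front the expiry is field 9.
earliest_rrsig_expiry() {
    awk '$4 == "RRSIG" && (min == "" || $9 < min) { min = $9 } END { print min }' "$1"
}

# Return 0 if every RRSIG is still valid past the deadline (YYYYMMDDHHMMSS),
# e.g. deadline=$(date -u -d '+3 days' +%Y%m%d%H%M%S) in cron; otherwise 1.
rrsigs_valid_past() {
    local earliest; earliest=$(earliest_rrsig_expiry "$1")
    [ -n "$earliest" ] && [ "$earliest" -gt "$2" ]
}

# Constructed sample data: an unsigned SOA and a signed zone with two RRSIGs.
write_samples() {
    cat > "$1/example.com" <<'EOF'
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2011031501 ; serial
        3600 900 604800 86400 )
EOF
    cat > "$1/example.com.signed" <<'EOF'
example.com. 86400 IN RRSIG SOA 8 2 86400 20110414000000 20110315000000 12345 example.com. AAAA
example.com. 86400 IN RRSIG NS 8 2 86400 20110410000000 20110315000000 12345 example.com. BBBB
EOF
}

workdir=$(mktemp -d); write_samples "$workdir"
bump_serial "$workdir/example.com"                                   # prints 2011031502
rrsigs_valid_past "$workdir/example.com.signed" 20110407000000 && echo "RRSIGs ok"
```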