Zonesigner is a DNS zone file signing script that makes the process of signing DNS zones incredibly easy. With a single call to the script you can perform all the operations needed to sign a zone. Although it is designed to "just do the right thing", it is highly flexible and can be tailored to meet the needs of each deployed environment.
You can either keep reading, or you might be interested in watching a demonstration video on the subject.
Getting started with zonesigner is easy. Simply run it as follows the first time:
zonesigner --genkeys db.example.com db.example.com.signed
It will generate new keys for you (that's what the --genkeys option does) and place the finished and signed zone file in the db.example.com.signed file which you should serve with your name server. Next time you need to update your zone simply run the same command without the --genkeys option:
zonesigner db.example.com db.example.com.signed
That's it! There are, of course, many other options.
RFC 5155 defines NSEC3, which prevents zone enumeration (zone walking). If you wish to use NSEC3 you'll need version 9.6 or later of the BIND software and version 1.5 or later of the DNSSEC-Tools package. Pass the --usensec3 flag to zonesigner to sign your zone with NSEC3 support.
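The two-step workflow above (first run with --genkeys, later runs without) and the optional --usensec3 flag can be wrapped in a small shell script so an operator cannot accidentally regenerate keys on a routine re-sign. The script below is an added example and is not part of the DNSSEC-Tools project; it assumes the zone and output file names are passed in by the caller, that a missing signed output file means "first signing", and that the ZONESIGNER variable can be pointed at a different binary or shell function for dry runs. The check_signed function only confirms that the output carries DNSKEY and RRSIG records; it is a cheap sanity check, not a substitute for validating the chain of trust.

```shell
#!/bin/sh
# Added example (not DNSSEC-Tools project code): wrapper for the zonesigner
# workflow described on the page.  Assumptions: caller supplies file names;
# ZONESIGNER may be overridden for testing.

ZONESIGNER="${ZONESIGNER:-zonesigner}"

# Usage: sign_zone ZONEFILE SIGNEDFILE [nsec3]
# First signing (no signed output yet) adds --genkeys, as in the page's
# first command; later re-signings reuse the existing keys.  The optional
# "nsec3" mode adds --usensec3 (BIND 9.6+ and DNSSEC-Tools 1.5+ required).
sign_zone() {
    zone_file="$1"
    signed_file="$2"
    mode="${3:-}"
    set --                                   # rebuild the argument list
    if [ ! -e "$signed_file" ]; then
        set -- "$@" --genkeys                # only on the very first run
    fi
    if [ "$mode" = nsec3 ]; then
        set -- "$@" --usensec3
    fi
    "$ZONESIGNER" "$@" "$zone_file" "$signed_file"
}

# Sanity check on the output: a signed zone must carry at least one DNSKEY
# and one RRSIG record.  Returns 0 if both are present, non-zero otherwise.
check_signed() {
    grep -q '[[:space:]]DNSKEY[[:space:]]' "$1" &&
        grep -q '[[:space:]]RRSIG[[:space:]]' "$1"
}

# Typical use (mirrors the page's commands):
#   sign_zone db.example.com db.example.com.signed && \
#       check_signed db.example.com.signed
```

Run sign_zone from cron or a deploy hook; because the --genkeys decision is driven by the presence of the signed file, a re-run after a successful first signing keeps the published keys stable, and check_signed gives a quick fail-closed gate before the signed file is copied to the name server.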