These notes are cribbed from http://www.isc.org/files/DNSSEC_in_6_minutes.pdf

For a bind9 recursor that you want to validate DNSSEC-signed records, run

    dns-root-key.sh > managed-keys.txt

and edit your named.conf as indicated by dnssec-named.conf.

For an authoritative bind9 that you want to sign your domain records, run

    dns-zone-signing.sh example.com /etc/bind/db.com.example

then go sign up for DLV or follow your parent domain's validation procedure.

Add a cron job to periodically (way before your domain's RRSIG expiration date!) run

    dns-zone-resign.sh example.com /etc/bind/db.com.example
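
One way to check the "way before expiration" condition, as an added example (not one of the scripts these notes refer to): the functions below find the earliest RRSIG expiration in a signed zone file and tell a cron job whether it falls at or before a deadline. The function names are hypothetical and the sample zone is constructed.

```sh
#!/bin/sh
# Added example, not one of the scripts these notes refer to.

# Print the earliest RRSIG expiration (YYYYMMDDHHMMSS, UTC) read from stdin.
# RRSIG RDATA order: type covered, algorithm, labels, original TTL, expiration.
# Signed zone files may wrap RDATA in parentheses, so scan token by token.
earliest_rrsig_expiry() {
    awk '
        { sub(/;.*/, "") }                       # drop comments
        {
            for (i = 1; i <= NF; i++) {
                tok = $i
                gsub(/[()]/, "", tok)            # ignore wrapping parentheses
                if (tok == "") continue
                if (tok == "RRSIG") { n = 0; in_sig = 1; continue }
                if (!in_sig || ++n < 5) continue
                # 5th field after RRSIG; the length check rejects the RRSIG
                # mnemonic that also appears inside NSEC type bitmaps
                if (length(tok) == 14 && tok ~ /^[0-9]+$/ && (min == "" || tok < min))
                    min = tok
                in_sig = 0
            }
        }
        END { if (min == "") exit 1; print min }
    '
}

# Constructed sample in signed-zone layout (signatures are placeholders).
sample_zone() {
    cat <<'EOF'
example.com. 3600 IN SOA ns1.example.com. admin.example.com. (
                2024050201 ; serial
                7200 3600 1209600 3600 )
        3600 RRSIG SOA 8 2 3600 (
                20240601000000 20240502000000 12345 example.com.
                cGxhY2Vob2xkZXI= )
        3600 NSEC www.example.com. NS SOA RRSIG NSEC DNSKEY
        3600 RRSIG NSEC 8 2 3600 20240525120000 (
                20240502000000 12345 example.com. cGxhY2Vob2xkZXI= )
EOF
}

# needs_resign FILE DEADLINE: exit 0 when the earliest expiration is at or
# before DEADLINE (YYYYMMDDHHMMSS), 1 when there is margin left, 2 when no
# RRSIG could be read (unsigned file or wrong path).
needs_resign() {
    expiry=$(earliest_rrsig_expiry < "$1") || return 2
    [ "$expiry" -le "$2" ]
}
```

From cron, compute the deadline with something like `date -u -d '+10 days' +%Y%m%d%H%M%S` (this assumes GNU date) and run dns-zone-resign.sh when `needs_resign` succeeds. The path of the signed file depends on how dns-zone-signing.sh names its output, which these notes do not state.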