
For anyone else who is contemplating a similar path, I would recommend the following article, which explains how to set up in-line signing of zones using NSEC3: https://deepthought.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in...

Note that if you have /etc/rndc.key installed (the exact location may depend on the distribution), you don't need to include the rndc-related material from the sample configuration shown in the article.

Also, if you're running Fedora, as my server is, you need to configure SELinux to allow Bind to write to the zone files:

    setsebool -P named_write_master_zones 1

Yes, I discovered this the hard way with file creation errors and audit logs. audit2allow recommended changing the above setting.

Comments are welcome, as always. I have more work to do to implement some of Rick's suggestions, but that won't happen tonight.
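As an added example (not part of the post above), here is a small check that turns the "file creation errors and audit logs" step into something repeatable: it counts AVC denials where named was refused write access to zone files and combines that with the state of the named_write_master_zones boolean. The audit records and the getsebool line are constructed sample input so it runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example: is SELinux blocking BIND's in-line signing writes?
# Constructed sample of audit.log records (what `ausearch -m avc -c named`
# would show when the boolean is off and named tries to write a .signed file).
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=1234 comm="named" name="example.com.signed" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { create } for  pid=1234 comm="named" name="example.com.signed.jnl" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=999 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0'

# Read audit records on stdin; print how many are denials of the named_t
# domain on named_zone_t files for the permissions signing needs.
count_named_zone_denials() {
    awk '/avc: +denied/ && /scontext=[^ ]*:named_t:/ && /tcontext=[^ ]*:named_zone_t:/ \
         && /[{] (write|create|add_name|remove_name|unlink|rename) [}]/ { n++ }
         END { print n+0 }'
}

# $1: one line of `getsebool` output ("named_write_master_zones --> off");
# prints just the state.
sebool_state() {
    printf '%s\n' "$1" | awk -F' --> ' '{ print $2 }'
}

# $1: denial count, $2: boolean state. Prints the remedy the post arrived at,
# or what to look at instead when the boolean is already on.
diagnose() {
    if [ "$1" -gt 0 ] && [ "$2" = "off" ]; then
        echo 'setsebool -P named_write_master_zones 1'
    elif [ "$1" -gt 0 ]; then
        echo 'denials present with boolean on: check zone directory labels (restorecon -Rv /var/named)'
    else
        echo 'no SELinux denials for named zone writes'
    fi
}

# Demo on the constructed input. On a real host feed it
#   ausearch -m avc -c named | count_named_zone_denials
#   sebool_state "$(getsebool named_write_master_zones)"
denials=$(printf '%s\n' "$SAMPLE_AUDIT" | count_named_zone_denials)
state=$(sebool_state 'named_write_master_zones --> off')   # constructed getsebool line
diagnose "$denials" "$state"
```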