DNSSEC made simple, is this possible?

Howard Leadmon howard at leadmon.net
Wed Jan 11 15:31:11 UTC 2012


 OK, in an attempt to start using DNSSEC over here, I suppose I bit myself
in the backside, and even spending some time using googlefu I still haven't
quite figured this all out.

 I am currently running the current BIND 9.8.1, and set up to support DNSSEC.
After reading around a bit, I saw that setting auto-dnssec in the config
would read in the keys and sign the zones automatically, this seemed in
theory to be perfect, so I configured it this way.   After that the domains
were signed, and going to places like the Verisign debugger showed my domain
was happily secured with DNSSEC.

 Then I go to make a change to my DNS file, whoa was I in for a shock, as
apparently BIND took my nice text file for DNS I have edited for ages, and
converted it into a full signed zone.   Try and edit that file, and of
course it bitches about it no longer matching the .jnl file and drops the
zone.    This sure makes it hard to update things, well the way I am used to
doing it.

 So I guess my million dollar question is, I want to use DNSSEC (it's
actually working now), but I want to be able to edit my zone files the way I
always have for many years, and just have BIND sign the zones with the keys
and update as needed to keep DNS running smoothly.   Is there some easy way
to do this, some scripts someone has made, or some documentation to walk me
through accomplishing this?

 I can't believe there aren't a lot of others that have run DNS just as I
have for years and years, and just want a nice simple way to keep using BIND
and implementing the new security for the domains I manage.   I have googled
till I have about turned blue, and maybe I am missing it, but I have seen
some very complex key management systems and so forth, I have no need for
anything that complex, so figure I am missing the solution that is hiding
someplace.   Any pointers??


---
Howard Leadmon 





