Debian DNSSEC - howto secure a domain?

Background: DNSSEC in reality is a couple of security keys and several DNS records that should exist in addition to your normal DNS records. Those reside in two places:

  1. Authoritative DNS server for your domain. This holds the DNSKEY, RRSIG and NSEC/NSEC3 records.
  2. Authoritative DNS server for your parent domain ("com" domain for example.com). This holds DS records.

Private keys themselves can actually be stored anywhere (or even deleted after they have been used to sign everything that has to be signed), but normally they will also reside somewhere on the domain's authoritative server.

Now, the answer to your question depends on how your DNS provider will implement DNSSEC support.

In the simplest (for you) scenario, the DNS hosting will do all the work (creating KSK and ZSK keys, publishing DNSKEY records, signing and automatically re-signing the zone file with RRSIG and NSEC/NSEC3 records, and preparing the DS key that you will send to your registrar).

(As you see, it requires support not only from your DNS hosting but also from your registrar. ICANN maintains a list of DNSSEC-supporting registrars.)

In this case you will only have to copy the DS key provided by your DNS hosting and send it to your registrar (hopefully via a web interface or by any other means that your registrar supports).

P.S. As you see, the whole process has nothing to do with your computer(s) nor with any OS which you run, be it Debian or Windows, heaven forbid.
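Added example, not part of the original answer: the DS record held by the parent zone is a digest of the child zone's KSK DNSKEY (RFC 4034, RFC 4509), so the value your DNS hosting hands you can be checked against the published DNSKEY before you send it to the registrar. The function names and the sample key below are constructed for illustration; the sketch assumes ASCII (or punycode) names and SHA-256 (digest type 2).

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for the obsolete algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key_tag, algorithm, digest_type, digest_hex) for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    # The digest covers the owner name as well as the key, so a DS computed
    # for one zone never matches the same key published under another name.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def ds_matches(ds_text, owner, flags, protocol, algorithm, pubkey_b64):
    """Compare a DS in presentation form ('tag alg type digest') with a DNSKEY."""
    tag, alg, dtype, digest = ds_text.split(None, 3)
    got = (int(tag), int(alg), int(dtype), digest.replace(" ", "").upper())
    return got == make_ds(owner, flags, protocol, algorithm, pubkey_b64)

# Constructed sample: 64 placeholder bytes standing in for an algorithm 13
# (ECDSA P-256) public key. This is not a real key.
SAMPLE_OWNER = "example.com."
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    # Flags 257 marks a key-signing key (zone key + SEP bit); protocol is always 3.
    tag, alg, dtype, digest = make_ds(SAMPLE_OWNER, 257, 3, 13, SAMPLE_PUBKEY_B64)
    ds_line = f"{tag} {alg} {dtype} {digest}"
    print(f"{SAMPLE_OWNER} IN DS {ds_line}")
    print("matches DNSKEY:", ds_matches(ds_line, SAMPLE_OWNER, 257, 3, 13, SAMPLE_PUBKEY_B64))
```

A mismatch between the DS at the registrar and the DNSKEY served by the zone makes validating resolvers treat the whole domain as bogus, which is why this comparison is worth doing before submitting the DS.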