DNSSEC, Bind 8.2.2-T3B, and slave servers

Jesse Whyte jwhyte at mail.state.tn.us
Thu Sep 16 16:09:52 UTC 1999


I have a couple of questions...

1)  The only documentation for DNSSEC implementation in Bind that I have
found is Cricket Liu's Power Point presentation on acmebw.com.  Is there any
other good documentation on how to implement this?  I've read the RFCs and I
think I understand DNSSEC, but I'm looking for an implementation guide.

2)  In setting up DNSSEC, the primary master has a pubkey statement placed
in the named.conf file that looks like this...

zone "foobar.com" {
  type master;
  file "foobar.db";
  pubkey 16641 3 3 "GIBBERISH...";
};

What has to be done to a secondary slave server?  Will I have to run
dnskeygen on the secondary and put the secondary's public key in this area?
This doesn't make sense, because the SIG records are signed with the primary
master's key.  So, should I put the primary master's public key here?

3)  When I set up DNSSEC without any pubkey record on my secondary server, I
get a "signature time is in the future" error when the secondary attempts an
AXFR on the domain.  The time difference on the two devices used to be an
hour (the primary was one hour ahead of the secondary).  So I reset the
times with the date command, reran dnssigner, changed the serial number, and
copied the newly signed file to the production database.  I ran "ndc reload
zone.name.com" and on the secondary, I still got the "signature time is in
the future" error.  How close do these times need to be?  If necessary, I'll
sync the times with NTP, but I am looking for a quick fix at the moment...

Both systems are running Bind 8.2.2-T3B, both systems are Linux.  The
primary master is a 2.0.36 kernel and the secondary slave is a 2.2.9 kernel.
Dns_signer is from the brand new contrib in the /testing directory on
ftp.isc.org that contained 8.2.2-T3B.

Thanks for your help and your advice,

Jesse
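An added example, not part of Jesse's post, that walks through the SIG timing check behind the "signature time is in the future" error in question 3: it parses the fixed fields of an RFC 2535 SIG record and compares inception and expiration against a verifier clock, with an optional skew tolerance. The SIG record, the function names and the skew parameter are constructed for this example; only the key tag 16641 and the zone name come from the post.

```python
from datetime import datetime, timezone

# SIG RR presentation format (RFC 2535 section 4.1): type covered, algorithm,
# labels, original TTL, expiration, inception, key tag, signer's name,
# signature.  Expiration and inception are YYYYMMDDHHMMSS in UTC.
SIG_TIME_FMT = "%Y%m%d%H%M%S"

# Constructed SIG over the SOA of foobar.com; key tag 16641 as in the post,
# inception stamped by a primary whose clock read 16:09:52 UTC on 1999-09-16.
SAMPLE_SIG = "SOA 3 2 3600 19991016160952 19990916160952 16641 foobar.com. AAAA"

def _sig_time(field: str) -> datetime:
    return datetime.strptime(field, SIG_TIME_FMT).replace(tzinfo=timezone.utc)

def parse_sig_rdata(rdata: str) -> dict:
    """Split SIG RDATA into its fixed fields; the base64 signature stays as text."""
    f = rdata.split(maxsplit=8)
    if len(f) < 8:
        raise ValueError("SIG RDATA needs at least 8 fields before the signature")
    return {
        "type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
        "original_ttl": int(f[3]), "expiration": _sig_time(f[4]),
        "inception": _sig_time(f[5]), "key_tag": int(f[6]), "signer": f[7],
        "signature": f[8] if len(f) > 8 else "",
    }

def inception_lead_seconds(rdata: str, now: str) -> int:
    """Seconds by which the SIG inception lies ahead of the verifier clock `now`
    (YYYYMMDDHHMMSS UTC); zero or negative means the inception has passed."""
    sig = parse_sig_rdata(rdata)
    return int((sig["inception"] - _sig_time(now)).total_seconds())

def check_sig_times(rdata: str, now: str, max_skew_seconds: int = 0) -> str:
    """Classify a SIG as 'ok', 'future' or 'expired' at verifier time `now`.

    RFC 2535 requires inception <= now <= expiration, i.e. no tolerance at all;
    max_skew_seconds is a parameter of this example, not a BIND setting.
    """
    sig = parse_sig_rdata(rdata)
    if sig["expiration"] < sig["inception"]:
        raise ValueError("SIG expiration precedes inception")
    t = _sig_time(now)
    if (sig["inception"] - t).total_seconds() > max_skew_seconds:
        return "future"      # the secondary's clock is behind the signer's
    if (t - sig["expiration"]).total_seconds() > max_skew_seconds:
        return "expired"
    return "ok"
```

For the situation in the post, `inception_lead_seconds(SAMPLE_SIG, "19990916150952")` returns 3600 and `check_sig_times` with the default tolerance reports "future" until the secondary's clock reaches the inception time.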


