AFAICT this does not include an ACME implementation or anything like that, so:
You will need to obtain a suitable TLS certificate (for which you will have generated a private key).
For this to be of practical use outside of a toy, you will probably need to obtain the certificate from a different CA since you would want an ipAddress SAN (a certificate for the IP address of your DNS server, not the hostname) so that remote systems can use this server without also needing DNS, since if they have perfectly good DNS why use this server?
For a toy you can self-sign a certificate and set your test systems to trust that self-signed cert or whatever.
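The toy case described above, as an added example that is not part of the original post: it self-signs one certificate with an ipAddress SAN and one with only a dNSName SAN, then checks which of them a client connecting by IP address would accept. It assumes OpenSSL 1.1.1 or later (for `-addext`); the address `192.0.2.53`, the name `dns.example.test` and the helper names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example. 192.0.2.53 and dns.example.test are constructed placeholder
# values; make_cert and cert_matches_ip are hypothetical helper names.
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# make_cert NAME SAN: write a self-signed certificate and private key whose
# only SAN entry is SAN, e.g. "IP:192.0.2.53" or "DNS:dns.example.test".
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=toy-dns-server" \
        -addext "subjectAltName = $2" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" 2>/dev/null
}

# cert_matches_ip NAME IP: succeeds only if the certificate carries an
# ipAddress SAN equal to IP. A dNSName SAN or the CN never satisfies this.
cert_matches_ip() {
    openssl x509 -in "$WORKDIR/$1.pem" -noout -checkip "$2" 2>&1 |
        grep -q "does match certificate"
}

demo() {
    make_cert by-ip "IP:192.0.2.53"
    make_cert by-name "DNS:dns.example.test"
    for c in by-ip by-name; do
        if cert_matches_ip "$c" 192.0.2.53; then
            echo "$c: accepted by a client configured with 192.0.2.53"
        else
            echo "$c: rejected when the client connects by IP"
        fi
    done
}
demo
```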