DNSSEC Key Rollovers Explained

In an earlier post I explained the idea of DNSSEC and how to generate keys and sign your DNS zone. In this post I will walk you through the rollover methods as described in RFC 6781. You should understand the rollover process so that you can securely run your zone. This way you can replace a key in a secure manner when necessary, without service interruptions.

In the earlier post I explained that most DNSSEC-signed zones use two sets of keys, a Key Signing Key (KSK) and a Zone Signing Key (ZSK). The ZSK is used most often, should be replaced about yearly, and is also the easiest to replace. Once that process is explained, it is easier to understand how to roll over a KSK as well.