# 2010/5/26 18:29:08
# rolling KSK
# using https://www.ripe.net/projects/disi/dnssec_howto/dnssec_howto-v1.6.html
#
# Runbook notes, not a runnable script: lines without a leading '#' are the
# commands that were typed, their printed output (key name, signed-file name)
# or zone-file text that was pasted by hand. __domain__ is a placeholder for
# the zone name. The procedure is the double-signature KSK rollover from the
# howto above: publish and sign with old+new KSK, get the new key trusted
# upstream, then drop the old one.
#
# generating new KSK
# -a RSASHA1 -b 4096 : 4096-bit RSA key using SHA-1, DNSSEC algorithm 5 (the
#   "+005+" in the generated key name). NOTE(review): SHA-1-based DNSSEC
#   signing has since been deprecated (RFC 8624); a new rollover should use a
#   current algorithm such as RSASHA256 or ECDSAP256SHA256 instead.
# -n ZONE -f KSK     : zone key with the SEP flag set, i.e. a Key Signing Key.
# -r/dev/random      : entropy source; may block on a headless host until
#   enough entropy has been gathered.
dnssec-keygen -r/dev/random -a RSASHA1 -b 4096 -n ZONE -f KSK __domain__
# Output of dnssec-keygen: the key name K<zone>.+<algorithm>+<keytag>. It
# produces <name>.key (the public DNSKEY record) and <name>.private; the
# .private file is the secret that signs the zone and must stay readable only
# by the signing user, never copied next to the published zone data.
K__domain__.+005+52558
# Insert the new KSK into the zone file:
#vi __domain__.hosts
# The next two lines are zone-file text (';' is the zone-file comment
# character), not shell. The $include pulls the new key's public DNSKEY RR
# into the zone so that both the old and the new KSK are published while the
# rollover is in progress.
; 2010/5/26 17:20:06
$include K__domain__.+005+52558.key
# Sign the zone with both KSKs and the active ZSK.
# -N INCREMENT bumps the SOA serial; -o gives the zone origin; each -k names a
# KSK (old 28678 and new 52558) and the trailing .key file is the ZSK used for
# the zone's RRSIGs. Signing with both KSKs keeps the zone valid for resolvers
# that still trust only the old key.
dnssec-signzone -N INCREMENT -o __domain__ -k K__domain__.+005+28678.key -k K__domain__.+005+52558.key __domain__.hosts K__domain__.+005+56916.key
# Output: the signed zone file that named is configured to load.
__domain__.hosts.signed
# restart bind
# (reloading the zone is enough to pick up the new signed file; a full restart
# of named is not required)
# request re-check & add record
# NOTE(review): dlv.isc.org was ISC's DNSSEC Look-aside Validation registry,
# used when the parent zone could not carry a DS record for this zone. ISC
# shut the DLV service down in 2017, so this step no longer applies; the
# equivalent today is publishing a DS record for the new KSK (52558) at the
# parent zone via the registrar and confirming it is served before the old
# KSK is removed below.
https://dlv.isc.org/
# add dlv TXT record
# (presumably the registry's ownership-proof TXT record; the registry tells
# you the exact record to add -- verify against its instructions)
# Sign the zone with both KSKs and the active ZSK.
# Same double-KSK dnssec-signzone invocation as above, re-run so the added
# record is covered by signatures.
# restart bind
# cleanup old KSK
# Only do this once the new KSK is trusted upstream (DLV/DS entry live) and
# the old DNSKEY RRset has aged out of resolver caches (at least its TTL);
# dropping the old KSK earlier makes the zone bogus for validating resolvers.
#vi __domain__.hosts
# (remove the $include line for the old key K__domain__.+005+28678.key here so
# the old DNSKEY is no longer published -- inferred from the step, confirm)
# Sign the zone with new KSK and the active ZSK.
# Only -k K__domain__.+005+52558.key remains; the old KSK 28678 is no longer in
# the signing set.
dnssec-signzone -N INCREMENT -o __domain__ -k K__domain__.+005+52558.key __domain__.hosts K__domain__.+005+56916.key
# restart bind
# archive old KSK
# The old .private file is still sensitive until every trust anchor and cached
# DNSKEY for it has expired: store it offline/encrypted with restricted
# permissions, or destroy it once the rollover is confirmed complete.