KSK Rollover

Generate a key file for the new KSK.

›_ Console
`# dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -f KSK -l "pkcs11:token=Bind;object=ksk1" example.net`

Key file for new KSK

Add the new KSK to the zone file example.net.

example.net
`... $include "/usr/local/bin/Kexample.net.+008+65395.key"; //KSK old $include "/usr/local/bin/Kexample.net.+008+33262.key"; //KSK new ...`

Sign the zone with the old and new KSK.

›_ Console
`# dnssec-signzone -E pkcs11 -x -o example.net -k Kexample.net.+008+65395 -k Kexample.net.+008+33262 /var/named/example.net`

Signing zone with old and new KSK

Wait for the zone transfer time, TTL of DNSKEY resource record set and TTL on the DS record set.
Remove the old KSK entry from zone file example.net.

example.net
`... $include "/usr/local/bin/Kexample.net.+008+33262.key"; //KSK new ...`

Sign the zone with the new KSK.

›_ Console
`# dnssec-signzone -E pkcs11 -x -o example.net -k Kexample.net.+008+33262 /var/named/example.net`

Signing the zone with new KSK