ZSK Rollover

Generate key file for the new ZSK.

›_ Console
`# dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "pkcs11:token=Bind;object=zsk1" example.net`

Key file for new ZSK

Add the new ZSK to the zone file example.net.

example.net
`... $include "/usr/local/bin/Kexample.net.+008+60816.key"; //ZSK old $include "/usr/local/bin/Kexample.net.+008+33663.key"; //ZSK new ...`

Re-sign the zone with the KSK and old ZSK.

›_ Console
`# dnssec-signzone -E pkcs11 -x -o example.net -k Kexample.net.+008+33262 /var/named/example.net Kexample.net.+008+60816`

Signing zone with old ZSK

Wait for the zone transfer time and TTL of the key set.
Sign the zone with new ZSK.

›_ Console
`# dnssec-signzone -E pkcs11 -x -o example.net -k Kexample.net.+008+33262 /var/named/example.net Kexample.net.+008+33663`

Signing zone with new ZSK

Wait for the zone transfer time and maximum TTL used in the zone.
Remove old ZSK from the zone file example.net.

example.net
`... $include "/usr/local/bin/Kexample.net.+008+33663.key"; //ZSK new ...`

Re-sign the zone with the KSK. Now we have only one ZSK in example.net so it will automatically pick this new ZSK for signing zone.

›_ Console
`# dnssec-signzone -E pkcs11 -x -o example.net -k Kexample.net.+008+33262 /var/named/example.net`

Signing zone with new ZSK

Stop and start the named service using below command.

›_ Console
`# /usr/local/sbin/named -f -4 -E pkcs11 -c /usr/local/etc/named.conf`

Starting named service

This completes the Integration for Bind9 with Utimaco SecurityServer.