I am going to use my own names for the various periods in the life of a DNSSEC key set. I know that there are some standard definitions in an RFC; however, I find the official names less than informative.

For this exercise all time is measured in days

|<--------------------------- Key Life ------------------------------>|
|                                                                     |
|<- Lead Time ->|<--------- Active  Life --------->|<-  Retirement  ->|
|               |                                  |                  |
|____ __________|__________________________________|__________________|
|    |          |                                  |                  |
|  Publish      |                                  |                  |
|               |                                  |                  |
|<- Create      |<- Active              Inactive ->|          Delete->|

  1. Retrieve the information from the current key (ZSK for now).

  2. Subtract the lead time from the current key's inactive day (GD). The result is the earliest date for generating a new key set.
    Note: A new key set can be generated at any time after the planned creation date and before the publish date (deadline). I am personally of the opinion that the interval between creation and publishing should be zero, but this period can provide for some operational flexibility.

  3. If GD is less than or equal to today's date, then generate a new key set using the current key (the same as 1).
    Note: This can be done using dnssec-keygen with the -S option and the interval between publish and active as the -i option. The resulting key should have an active date equal to the current key's inactive date and an appropriate publish date.

  4. Set the inactive and delete times. This can be incorporated into the keygen using the -I and -D options.

  5. Repeat the process in active-life days' time.
Problem:
--
John Allen
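Steps 2 to 4 above are a small piece of date arithmetic, and the place where a rollover usually goes wrong is the deadline check in step 2 (generating after the publish date has already passed). The following script, an added example and not code from the post or from BIND, walks the procedure with the post's own names. It assumes the current key's timing fields are read from the `Created:`/`Publish:`/`Activate:`/`Inactive:`/`Delete:` lines of a BIND-style `.private` file (YYYYMMDDHHMMSS stamps); the key name `Kexample.com.+013+12345` and the sample metadata are constructed placeholders, and the `dnssec-keygen -S` command line is built as a string for review rather than executed.

```python
"""Plan a DNSSEC ZSK successor from the current key's timing metadata.

Added example (not from the original post). Intervals are in days, as in
the post: lead_time = create -> active, pub_to_active = publish -> active,
active_life = active -> inactive, retirement = inactive -> delete.
"""
from datetime import datetime, timedelta

STAMP = "%Y%m%d%H%M%S"  # timestamp form used in BIND key files and -I/-D

# Constructed sample: timing lines of the current ZSK's .private file.
CURRENT_KEY_NAME = "Kexample.com.+013+12345"  # placeholder key name
CURRENT_KEY_META = """\
Private-key-format: v1.3
Algorithm: 13 (ECDSAP256SHA256)
Created: 20240101000000
Publish: 20240101000000
Activate: 20240108000000
Inactive: 20240407000000
Delete: 20240507000000
"""

TIMING_FIELDS = ("Created", "Publish", "Activate", "Inactive", "Delete")


def parse_stamp(text):
    """Turn a YYYYMMDDHHMMSS stamp into a datetime."""
    return datetime.strptime(text.strip(), STAMP)


def parse_timing(meta):
    """Step 1: pull the timing fields out of the key metadata.

    Returns a dict keyed by the lowercase field name.
    """
    timing = {}
    for line in meta.splitlines():
        name, _, value = line.partition(":")
        if name in TIMING_FIELDS:
            timing[name.lower()] = parse_stamp(value)
    missing = [f for f in ("inactive",) if f not in timing]
    if missing:
        raise ValueError("key metadata lacks fields: %s" % ", ".join(missing))
    return timing


def plan_successor(current, today, lead_time, pub_to_active,
                   active_life, retirement, key_name=CURRENT_KEY_NAME):
    """Steps 2-4 of the post.

    Returns None while the generation date (GD) is still in the future,
    otherwise a dict with the successor's dates and the keygen command.
    Raises ValueError if the publish deadline has already been missed.
    """
    if pub_to_active > lead_time:
        raise ValueError("publish->active interval cannot exceed the lead time")

    # Step 2: earliest generation date is the current inactive date minus lead time.
    gd = current["inactive"] - timedelta(days=lead_time)

    # Step 3: nothing to do yet if GD lies in the future.
    if today < gd:
        return None

    # The successor becomes active exactly when the current key goes inactive;
    # dnssec-keygen -S sets this, and -i sets how long before that it is published.
    active = current["inactive"]
    publish = active - timedelta(days=pub_to_active)
    if today > publish:
        # Deadline check: the prepublication window must still be ahead of us.
        raise ValueError("publish date %s already passed; rollover is late"
                         % publish.strftime(STAMP))

    # Step 4: inactive and delete times for the new key, passed as -I and -D.
    inactive = active + timedelta(days=active_life)
    delete = inactive + timedelta(days=retirement)

    # Assumed command form: successor of key_name, prepublication interval in
    # days, absolute inactive/delete stamps.
    cmd = "dnssec-keygen -S %s -i %dd -I %s -D %s" % (
        key_name, pub_to_active, inactive.strftime(STAMP), delete.strftime(STAMP))

    return {"gd": gd, "publish": publish, "active": active,
            "inactive": inactive, "delete": delete, "cmd": cmd}


if __name__ == "__main__":
    current = parse_timing(CURRENT_KEY_META)
    plan = plan_successor(current, today=parse_stamp("20240325000000"),
                          lead_time=14, pub_to_active=7,
                          active_life=90, retirement=30)
    if plan is None:
        print("too early to generate the successor")
    else:
        for name in ("gd", "publish", "active", "inactive", "delete"):
            print("%-9s %s" % (name, plan[name].strftime(STAMP)))
        print(plan["cmd"])
```

Step 5 is then just running the script again once the new key is in place; because it reads the inactive date from the key itself, the next GD falls out automatically rather than being tracked by hand. The ValueError on a missed publish deadline is the condition worth alerting on from a cron job: it means the successor will be published with less prepublication time than the -i interval was meant to guarantee.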