On 20.01.2015, at 04:47, John <john@klam.ca> wrote:
> I wrote myself a small bash script to handle ZSK rollover; it might handle KSK but I have tried it. All it does is to set up for a dnssec-keygen. My idea is to automatically pick a ZSK and use it as the base for the next key set, as per the -S param in dnssec-keygen. The only real additions are the calculation of an Inactivation and a Deletion date based upon the new key's Activation date retrieved from the base key. I use a param which I call the "active life" (Active - Inactive) and a second param called "retirement" (Inactive - deletion).
Just in case you don't know this already: DNSSEC Zone Key Tool (http://www.zonekeytool.de) is a combination of scripts to handle key rollover with BIND.
Regards, Jan
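
The date calculation described in the quoted message, as an added sketch that is neither John's script nor part of DNSSEC Zone Key Tool. It assumes the base key file carries BIND's `; Inactive:` timing comment, which `dnssec-keygen -S` uses as the successor's activation date; the function names, the sample key text and the key name are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

FMT = "%Y%m%d%H%M%S"  # timestamp format in BIND key files and for -I / -D

# Constructed sample of the timing comments at the top of a K*.key file.
SAMPLE_KEY = """\
; This is a zone-signing key, keyid 12345, for example.com.
; Created: 20150101000000 (Thu Jan  1 00:00:00 2015)
; Publish: 20150101000000 (Thu Jan  1 00:00:00 2015)
; Activate: 20150101000000 (Thu Jan  1 00:00:00 2015)
; Inactive: 20150401000000 (Wed Apr  1 00:00:00 2015)
; Delete: 20150501000000 (Fri May  1 00:00:00 2015)
example.com. IN DNSKEY 256 3 8 AwEAAc...constructed
"""

def key_times(key_text):
    """Parse the '; Name: YYYYMMDDHHMMSS' comments into datetimes."""
    return {m.group(1): datetime.strptime(m.group(2), FMT)
            for m in re.finditer(r"^; (\w+): (\d{14})\b", key_text, re.M)}

def successor_plan(key_text, active_life_days, retirement_days):
    """Derive the successor's Activate / Inactive / Delete dates."""
    base = key_times(key_text)
    if "Inactive" not in base:
        # Without it there is no activation date to chain from.
        raise ValueError("base key has no Inactive date "
                         "(set one with dnssec-settime -I)")
    activate = base["Inactive"]  # successor takes over when base retires
    inactive = activate + timedelta(days=active_life_days)   # "active life"
    delete = inactive + timedelta(days=retirement_days)      # "retirement"
    return {"activate": activate, "inactive": inactive, "delete": delete}

def keygen_command(base_key_name, plan, key_dir="."):
    """Argument list for dnssec-keygen; -P and -A are left out because
    -S derives publication and activation from the base key itself."""
    return ["dnssec-keygen", "-K", key_dir, "-S", base_key_name,
            "-I", plan["inactive"].strftime(FMT),
            "-D", plan["delete"].strftime(FMT)]

if __name__ == "__main__":
    plan = successor_plan(SAMPLE_KEY, active_life_days=90, retirement_days=30)
    print(" ".join(keygen_command("Kexample.com.+008+12345", plan)))
```
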