I wrote myself a small bash script to handle ZSK rollover, it might handle KSK but I have tried it. All it does is to setup for a DNSSEC-keygen. My idea is to automatically pick a ZSK and use it as the base for the next key set, as per the -S param in DNSSEC-keygen. The only real additions are the calculation of an Inactivation and a Deletion date based upon the new keys Activation date retrieved from the base key. I use a param which I call the "active life" (Active - Inactive) and a second param called "retirement" (Inactive - deletion).
A couple of questions: Does anybody know if key rolling is going to be part of Bind (as part of maintain/inline) maybe? Has the been any discussion on basing the +/-nn part of the date/time params, not on today, but on one of the existing params when the -S option is used?