If the KSK is also compromised, perform the emergency KSK rollover first.
The emergency procedures described for key rollover rest on the rationale that injection of valid but false data (which can be generated using the compromised key) is more serious than a discontinuity in our ability to validate true data. Thus, during an emergency ZSK rollover there will be a period (up to twice the maximum zone TTL) during which cached zone data may not validate against the new ZSK.
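The following Python model is an added illustration of the trade-off just described; it is not DNSSEC-Tools code and does not come from the original guide. It replaces RRSIG verification with key-tag matching (a signed RRset validates when the tag of its signing key is in the DNSKEY RRset the resolver trusts), withdraws the compromised ZSK immediately as the emergency procedure does, and then measures, for a single caching layer, how long true data can fail validation and how long forged data signed with the compromised key would still be accepted. The zone name, key tags, TTL and rollover instant are constructed values; because only one caching layer is modelled, the gap it measures is bounded by, not equal to, the "up to twice the maximum zone TTL" figure given above.

```python
"""Model of the trade-off behind an emergency ZSK rollover.

Added illustration; this is not DNSSEC-Tools code. Real RRSIG verification is
replaced by key-tag matching: a signed RRset "validates" when the tag of the key
that signed it is present in the DNSKEY RRset the resolver currently trusts.
Only one caching layer is modelled, so the gap measured here is bounded by,
not equal to, the "up to twice the maximum zone TTL" figure in the text.
Zone name, key tags, TTL and rollover time are constructed values.
"""
from __future__ import annotations

from dataclasses import dataclass

KSK_TAG, OLD_ZSK_TAG, NEW_ZSK_TAG = 11111, 22222, 33333  # constructed key tags
MAX_TTL = 3600      # constructed maximum zone TTL, in seconds
ROLL_AT = 10_000    # constructed instant at which the re-signed zone is published
ZONE_NAME = "www.example.test."  # constructed owner name


@dataclass(frozen=True)
class CachedRRset:
    """A signed RRset as held in a resolver cache."""
    name: str
    signer_tag: int   # key tag carried in the covering RRSIG
    fetched_at: int   # second at which the resolver cached it
    ttl: int

    def expired(self, now: int) -> bool:
        return self.fetched_at + self.ttl <= now


def dnskey_tags_at(t: int) -> frozenset[int]:
    """DNSKEY RRset the zone publishes at time t: the compromised ZSK is
    withdrawn immediately rather than pre-published alongside its successor."""
    zsk = OLD_ZSK_TAG if t < ROLL_AT else NEW_ZSK_TAG
    return frozenset({KSK_TAG, zsk})


def signing_zsk_at(t: int) -> int:
    """ZSK whose RRSIGs cover the zone data served at time t."""
    return OLD_ZSK_TAG if t < ROLL_AT else NEW_ZSK_TAG


def validates(rrset: CachedRRset, trusted_tags: frozenset[int]) -> bool:
    """Simplified validation: the signing key must be in the trusted DNSKEY RRset."""
    return rrset.signer_tag in trusted_tags


def refreshed(fetched_at: int, now: int) -> int:
    """A cache entry older than MAX_TTL is refetched from the zone at 'now'."""
    return now if fetched_at + MAX_TTL <= now else fetched_at


def resolver_validates(now: int, data_fetched_at: int, dnskey_fetched_at: int) -> bool:
    """Does a resolver that cached the data RRset at data_fetched_at and the
    DNSKEY RRset at dnskey_fetched_at validate the data at 'now'?"""
    data_fetched_at = refreshed(data_fetched_at, now)
    dnskey_fetched_at = refreshed(dnskey_fetched_at, now)
    rrset = CachedRRset(ZONE_NAME, signing_zsk_at(data_fetched_at), data_fetched_at, MAX_TTL)
    return validates(rrset, dnskey_tags_at(dnskey_fetched_at))


def stale_copy_fails(now: int) -> bool:
    """Worst case at 'now': one of the two RRsets was fetched just before the
    rollover and the other is fresh. Either combination mixes old and new keys."""
    last_old = min(now, ROLL_AT - 1)
    return (not resolver_validates(now, last_old, now)
            or not resolver_validates(now, now, last_old))


def validation_gap() -> tuple[int, int]:
    """Half-open interval [start, end) of seconds during which some resolver
    may be unable to validate true zone data."""
    failing = [t for t in range(ROLL_AT - MAX_TTL, ROLL_AT + 3 * MAX_TTL)
               if stale_copy_fails(t)]
    if not failing:
        return (ROLL_AT, ROLL_AT)
    return (failing[0], failing[-1] + 1)


def forged_record_accepted(now: int, dnskey_fetched_at: int) -> bool:
    """The other side of the trade-off: false data signed with the compromised
    ZSK is accepted for as long as a resolver still trusts the old DNSKEY RRset."""
    dnskey_fetched_at = refreshed(dnskey_fetched_at, now)
    forged = CachedRRset(ZONE_NAME, OLD_ZSK_TAG, now, MAX_TTL)
    return validates(forged, dnskey_tags_at(dnskey_fetched_at))


if __name__ == "__main__":
    start, end = validation_gap()
    print(f"true data may fail validation for {end - start}s after t={ROLL_AT}"
          f" (bound from the text: {2 * MAX_TTL}s)")
    print("forged data accepted before rollover:",
          forged_record_accepted(ROLL_AT - 10, ROLL_AT - 10))
    print("forged data accepted two TTLs after rollover:",
          forged_record_accepted(ROLL_AT + 2 * MAX_TTL, ROLL_AT - 10))
```

Running the model shows both halves of the rationale at once: true data signed under the new ZSK fails for resolvers holding a pre-rollover copy of either the data or the DNSKEY RRset until that copy's TTL runs out, while forged data under the compromised key stops being accepted as soon as a resolver refetches the DNSKEY RRset. Pre-publishing the new ZSK first, as in a scheduled rollover, would avoid the validation gap but extend the window in which the compromised key is still trusted, which is exactly the trade the emergency procedure refuses to make.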
The DNSSEC-Tools utilities do not currently handle emergency KSK rollover. However, the utilities may be used to automate some of the steps required.