This section gives the steps necessary for the double-signature scheme for KSK rollover. The alternative, the pre-publish method, is used for rolling over ZSKs. Double signatures for records signed by the ZSK can increase the size of the zone many times. The pre-publish scheme, although requiring more steps for the rollover, does not suffer from this problem. The size argument does not apply during KSK rollover since the DNSKEY RRset is the only record doubly signed by the KSK.
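The size argument above can be checked on a signed zone mid-rollover: only the DNSKEY RRset should carry RRSIGs from both KSKs. The following is an added example, not part of DNSSEC-Tools or the original page; it assumes the zone has been flattened to one record per line with explicit owner, TTL and class, and the keys, names and signature data are constructed placeholders.

```python
import base64, struct
from collections import defaultdict

def key_tag(flags, proto, alg, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def doubly_signed_by_ksk(zone_text):
    """Return the (owner, type) RRsets that carry RRSIGs from two or more KSKs."""
    ksk_tags, signers = set(), defaultdict(set)
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 8 or f[2] != "IN":
            continue
        if f[3] == "DNSKEY" and int(f[4]) & 1:  # SEP bit set: treated as a KSK
            ksk_tags.add(key_tag(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:])))
        elif f[3] == "RRSIG" and len(f) >= 13:
            # RDATA: covered alg labels ttl expiration inception key-tag signer sig
            signers[(f[0], f[4])].add(int(f[10]))
    return sorted(k for k, tags in signers.items() if len(tags & ksk_tags) >= 2)

# Constructed keys: (flags, base64 public key). The key bytes are placeholders.
OLD_KSK, NEW_KSK, ZSK = (257, "AQIDBA=="), (257, "BQYHCA=="), (256, "CQoLDA==")

def sample_zone(ksks=(OLD_KSK, NEW_KSK)):
    """Build a constructed signed zone; signature data is a dummy string."""
    def sig(owner, rtype, key):
        tag = key_tag(key[0], 3, 8, key[1])
        return (f"{owner} 3600 IN RRSIG {rtype} 8 {owner.count('.')} 3600 "
                f"20300101000000 20250101000000 {tag} example.com. c2ln")
    lines = [f"example.com. 3600 IN DNSKEY {fl} 3 8 {k}" for fl, k in (*ksks, ZSK)]
    lines += [sig("example.com.", "DNSKEY", k) for k in (*ksks, ZSK)]
    lines += [sig("example.com.", t, ZSK) for t in ("SOA", "NS")]
    lines.append(sig("www.example.com.", "A", ZSK))
    return "\n".join(lines)

if __name__ == "__main__":
    print(doubly_signed_by_ksk(sample_zone()))
```

Any RRset other than the zone-apex DNSKEY appearing in the result means a KSK is signing zone data, which is where the zone-size growth described above would come from.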
The DNSSEC-Tools utilities do not currently handle KSK rollover. The steps given below detail the double-signature scheme used for KSK rollover.