This section gives the steps of the Pre-Publish Rollover Scheme for ZSK rollover. The alternative, the double-signature method, is used for rolling over KSKs. Double signing adds a second RRSIG, by the incoming ZSK, to every RRset in the zone for the duration of the rollover, which can nearly double the size of a signed zone. The Pre-Publish Rollover Scheme requires more steps but never carries more than one ZSK signature per RRset. The size argument does not apply to KSK rollover, since the DNSKEY RRset is the only RRset signed by the KSK.
In the Pre-Publish Rollover Scheme, multiple ZSKs are maintained for a zone at the same time. These ZSKs are labeled the Current ZSK, the Published ZSK, and the New ZSK. The Current ZSK signs the zone's records. The Published ZSK is carried in the zone's DNSKEY RRset, so resolvers learn and cache it ahead of time, but it does not yet sign any records. The New ZSK has been generated but is not yet in the zone; it will be published next. When the Current ZSK reaches the end of its signing lifetime, the following steps are taken:
The Current ZSK becomes obsolete.
The Published ZSK becomes the Current ZSK.
The New ZSK becomes the Published ZSK.
A new New ZSK is generated.
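The four steps above, as a small runnable model. This is an added example and not DNSSEC-Tools code: it tracks which ZSK is in which role, which keys the DNSKEY RRset carries, and which key each RRSIG was made with, using hypothetical integer key tags instead of real key material. It checks the property that makes the scheme work, namely that the key taking over signing was already published, and contrasts the per-RRset signature count with the double-signature method. The model has no notion of time; a real rollover must also wait the DNSKEY TTL between publishing a key and signing with it, and between retiring a key and removing it.

```python
"""Model of the Pre-Publish ZSK rollover (added example, not DNSSEC-Tools code)."""
from dataclasses import dataclass, field
from itertools import count

# Hypothetical key tags handed out by a counter; real tags are derived from key material.
_tags = count(10001)


def make_zsk() -> int:
    """Stand-in for generating a fresh ZSK: returns a hypothetical key tag."""
    return next(_tags)


@dataclass
class Zone:
    """One zone under the Pre-Publish scheme (the KSK is left out of the model)."""
    current: int          # signs zone data
    published: int        # in the DNSKEY RRset, signs nothing yet
    new: int              # generated, not yet in the zone
    rrsets: list          # owner names of the zone's non-DNSKEY RRsets
    obsolete: list = field(default_factory=list)

    def dnskey_rrset(self) -> set:
        """ZSKs a resolver sees (and caches) in the zone's DNSKEY RRset."""
        return {self.current, self.published}

    def rrsigs(self) -> dict:
        """Pre-Publish signing: exactly one RRSIG per RRset, by the Current ZSK."""
        return {name: {self.current} for name in self.rrsets}


def new_zone(rrsets) -> Zone:
    """Bring up a zone with all three roles filled."""
    return Zone(current=make_zsk(), published=make_zsk(), new=make_zsk(),
                rrsets=list(rrsets))


def prepublish_rollover(zone: Zone) -> int:
    """Apply the four rollover steps in order; return the tag of the retired ZSK."""
    retired = zone.current
    zone.obsolete.append(retired)        # 1. the Current ZSK becomes obsolete
    zone.current = zone.published        # 2. the Published ZSK becomes Current
    zone.published = zone.new            # 3. the New ZSK becomes Published
    zone.new = make_zsk()                # 4. a new New ZSK is generated
    return retired


def validates(rrsigs: dict, dnskeys: set) -> bool:
    """A resolver can validate the zone iff every RRSIG's signer is in the
    DNSKEY RRset it holds, which may be a cached copy from before the rollover."""
    return all(signers <= dnskeys for signers in rrsigs.values())


def double_signature_rrsigs(zone: Zone) -> dict:
    """For comparison: during a double-signature rollover every RRset is signed
    by both the outgoing and the incoming ZSK."""
    return {name: {zone.current, zone.published} for name in zone.rrsets}


def rrsig_count(rrsigs: dict) -> int:
    """Total number of ZSK signatures the zone carries."""
    return sum(len(signers) for signers in rrsigs.values())


def demo() -> dict:
    """Roll a zone once and report what a resolver with a stale DNSKEY cache sees."""
    zone = new_zone(["example.", "www.example.", "mail.example."])
    cached = set(zone.dnskey_rrset())    # resolver caches the DNSKEY RRset now
    prematurely_signed = {n: {zone.new} for n in zone.rrsets}  # what NOT to do
    retired = prepublish_rollover(zone)
    return {
        "retired": retired,
        "validates_with_stale_cache": validates(zone.rrsigs(), cached),
        "new_key_without_prepublish_validates": validates(prematurely_signed, cached),
        "prepublish_rrsigs": rrsig_count(zone.rrsigs()),
        "double_signature_rrsigs": rrsig_count(double_signature_rrsigs(zone)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The decisive check is `validates_with_stale_cache`: a resolver that fetched the DNSKEY RRset before the rollover still holds the Published ZSK, so the signatures the zone carries immediately after the rollover verify, whereas signing with a key that was never published fails for that resolver. The two signature counts show why the page reserves double signing for the KSK.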
Considerable record-keeping is required to manage a zone under the Pre-Publish Rollover Scheme: which key holds which role, when each was published, and when each may be retired. The DNSSEC-Tools utilities that automate ZSK rollover are described in Section 2. The actual steps taken in this rollover scheme are described in Section 3.