The DNSSEC-Tools rollover commands greatly simplify key rollover. A small amount of set-up is required, after which rollover happens automatically.
The DNSSEC-Tools rollover commands can manage rollover of multiple zones. Zone files for these domains should be gathered into a single directory.
A number of zone parameters must be selected as well. These include the key length, the number of ZSK keys to generate, and the signing algorithm. More information may be found in the man page for zonesigner. If the same parameters will be used for every zone managed on this host, they may be set as the defaults in the DNSSEC-Tools configuration file (dnssec-tools.conf). Note that the 1024-bit ZSKs used in the examples below are at the low end of what is acceptable; treat that length as an example rather than a recommendation and follow current guidance for your chosen algorithm.
Using the zonesigner command, sign each zone with the parameters chosen for that zone. The resulting files should be left in place.
If the zone has no delegations, the following example command could be used. It will generate keys for the zone example.com, where the ZSKs have a length of 1024 bits, and then sign the zone with those keys.
# zonesigner -genkeys -zsklength 1024 example.com
If the zone delegates to child zones, the following example command could be used. It will generate keys for the zone example.com, where the ZSKs have a length of 1024 bits, sign the zone with those keys, and also generate DS records for the delegated child zones.
# zonesigner -gends -genkeys -zsklength 1024 example.com
A rollrec file gives the DNSSEC-Tools rollover daemon the information it needs about the zones it manages. The rollinit command may be used to create a rollrec file for a number of zones at once, though all the zone entries will then have the same settings.
The following command will generate a rollrec file for two zones.
# rollinit -o examples.rrf example1.com example2.com
# cat examples.rrf
roll        "example1.com"
        zonefile        "example1.com.signed"
        keyrec          "example1.com.krf"
        curphase        "0"
        maxttl          "0"
        display         "1"
        phasestart      "new"

roll        "example2.com"
        zonefile        "example2.com.signed"
        keyrec          "example2.com.krf"
        curphase        "0"
        maxttl          "0"
        display         "1"
        phasestart      "new"
#
If different zones need different values, rollinit may be run once per zone and the output concatenated. The following commands will generate a rollrec file for two zones. The first rollinit command uses the default name for the signed zone file, while the second specifies a non-default name for the signed zone file.
# rollinit example1.com > examples.rrf
# rollinit -zone signed-example2.com example2.com >> examples.rrf
# cat examples.rrf
roll        "example1.com"
        zonefile        "example1.com.signed"
        keyrec          "example1.com.krf"
        curphase        "0"
        maxttl          "0"
        display         "1"
        phasestart      "new"

roll        "example2.com"
        zonefile        "signed-example2.com"
        keyrec          "example2.com.krf"
        curphase        "0"
        maxttl          "0"
        display         "1"
        phasestart      "new"
#
The DNSSEC-Tools rollover daemon is named rollerd. Using the rollrec file created in the previous step, rollerd will manage the rollover of a set of zones. This section describes how to manually start rollerd.
The following command will manually start rollerd. It is assumed that rollerd is started in the same directory that holds the rollrec file, keyrec files, zone files, and signing keys created in the previous steps. rollerd should be run as root. Because that directory also contains the zones' private keys, make sure its permissions restrict access to the account that runs rollerd.
# rollerd -dir . -logfile log-rollerd -loglevel info -rrf examples.rrf
#
See the rollerd man page for more information on rollerd's options and execution.
Arranging for automatic execution of rollerd is operating system-dependent; as such, it is beyond the scope of this document.
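Before starting rollerd it is worth confirming that the rollrec file and the working directory agree: every zonefile and keyrec the rollrec names must actually exist in that directory, and no zone should be listed twice. The following script is an added example and is not part of DNSSEC-Tools. It assumes the rollrec layout shown above (a roll line followed by indented keyword "value" lines; skip records, which rollerd leaves alone, are accepted too) and uses a constructed two-zone rollrec in a scratch directory, with one keyrec file deliberately missing, to show the check failing and then passing.

```shell
#!/bin/sh
# rollrec pre-flight check (added example; assumes the rollrec format shown
# in this document, not an official DNSSEC-Tools tool).

# Print one line per record: "<roll|skip> <zone> <zonefile> <keyrec> <curphase>".
# Fields not present in a record are printed as "-".
rollrec_records() {
    awk '
        function flush() {
            if (zone != "") printf "%s %s %s %s %s\n", type, zone, zf, kr, ph
        }
        $1 == "roll" || $1 == "skip" {
            flush()
            type = $1; zone = $2; gsub(/"/, "", zone)
            zf = "-"; kr = "-"; ph = "-"
            next
        }
        $1 == "zonefile" { zf = $2; gsub(/"/, "", zf) }
        $1 == "keyrec"   { kr = $2; gsub(/"/, "", kr) }
        $1 == "curphase" { ph = $2; gsub(/"/, "", ph) }
        END { flush() }
    ' "$1"
}

# Check a rollrec file ($1) against the directory rollerd will run in ($2).
# Reports each problem on stdout; returns 0 only if no problems were found.
rollrec_check() {
    rrf=$1; dir=$2; status=0; seen=" "
    tmp=$(mktemp)
    rollrec_records "$rrf" > "$tmp"
    while read -r type zone zf kr ph; do
        case "$seen" in
            *" $zone "*) echo "$zone: listed more than once"; status=1 ;;
        esac
        seen="$seen$zone "
        [ -f "$dir/$zf" ] || { echo "$zone: zone file $zf not found in $dir"; status=1; }
        [ -f "$dir/$kr" ] || { echo "$zone: keyrec file $kr not found in $dir"; status=1; }
        case "$ph" in
            ''|*[!0-9]*) echo "$zone: curphase \"$ph\" is not a number"; status=1 ;;
        esac
    done < "$tmp"
    rm -f "$tmp"
    return $status
}

# Constructed sample: a two-zone rollrec like the rollinit output above,
# placed in a scratch directory. example2.com's keyrec is left missing.
demo_dir=$(mktemp -d)
cat > "$demo_dir/examples.rrf" <<'EOF'
roll        "example1.com"
        zonefile        "example1.com.signed"
        keyrec          "example1.com.krf"
        curphase        "0"
        maxttl          "0"
        display         "1"
        phasestart      "new"

roll        "example2.com"
        zonefile        "signed-example2.com"
        keyrec          "example2.com.krf"
        curphase        "3"
        maxttl          "0"
        display         "1"
        phasestart      "new"
EOF
touch "$demo_dir/example1.com.signed" "$demo_dir/example1.com.krf" \
      "$demo_dir/signed-example2.com"

rollrec_records "$demo_dir/examples.rrf"
if rollrec_check "$demo_dir/examples.rrf" "$demo_dir"; then
    echo "rollrec consistent; safe to start rollerd here"
else
    echo "fix the problems above before starting rollerd"
fi
```

Run it from the directory you intend to start rollerd in, with the real rollrec file and "." as the directory argument; a non-zero exit means rollerd would be pointed at files that are not where the rollrec says they are.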
The rollerd daemon can be controlled using the rollctl command. This command has a number of options that modify rollerd's operating parameters, such as the zones being managed (by changing the rollrec file), the log level, and the log file. It may also be used to start or stop a GUI for rollerd and to halt rollerd's execution.
The following rollctl command retrieves status on each zone managed by rollerd. The zone name, roll/skip status, and rollover phase are displayed for each zone.
# rollctl -zonestatus
example1.com    roll    0
example2.com    roll    3
#
The following rollctl command starts a GUI for rollerd.
# rollctl -display
rollerd display started
#
The following rollctl command sets rollerd's logging status to only record errors and fatal problems.
# rollctl -loglevel error
rollerd log level set to error
#
The following rollctl command changes the rollrec file in use by rollerd.
# rollctl -rollrec new.rrf
rollerd now using rollrec file new.rrf
#
The following rollctl command causes rollerd to stop execution.
# rollctl -halt
rollerd shutting down
#