When using DNSSEC, your RRSIGs expire by default every 30 days.
A new signed zone file can be generated with the dnssec-signzone command.
Although the KSK and ZSK themselves don't expire, it's recommended to rotate the ZSK every 30 days and the KSK once per year.
The ZSK can be rotated without any interaction with the domain registrar, but for a KSK rotation the DS records at your registrar need to be updated.
I use the following script to perform these key rotations.
In this setup the KSKs are stored in /var/named/chroot/etc/pki/dnssec-keys and the ZSKs in /var/named/chroot/etc/pki/dnssec-keys/zkeys.
The zone files are located in /var/named/chroot/var/named. Every zone file has a serial number in 10-digit format, like 2014022301.
#!/bin/sh
# Rotate DNSSEC keys and re-sign a zone: -monthly rolls the ZSK, -yearly rolls the KSK as well.
usage() {
    echo "Usage: $0 [-monthly|-yearly] Domain"
    exit 1
}
[ -z "$1" ] && usage
[ -z "$2" ] && usage

DOMAIN=$2
KEYDIR=/var/named/chroot/etc/pki/dnssec-keys
ZONEDIR=/var/named/chroot/var/named
# 32 days expiry for each signature using the ZSK (slightly longer than the monthly cron interval)
EXPIRY=$(date --date="32 days" +%Y%m%d120001)
mkdir -p "$KEYDIR/archive"

monthly_r()
{
    cd "$ZONEDIR" || exit 1
    # The zone's serial is the first 10-digit number in the file (e.g. 2014022301)
    serial=$(egrep -o -i '[0-9]{10}' "$DOMAIN" | head -n 1)
    ns=$((serial + 1))
    mv "$DOMAIN" "$DOMAIN.bak"
    echo "$serial $ns"
    sed -e "s/$serial/$ns/" "$DOMAIN.bak" > "$DOMAIN"
    # Generate a new ZSK every month. The old ZSK is archived (withdrawn from the zone) at once;
    # RFC 6781 describes a pre-publish rollover that keeps the old key published for a TTL first.
    mv "$KEYDIR"/zkeys/K"$DOMAIN"* "$KEYDIR/archive"
    # NSEC3RSASHA1 with a 512-bit key is what this setup used; SHA-1 based algorithms and RSA keys
    # shorter than 2048 bits are no longer recommended (RSASHA256 or ECDSAP256SHA256 are used today).
    newzsk=$(/usr/sbin/dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 512 -n ZONE -K "$KEYDIR/zkeys" "$DOMAIN")
    # -S signs with the keys found in -K, -N INCREMENT bumps the serial in the signed copy,
    # -l also writes a DLV set (ISC's DLV registry was retired in 2017, so this part is historical)
    /usr/sbin/dnssec-signzone -N INCREMENT -S -l dlvset-$DOMAIN. -K "$KEYDIR" -e "$EXPIRY" "$DOMAIN" "$KEYDIR/zkeys/$newzsk"
    # Only reload named when the signed zone passes the syntax check
    named-checkzone "$DOMAIN" "$DOMAIN.signed" || exit 1
    service named reload
}

case "$1" in
    (-yearly)
        # Generate a new KSK every year (the DS records at the registrar must be updated afterwards)
        mv "$KEYDIR"/K"$DOMAIN".* "$KEYDIR/archive"
        /usr/sbin/dnssec-keygen -r /dev/urandom -f KSK -a NSEC3RSASHA1 -b 1024 -K "$KEYDIR" -n ZONE "$DOMAIN"
        monthly_r
        ;;
    (-monthly)
        monthly_r
        ;;
    (*)
        usage
        ;;
esac
This script can be executed from a monthly cronjob.
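As an added example (not from the original post) of the check a cron-driven setup like this needs: a POSIX shell script that reads the earliest RRSIG expiry out of a .signed zone file and fails when it falls within a chosen threshold, so a missed signing run is noticed before the 32-day expiry is reached. The sample zone, the path under /tmp and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: warn before the RRSIGs in a signed
# zone expire. The post re-signs monthly with a 32-day expiry, so one missed cron run
# leaves about two days before validators start failing the zone. Handles dnssec-signzone
# output: records wrapped in ( ... ) over several lines, comments, omitted owner/TTL/class.

# Print the earliest RRSIG expiration (YYYYMMDDHHMMSS) found in a signed zone file.
# Record layout: [owner] [ttl] [class] RRSIG type alg labels origttl EXPIRE inception ...
earliest_rrsig_expiry() {
    awk '
        { sub(/;.*/, "") }                                  # strip comments
        open { buf = buf " " $0; if ($0 !~ /\)/) next; $0 = buf; open = 0 }
        /\(/ && !/\)/ { buf = $0; open = 1; next }          # record continues on next line
        {
            gsub(/[()]/, " ")                               # parentheses are not fields
            for (i = 1; i < NF - 4; i++)
                if ($i == "RRSIG" && $(i+5) ~ /^[0-9]+$/ && length($(i+5)) == 14) {
                    print $(i+5); break                     # skips NSEC/NSEC3 type bitmaps
                }
        }' "$1" | sort | head -n 1
}

# Return 0 if every RRSIG in $1 is still valid after $2 (YYYYMMDDHHMMSS),
# 1 if some signature expires at or before $2, 2 if no RRSIG was found at all.
rrsig_check() {
    earliest=$(earliest_rrsig_expiry "$1")
    [ -n "$earliest" ] || { echo "$1: no RRSIG records found"; return 2; }
    echo "$1: earliest RRSIG expiry $earliest, threshold $2"
    [ "$earliest" -gt "$2" ]
}

# Constructed sample in dnssec-signzone output style (dummy signature data).
SAMPLE_ZONE=${TMPDIR:-/tmp}/example.com.signed.sample
cat > "$SAMPLE_ZONE" <<'EOF'
$TTL 3600       ; 1 hour
example.com             IN SOA  ns1.example.com. hostmaster.example.com. (
                                2014022301 ; serial
                                3600       ; refresh (1 hour)
                                )
                        RRSIG   SOA 7 2 3600 (
                                20140325120001 20140223120001 12345 example.com.
                                c29tZXNpZ25hdHVyZQ== )
www.example.com 3600    IN A    192.0.2.10
                        RRSIG   A 7 3 3600 20140327120001 20140225120001 12345 example.com. c2ln
abcd.example.com        IN NSEC3 1 0 10 C0FFEE EFGH A RRSIG
EOF
# In production: rrsig_check zone.signed "$(date --date='7 days' +%Y%m%d120001)" (GNU date as in the post)
rrsig_check "$SAMPLE_ZONE" 20140318120001; echo "status $?"   # 0: a week of headroom left
rrsig_check "$SAMPLE_ZONE" 20140325120001; echo "status $?"   # 1: expires at the threshold
```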