Dnssec key rotation

When using DNSSEC your RRSIG expiry by default every 30 days.
A new signed zone file can be generated by using the dnssec-signzone command.

Although the KSK and ZSK don't expire, it's recommended to rotate the ZSK every 30 days and the KSK once per year.
The ZSK can be rotated without interaction with the domain registrar, but for KSK rotation the DS records at your registrar needs to be updated.

I use the following script to perform these key rotations.

In this setup the KSK are stored in /var/named/chroot/etc/pki/dnssec-keys and the ZSK in /var/named/chroot/etc/pki/dnssec-keys/zkeys.
The zone files are located in /var/named/chroot/var/named. Every zone file has a serialnumber in 10 digit format, like 2014022301.

#!/bin/sh
if [ -z $1 ]; then
 echo "Usage $0 [-monthly|-yearly] Domain"
 exit 1
fi
if [ -z $2 ]; then
 echo "Usage $0 [-monthly|-yearly] Domain"
 exit 1
fi

DOMAIN=$2

KEYDIR=/var/named/chroot/etc/pki/dnssec-keys/
ZONEDIR=/var/named/chroot/var/named

#32 days expiry for each signature using ZSK
EXPIRY=`date --date="32 days" +%Y%m%d120001`
mkdir -p $KEYDIR/archive

monthly_r()
{
    cd $ZONEDIR
    serial=`egrep -o -i '[0-9]{10}' $DOMAIN`
    ns=$((serial + 1))
    mv $DOMAIN $DOMAIN.bak
    echo $serial $ns
    sed -e "s/$serial/$ns/" $DOMAIN.bak > $DOMAIN
    
    #Generate your new ZSK every month
    mv $KEYDIR/zkeys/K$DOMAIN* $KEYDIR/archive
    newzsk=`/usr/sbin/dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 512 -n ZONE -K $KEYDIR/zkeys ${DOMAIN}`

    /usr/sbin/dnssec-signzone -N INCREMENT -S -l dlvset-$DOMAIN. -K $KEYDIR -e $EXPIRY ${DOMAIN} $KEYDIR/zkeys/$newzsk
    named-checkzone $DOMAIN $DOMAIN.signed
    service named reload
}

case "$1" in
 (-yearly)
    # Generate a new KSK every year
    mv $KDIR/K$DOMAIN.* $KDIR/archive
    /usr/sbin/dnssec-keygen -r /dev/urandom -f KSK -a NSEC3RSASHA1 -b 1024 -K $KEYDIR -n ZONE ${DOMAIN}
    monthly_r
    ;;
 (-monthly)
        monthly_r
    ;;
 (*)
    echo "Usage $0 [-monthly|-yearly] Domain"
    exit 1
    ;;
esac
 

This script can be execute from a monthly cronjob.