You can configure automatic ZSK rollovers on the Grid Master by using the double-signature rollover method or the pre-publish method. For more information, see Configuring DNSSEC Parameters below. The appliance initiates the ZSK rollover of signed zones when they are due. You can also perform a manual rollover of ZSKs. For more information about rolling zone-signing keys, see Signing a Zone.
The double signature method provides a grace period, which is half of the rollover period. The default ZSK rollover period is 30 days; thus, the default grace period is 15 days.
At the end of a ZSK rollover period, the Grid Master generates a new ZSK key pair. It signs the zone with the private key of the new ZSK key pair and consequently generates new RRSIG RRs with the new signatures. However, the Grid Master also retains the old ZSK key pair and its RRSIG RRs. Thus, during the grace period, the data in the zone is signed by the private keys of both the old and new ZSKs. Their corresponding public keys (stored in DNSKEY RRs) can be used to verify both the old and new RRSIGs.
The grace period also allows data that exists in remote caches to expire, and during this time the updated zone data can propagate to all authoritative name servers. The Grid Master removes the old ZSK and its RRSIGs when the rollover grace period elapses. When a scheduled DNSSEC operation exists for a zone, the appliance does not lock the zone against other administrative changes; an administrator can still operate on the zone even if a DNSSEC operation is pending for it.
The appliance sets the pre-publish method described in RFC 4641 as the default zone-signing key rollover method for NIOS 8.6.11.0 x or later releases. In the pre-publish rollover method, the new key is published in the keyset before the actual rollover. After the key propagates to all client caches, the Grid Master removes the old signatures and creates new signatures with the new key. The pre-publish rollover method uses only the current key to sign the zone.
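To make the two timelines concrete, here is an added Python model (not Infoblox or NIOS code) that computes which ZSK key tags are published in the DNSKEY RRset and which ones have RRSIGs in the zone on a given day under each method, using the 30-day rollover period and 15-day grace period stated above. It also checks the invariant a validating resolver depends on: every RRSIG served must be verifiable with a published DNSKEY. The pre-publish lead and retention intervals are assumed values, and key tags are sequential integers rather than real DNSKEY key tags.

```python
from dataclasses import dataclass

ROLLOVER_DAYS = 30                 # default ZSK rollover period from the page
GRACE_DAYS = ROLLOVER_DAYS // 2    # double-signature grace period is half of it

@dataclass
class ZoneState:
    dnskeys: set     # key tags present in the zone's DNSKEY RRset
    rrsig_keys: set  # key tags whose RRSIGs are present in the zone

def double_signature(day, period=ROLLOVER_DAYS, grace=GRACE_DAYS):
    """Double-signature method: at each multiple of `period` a new ZSK (tag g+1)
    is generated and signs the zone; the old ZSK and its RRSIGs are kept for
    `grace` days, so both keys are published and both sign during that window."""
    g, offset = divmod(day, period)
    keys = {g + 1}
    if g > 0 and offset < grace:
        keys.add(g)                     # old key pair and its RRSIGs still retained
    return ZoneState(dnskeys=set(keys), rrsig_keys=set(keys))

def pre_publish(day, period=ROLLOVER_DAYS, lead=10, retain=10):
    """Pre-publish method (RFC 4641): the next ZSK is added to the DNSKEY RRset
    `lead` days before it starts signing, and the old ZSK stays published for
    `retain` days after its signatures are replaced. Only one key signs at a time.
    `lead` and `retain` are assumed values; the page gives no numbers for them."""
    g, offset = divmod(day, period)
    current = g + 1
    dnskeys = {current}
    if offset >= period - lead:
        dnskeys.add(current + 1)        # pre-published, not yet signing
    if g > 0 and offset < retain:
        dnskeys.add(g)                  # old key kept until caches expire
    return ZoneState(dnskeys=dnskeys, rrsig_keys={current})

def signatures_verifiable(state):
    """Invariant a validator needs: every RRSIG must match a published DNSKEY."""
    return state.rrsig_keys <= state.dnskeys

def unverifiable_days(method, days):
    """Days in range(days) on which the invariant would fail for `method`."""
    return [d for d in range(days) if not signatures_verifiable(method(d))]

def double_signed_days(days):
    """Days the zone carries two RRSIG sets under double-signature (zone size cost)."""
    return sum(1 for d in range(days) if len(double_signature(d).rrsig_keys) == 2)

if __name__ == "__main__":
    for d in (0, 20, 30, 40, 45):
        print(d, double_signature(d), pre_publish(d))
    print("double-signed days over 120:", double_signed_days(120))
```

Both methods keep the invariant on every day, but they pay for it differently: double-signature doubles the RRSIG set for the whole grace period, while pre-publish only ever carries one set of signatures and instead widens the DNSKEY RRset around each rollover.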