...

You can configure automatic ZSK rollovers on the Grid Master by using either the double-signature rollover method or the pre-publish method. For more information, see Configuring DNSSEC Parameters below. The appliance initiates the ZSK rollover of signed zones when they are due. You can also roll over ZSKs manually. For more information about rolling zone-signing keys, see Signing a Zone.
The double-signature method provides a grace period equal to half of the rollover period. The default ZSK rollover period is 30 days, so the default grace period is 15 days.
At the end of a ZSK rollover period, the Grid Master generates a new ZSK key pair. It signs the zone with the private key of the new pair, which produces new RRSIG RRs with the new signatures. However, the Grid Master also retains the old ZSK key pair and its RRSIG RRs. Thus, during the grace period, the zone data is signed by the private keys of both the old and new ZSKs, and their corresponding public keys (stored in DNSSEC RRs) can be used to verify both the old and new RRSIGs.
The grace period also allows data in remote caches to expire and gives the updated zone data time to propagate to all authoritative name servers. The Grid Master removes the old ZSK and its RRSIGs when the grace period elapses. A scheduled DNSSEC operation does not lock the zone against other administrative changes; an administrator can still operate on a zone even if a DNSSEC operation is pending for it.
For NIOS 6.11.0 and later releases, the appliance uses the pre-publish method described in RFC 4641 as the default ZSK rollover method. In the pre-publish method, the new key is published in the keyset before the actual rollover. After the key has propagated to all client caches, the Grid Master removes the old signatures and creates new signatures with the new key. The pre-publish method signs the zone with only the current key.
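The following is an added example, not Infoblox code: a small model of the double-signature ZSK rollover timeline as described above, using the page's defaults (30-day rollover interval, 15-day grace period, 4-day signature validity). The generation numbering, day counting and the max_ttl_days planning check are assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed defaults taken from the page's documented values.
ROLLOVER_DAYS = 30      # default ZSK rollover interval
SIG_VALIDITY_DAYS = 4   # default RRSIG signature validity


@dataclass(frozen=True)
class ZskState:
    published: tuple   # ZSK generations present in the zone's DNSKEY RRset
    signing: tuple     # generations whose RRSIGs are present in the zone


def double_signature_state(day, rollover_days=ROLLOVER_DAYS):
    """Return which ZSK generations exist on a given day (day 0 = first signing).

    At the end of each rollover period a new generation is created and signs
    the zone alongside the old one; the old key and its RRSIGs are removed once
    the grace period (half the rollover period) has elapsed."""
    grace_days = rollover_days // 2
    gen = day // rollover_days            # newest generation created so far
    since_new = day - gen * rollover_days  # days since that generation appeared
    if gen > 0 and since_new < grace_days:
        return ZskState(published=(gen - 1, gen), signing=(gen - 1, gen))
    return ZskState(published=(gen,), signing=(gen,))


def timeline(days, rollover_days=ROLLOVER_DAYS):
    """List the (day, state) transitions over a span of days. Comparing this
    against what the DNSKEY and RRSIG RRsets actually contain is a cheap way
    to confirm a rollover is progressing as configured."""
    out, prev = [], None
    for d in range(days + 1):
        st = double_signature_state(d, rollover_days)
        if st != prev:
            out.append((d, st))
            prev = st
    return out


def grace_covers_caches(rollover_days=ROLLOVER_DAYS,
                        sig_validity_days=SIG_VALIDITY_DAYS, max_ttl_days=1):
    """Planning check (an assumption, not a rule stated on the page): the grace
    period should be at least the signature validity plus the longest TTL, so
    RRSIGs made with the old ZSK have left every cache before the key is removed."""
    return rollover_days // 2 >= sig_validity_days + max_ttl_days
```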

...

  1. Grid: On the Data Management tab, select the DNS tab. Expand the Toolbar and click Grid DNS Properties.
    Zone: On the Data Management tab, select the DNS tab -> Zones tab -> zone checkbox, and then click the Edit icon. Click Override to override the parameters.
    Standalone appliance: On the Data Management tab, select the DNS tab. Expand the Toolbar and click System DNS Properties.

  2. In the editor, click Toggle Advanced Mode.

  3. When the additional tabs appear, click DNSSEC.

  4. On the DNSSEC tab, click the Basic tab and complete the following:

    • Resource Record Type for Nonexistent Proof: Select the resource record type (NSEC or NSEC3) to use for proving that a name does not exist. The default is NSEC3. The algorithms used by the KSK and ZSK can generate the same type of NSEC record. Note that a zone cannot contain both NSEC and NSEC3 resource records.

    • Key-signing Key: Click the Add icon to add the cryptographic algorithm that the Grid Master or HSM uses when it generates the KSK. You can add multiple algorithms, but you cannot add the same algorithm more than once. Grid Manager adds a row to the table each time you click the Add icon. Select the row and the algorithm from the drop-down list and enter the key size for the algorithm. The default is RSA/SHA1 with a key size of 2048.
      The valid values for each algorithm are:
      • RSA/SHA1: The minimum is 512 bits, the maximum is 4096 bits, and the default is 2048 bits.
      • RSA/SHA-256: The minimum is 512 bits, the maximum is 4096 bits, and the default is 2048 bits.
      • RSA/SHA-512: The minimum is 1024 bits, the maximum is 4096 bits, and the default is 2048 bits.
      • ECDSAP/SHA-256: The minimum is 160 bits, the maximum is 256 bits.
      • ECDSAP/SHA-384: The minimum is 160 bits, the maximum is 384 bits.
      You can delete an algorithm by selecting it and clicking the Delete icon.

    • Key-signing Key Rollover Interval: Specify the key-signing key rollover interval for all the algorithms. The minimum value is one day and the maximum is the time remaining until January 2038. The default is one year.

    • Zone-signing Key: Click the Add icon to add the cryptographic algorithm that the Grid Master or HSM uses when it generates the ZSK. You can add multiple algorithms, but you cannot add the same algorithm more than once. Grid Manager adds a row to the table each time you click the Add icon. Select the row and the algorithm from the drop-down list and enter the key size for the algorithm. The default is RSA/SHA1 with a key size of 1024.
      The valid values for each algorithm are:
      • RSA/SHA1: The minimum is 512 bits, the maximum is 4096 bits, and the default is 1024 bits.
      • RSA/SHA-256: The minimum is 512 bits, the maximum is 4096 bits, and the default is 1024 bits.
      • RSA/SHA-512: The minimum is 1024 bits, the maximum is 4096 bits, and the default is 1024 bits.
      • ECDSAP/SHA-256: The minimum is 160 bits, the maximum is 256 bits.
      • ECDSAP/SHA-384: The minimum is 160 bits, the maximum is 384 bits.
      You can delete an algorithm by selecting it and clicking the Delete icon.

    • Zone-signing Key Rollover Interval: Specify the zone-signing key rollover interval for all the algorithms. The minimum value is one day and the maximum is the time remaining until January 2038. The default is 30 days.

    • Signature Validity: Specify the signature validity period for RRSIG RRs. The minimum is one day and the maximum is 3660 days. The default signature validity interval is four days.

    • Zone-signing Key rollover method: You can use either of these methods to sign all the RRsets in a zone:

      1. Pre-publish: Select this to use the pre-publish signature scheme to sign all the RRsets in a zone during the ZSK rollover. With this option, the RRsets are signed with a single key. This is the default zone-signing key rollover method for NIOS 6.11.0 and later releases.

      2. Double Sign: Select this to use the double-signature scheme to sign all the RRsets in a zone during the ZSK rollover. The non-DNSKEY RRsets are signed twice, which increases the size of the zone files.

        Note that you can select the Zone-signing Key rollover method only after you enable DNSSEC.

  5. Save the configuration and click Restart if it appears at the top of the screen.

...