In theory a variety of key rollover mechanisms are possible and are described in detail in: http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-02
A summary is given below:
|ZSK Method||KSK Method||Description|
Publish DNSKEY before the RRSIG
Publish DNSKEY and RRSIG at the same time. For a KSK, this happens before the DS is published
Publish RRSIG before the DNSKEY
Publish DS before DNSKEY
Publish DNSKEY and DS in parallel.
OpenDNSSEC currently supports the following mechanisms:
Future versions of OpenDNSSEC will support additional mechanisms.