NSEC to NSEC3 rollover
The NSEC to NSEC3 rollover is described in RFC 6781: http://tools.ietf.org/html/rfc6781#section-4.1.4.4
During the transition both the NSEC and the NSEC3 chain exist in the zone at the same time, while the NSEC3PARAM record is not necessarily present yet.
For algorithms that use the same algorithm number for NSEC and NSEC3, it is easy:
- Add the NSEC3 chain.
- Add NSEC3PARAM to the zone.
- After all remote caches expire, remove the old NSEC chain.
For algorithms that use different algorithm numbers for NSEC and NSEC3, it is more complicated (an algorithm rollover is performed at the same time):
- Set up an NSEC3-capable DNSKEY.
- Create the NSEC3 chain and re-sign the zone with the new key, but do not add the new DNSKEY to the zone yet.
- After remote caches expire, add the new DNSKEY and remove the old one.
- After remote caches expire, remove the old DNSKEY, the NSEC chain and the old signatures, and add NSEC3PARAM.
Hopefully I wrote it right. Feel free to correct me.
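As an added illustration (not part of the note above), here is a small checker that models a snapshot of the zone at each stage of the "different algorithm numbers" procedure and reports states that break the DNSSEC rules the step ordering protects. The ZoneState model, the RRset labels and the sample stages (RSASHA1 = 5 moving to RSASHA256 = 8) are constructed for this example.

```python
# Added example: a rollover state checker. Names and sample states are constructed.
from dataclasses import dataclass

# Algorithms that may sign an NSEC3 zone: 6/7 from RFC 5155, plus later NSEC3-aware ones.
NSEC3_CAPABLE = {6, 7, 8, 10, 12, 13, 14, 15, 16}


@dataclass
class ZoneState:
    dnskey_algs: frozenset   # algorithm numbers present in the apex DNSKEY RRset
    rrsig_algs: dict         # RRset label -> set of algorithms that have an RRSIG over it
    nsec3param: bool = False # NSEC3PARAM published at the apex


def rollover_violations(z: ZoneState) -> list:
    """Return human-readable rule violations for one snapshot of the zone."""
    problems = []
    # RFC 4035 s2.2: every algorithm in the DNSKEY RRset must sign every RRset.
    # This is why the new key signs the zone before its DNSKEY is added.
    for label, algs in z.rrsig_algs.items():
        missing = set(z.dnskey_algs) - set(algs)
        if missing:
            problems.append(f"{label}: no RRSIG for DNSKEY algorithm(s) {sorted(missing)}")
    # The zone must keep a denial-of-existence chain at all times.
    if "NSEC" not in z.rrsig_algs and "NSEC3" not in z.rrsig_algs:
        problems.append("no NSEC or NSEC3 chain present")
    # NSEC3PARAM signals that the NSEC3 chain is usable, so it must come last.
    if z.nsec3param and "NSEC3" not in z.rrsig_algs:
        problems.append("NSEC3PARAM published but no NSEC3 chain")
    # An NSEC3 chain is only useful if an NSEC3-aware algorithm signs it.
    if "NSEC3" in z.rrsig_algs and not set(z.rrsig_algs["NSEC3"]) & NSEC3_CAPABLE:
        problems.append("NSEC3 chain has no RRSIG from an NSEC3-capable algorithm")
    return problems


def signed(algs, *labels):
    """Constructed helper: every listed RRset carries RRSIGs from exactly `algs`."""
    return {label: set(algs) for label in labels}


# Snapshots after steps 2, 3 and 4 of the procedure above (RSASHA1 = 5 -> RSASHA256 = 8).
STAGES = [
    # step 2: NSEC3 chain added, zone signed by old and new key, new DNSKEY not yet in the zone
    ZoneState(frozenset({5}), signed({5, 8}, "SOA", "A", "NSEC", "NSEC3")),
    # step 3: new DNSKEY added, old DNSKEY removed, old signatures still present
    ZoneState(frozenset({8}), signed({5, 8}, "SOA", "A", "NSEC", "NSEC3")),
    # step 4: NSEC chain and old signatures gone, NSEC3PARAM published
    ZoneState(frozenset({8}), signed({8}, "SOA", "A", "NSEC3"), nsec3param=True),
]

# Wrong order: adding the new DNSKEY before re-signing violates RFC 4035 s2.2 on every RRset.
PREMATURE_DNSKEY = ZoneState(frozenset({5, 8}), signed({5}, "SOA", "A", "NSEC"))
```

Running rollover_violations over STAGES returns an empty list for each stage, while PREMATURE_DNSKEY yields one violation per RRset.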