If your signatures expire, you will have to re-sign the zone and load the new signed file. You will also have to re-sign the zone whenever you change it (add, modify or remove a record) in the zone file. In any case, it is highly recommended to regenerate the KSK at least every year and the ZSK every three months.
After setting up DNSSEC, the next step is to provide our zone's DS (Delegation Signer) record to our parent zone, provided the parent is also using DNSSEC. We can use the following command for this purpose, passing the ZSK file as its argument.
[root@dns test.local]# dnssec-dsfromkey Ktest.local.+005+05775.key
test.local. IN DS 5775 5 1 01FC6E8961D76D6438CAC77260EFF2E28AC0EFB0
test.local. IN DS 5775 5 2 175D8A898137886AADE03886FD69F9EA0D3EF1230B803AAB7EF23F9B 409079E1
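To see what the two DS lines above actually contain, here is an added example (not from the page or from BIND) that rebuilds them from a K*.key file: it computes the RFC 4034 key tag and the SHA-1/SHA-256 digests over the owner name plus the DNSKEY RDATA. The key file embedded below is constructed, with a made-up 4-byte public key, so its tag is not the page's 5775.

```python
import base64
import hashlib

# DS digest types (RFC 4034 section 5 and RFC 4509): 1 = SHA-1, 2 = SHA-256,
# the two lines dnssec-dsfromkey prints by default.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def key_tag(rdata):
    """Key tag of a DNSKEY RDATA, RFC 4034 appendix B (a hint, not a unique id)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_key_file(text):
    """Return (owner, flags, protocol, algorithm, public key bytes) from a K*.key file."""
    for line in text.splitlines():
        fields = line.split(";")[0].split()        # drop BIND's ';' comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")                   # owner [ttl] IN DNSKEY flags proto alg key...
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        return fields[0], flags, proto, alg, pubkey
    raise ValueError("no DNSKEY record in key file")

def ds_records(key_file_text):
    """DS lines, in dnssec-dsfromkey's output format, for the key in the file."""
    owner, flags, proto, alg, pubkey = parse_key_file(key_file_text)
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    tag = key_tag(rdata)
    # The digest only covers this one key: in a KSK/ZSK split, the parent should
    # publish the DS of the key that signs the DNSKEY RRset.
    return [f"{owner} IN DS {tag} {alg} {dtype} "
            f"{h(name_to_wire(owner) + rdata).hexdigest().upper()}"
            for dtype, h in DIGEST_ALGS.items()]

# Constructed stand-in for Ktest.local.+005+05775.key; "AQIDBA==" is the bytes
# 01 02 03 04, not a real RSA key, which gives key tag 2059.
SAMPLE_KEY_FILE = """; This is a zone-signing key, keyid 2059, for test.local.
test.local. IN DNSKEY 256 3 5 AQIDBA==
"""

if __name__ == "__main__":
    for line in ds_records(SAMPLE_KEY_FILE):
        print(line)
```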
Let's move on and use another CentOS 6.2 client to check the DNSSEC configuration. This new computer will use the server we have just set up as its primary DNS server, and it will request the DNSSEC records (+dnssec) in its query.
[root@localhost ~]# yum install bind-utils
[root@localhost ~]# dig @dns.test.local test.local +dnssec
...
;; AUTHORITY SECTION:
test.local.   86400  IN  SOA    dns.test.local. admin.test.local. 1 21600 3600 604800 86400
test.local.   86400  IN  RRSIG  SOA 5 2 86400 20120410195007 20120311195007 5775 test.local. KozjX5R/1gTw4Q4xYzVnkpOnyRwviJVbqrrWzH95qwuWVSaMqOrlchvn giTYs94B1esCdD1xHouPkqIQ+BmIin5OEd3+G0038b1GGv7QY7ylzJr5 LO+TFF6M7toZLAmTMrQigYvV/1IDVvqxKvI1zjJahU49e6Sl+Hyfl85B vCE=
test.local.   86400  IN  NSEC   dns.test.local. NS SOA RRSIG NSEC DNSKEY
test.local.   86400  IN  RRSIG  NSEC 5 2 86400 20120410195007 20120311195007 5775 test.local. Fxo9aBIpTgd52p+sEseqA7CWPLmRLhCzv2d4gZhdgbvk+whoSOpu6ZMf GotfqkocX6+nafHeFBJvknJY0R25yiYP75nSaZoxAdDnBWv7VgE0Ywzi lges8wZyGX0VUMVTUWrvJYdZr+aThJqE0Shf4TuVKjhQqlwxsio+YXeS WhU=
...
As shown above, each record set now comes with its corresponding RRSIG (Resource Record Signature).
Finally, here is a quick way to check whether the DNS server we are using validates DNSSEC. Perform a DNS lookup for the name www.dnssec-failed.org: if you get a "not found" error as shown below, you are using a DNSSEC-validating DNS server.
[root@localhost ~]# host www.dnssec-failed.org
Host www.dnssec-failed.org not found: 3(NXDOMAIN)