Rolling Over a Key-Signing Key (KSK)
DNSSEC key-signing keys (KSKs) require annual rollover and key promotion.
Use the zone stage DNSSEC key version command o stage a new key:
oci dns zone stage-dnssec-key-version --zone-name-or-id zone_name or zone_OCID --predecessor-dnssec-key-version-uuid previous-key-ID ... [OPTIONS]
Use the zone promote DNSSEC key version command to promote the staged key:
oci dns zone promote-dnssec-key-version --zone-name-or-id zone_name or zone_OCID --dnssec-key-version-uuid key-ID ... [OPTIONS]
For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.
Run the stageDnssecKeyVersion operation to stage a new key. Run the promoteDnssecKeyVersion to promote the staged key.