Overall objective: We have a DNS server running on Red Hat 6 running BIND 9, and have a "dnssec-keyrotation" script that runs via cron that rotates all the KSKs yearly and ZSKs every 12 weeks and signs with dnssec-keygen. The problem is I don't have much Perl experience and have to manage this script now, so I'm hoping for someone to provide better understanding by commenting the script, and resolving a couple of things noted in the details below.
More specifically: In the past year the timing seems to be off somehow, as the script ran and generated new keys a couple of times, and we had to send the new "dsset-$NewKey" files to our upstream DNS admins, and I'm having a hard time diagnosing the script. Now our upstream parent DNS folks are saying the signature expired on one of our zones, so we need to "re-sign". I assume now I need to run the dnssec-keyrotation script, but I do not want to re-sign and generate keys for *all* of our zones, just for this one zone.
So again, I'm hoping for someone with DNSSEC and Perl experience to help me with the issue and be able to document the script and provide some understanding of how it works. I'm attaching the script; I only commented out the names of our zones at the bottom of the script. Thank you.