Administration of a DNSSEC signed zone is more complex than that of an unsigned zone. Zone maintenance in the non-DNSSEC environment simply involves changing records as required and updating the serial number of the zone with each change. In many networks this is an automated process. However, in the DNSSEC environment this action alone would result in the invalidation of the zone data. Therefore, in addition to updating records and serial numbers the zone itself must be resigned. Care must be taken to keep keys and signatures current and not let signatures expire. If the zone is compromised either by malicious intent or neglect, the Zone Data Administrator must take actions to restore the zone’s place in the DNSSEC authentication chain.