by cyberax 1123 days ago
DNSSEC designers screwed up by making rollovers atomic. Instead, they should have allowed the responses to be signed by two keys, and a way to specify as a hint which key should be used, so that the zone owner could gather feedback on the rollover safety.
2 comments

No, DNSSEC does allow for multiple signatures. You can use tools like dnsviz.net to see which key is valid from upstream (if you don’t know how to do it manually).
You can and should sign by multiple keys before/during a rollover. That's exactly how it's supposed to work. The client is to check all of them, and accept any valid chain.
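The rule the two replies describe (publish one RRSIG per active key during a rollover; a validator tries every signature against the DNSKEYs it trusts and accepts the RRset if any one verifies) is small enough to model directly. The Go below is an added illustration, not code from the thread or from any DNSSEC implementation: it is a constructed toy that uses Ed25519 key pairs and bare numeric key tags in place of real DNSKEY and RRSIG records (owner names, algorithms, flags and validity windows are left out), with the `Key`, `Sig`, `SignedRRset`, `Sign` and `Validate` names chosen here. It also shows the failure the top comment worries about: a zone that switches signatures atomically to the new key breaks every resolver that still only trusts the old one, whereas a double-signed zone validates for both.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Key is a toy stand-in for a DNSKEY record: a numeric key tag plus the public key.
// Constructed model only; real records carry owner name, algorithm, flags and validity windows.
type Key struct {
	Tag int
	Pub ed25519.PublicKey
}

// Sig is a toy stand-in for one RRSIG: the tag of the key that made it and the signature bytes.
type Sig struct {
	KeyTag int
	Sig    []byte
}

// SignedRRset is the RRset data together with every RRSIG published alongside it.
// During a double-signature rollover it holds one RRSIG per active key.
type SignedRRset struct {
	Data []byte
	Sigs []Sig
}

// ZoneKey is the signing side held by the zone operator.
type ZoneKey struct {
	Key  Key
	Priv ed25519.PrivateKey
}

// NewZoneKey generates a fresh Ed25519 key pair filed under the given key tag.
func NewZoneKey(tag int) (ZoneKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ZoneKey{}, err
	}
	return ZoneKey{Key: Key{Tag: tag, Pub: pub}, Priv: priv}, nil
}

// Sign produces one RRSIG per supplied zone key. Passing both the outgoing and the
// incoming key is the double-signature rollover the replies describe.
func Sign(data []byte, keys ...ZoneKey) SignedRRset {
	rr := SignedRRset{Data: data}
	for _, k := range keys {
		rr.Sigs = append(rr.Sigs, Sig{KeyTag: k.Key.Tag, Sig: ed25519.Sign(k.Priv, data)})
	}
	return rr
}

// Validate applies the resolver rule from the thread: each RRSIG is tried against every
// trusted DNSKEY whose tag matches, and the RRset is accepted as soon as one verifies.
// Key tags are not unique in real DNSSEC, so every tag match is tried, not just the first.
func Validate(rr SignedRRset, trusted []Key) bool {
	for _, s := range rr.Sigs {
		for _, k := range trusted {
			if k.Tag != s.KeyTag {
				continue
			}
			if ed25519.Verify(k.Pub, rr.Data, s.Sig) {
				return true
			}
		}
	}
	return false
}

func main() {
	oldKey, err := NewZoneKey(1001)
	if err != nil {
		panic(err)
	}
	newKey, err := NewZoneKey(2002)
	if err != nil {
		panic(err)
	}
	// Constructed sample RRset; any byte string works as the signed data here.
	data := []byte("www.example. 3600 IN A 192.0.2.1")

	both := Sign(data, oldKey, newKey)
	fmt.Println("double-signed, resolver trusts old key only:", Validate(both, []Key{oldKey.Key}))
	fmt.Println("double-signed, resolver trusts new key only:", Validate(both, []Key{newKey.Key}))

	onlyNew := Sign(data, newKey)
	fmt.Println("atomic cutover, resolver still trusts old key only:", Validate(onlyNew, []Key{oldKey.Key}))
}
```

Running it prints `true`, `true`, `false`: the double-signed RRset is accepted by resolvers on either side of the rollover, while the atomically cut-over one fails for anyone still holding only the old key, which is why operators keep both RRSIGs published until the old key has aged out of caches. Checking every tag match rather than stopping at the first is the detail a real validator must get right, since two unrelated keys can share a tag.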