by silisili 1117 days ago
I've been out of the business for seven years, and don't have much anymore as I've switched jobs a few times.

It was mainly around process and timings. Bind9 has a pretty good guide on it. The easy option is to just add the new key, let everything sign, then later (after at least a TTL period, probably longer to be safe) remove the old.

The other way, which we did, is to publish keys before you use them, then retain the old key after the signing key swap, for a TTL period each. That keeps the zone size small.

Lastly, don't roll a KSK and ZSK at the same time. It's doable, but not worth the dance in any situation.

That said, if you have any specific questions, I'm happy to help.
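As an added illustration of the timing rules in the comment above (example code, not from the commenter or from BIND): a small Python model of the pre-publish ZSK rollover, which plans the three steps from the TTLs and flags a timeline that cuts either wait short. The inputs `dnskey_ttl`, `max_zone_ttl` and `propagation` are assumed values for the zone, not anything stated in the comment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Rollover:
    publish: datetime   # new DNSKEY appears in the zone but does not sign yet
    activate: datetime  # new key starts signing, old key stops signing
    retire: datetime    # old DNSKEY removed from the zone


def plan_prepublish(start, dnskey_ttl, max_zone_ttl, propagation):
    """Pre-publish ZSK rollover: each step waits out the TTL that matters.

    dnskey_ttl:   TTL of the DNSKEY RRset (how long a cache may lack the new key)
    max_zone_ttl: largest TTL of any signed RRset (how long old RRSIGs linger)
    propagation:  assumed time for all authoritative servers to load the zone
    """
    activate = start + propagation + dnskey_ttl       # every cache can have new key
    retire = activate + propagation + max_zone_ttl    # every old RRSIG has expired
    return Rollover(start, activate, retire)


def check_prepublish(r, dnskey_ttl, max_zone_ttl, propagation):
    """Return the problems in a proposed timeline (empty list means safe)."""
    problems = []
    if r.activate - r.publish < propagation + dnskey_ttl:
        problems.append("activate too early: a cache may hold a DNSKEY RRset "
                        "without the new key while receiving its RRSIGs")
    if r.retire - r.activate < propagation + max_zone_ttl:
        problems.append("retire too early: a cache may hold RRSIGs made by "
                        "the old key after its DNSKEY is gone")
    return problems


if __name__ == "__main__":
    # Constructed sample zone: 1h DNSKEY TTL, 1d maximum zone TTL, 10 min propagation.
    ttl_key, ttl_zone, prop = timedelta(hours=1), timedelta(days=1), timedelta(minutes=10)
    plan = plan_prepublish(datetime(2024, 1, 1), ttl_key, ttl_zone, prop)
    print(plan, check_prepublish(plan, ttl_key, ttl_zone, prop))
```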