Deploying DNSSEC.

Even though I co-authored RFC 4641, laying out how you should run DNSSEC, I think in retrospect that BCP is way too complex; ah, the sin of youth.

You should (if you want to run DNSSEC) run with a single key, a combined signing key (CSK) that acts as both KSK and ZSK, and never roll your keys. This is what CoreDNS’ sign plugin implements and what I use.
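What a single CSK looks like on the wire, as an added example that is not code from this post or from CoreDNS: one P-256 DNSKEY with flags 257 (Zone Key plus Secure Entry Point), the DS record the parent publishes derived from that one record, and the same key signing both the DNSKEY RRset and an ordinary data RRset, with each signature checked against the single public key. The zone name, the two A records and the validity window are constructed for the example; the code uses only the Go standard library and follows the canonical forms of RFC 4034 and the r||s signature encoding of RFC 6605.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
	"sort"
	"strings"
)

// A CSK sets both DNSKEY flag bits of RFC 4034 2.1.1, Zone Key (256) and Secure Entry
// Point (1): the parent's DS names this one record and it signs every RRset in the zone.
const flagZoneKey, flagSEP, algECDSAP256SHA256, typeA, typeDNSKEY = 256, 1, 13, 1, 48

type rr struct{ Name string; Type uint16; TTL uint32; Rdata []byte }

func be16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }
func be32(b []byte, v uint32) []byte { return append(b, byte(v>>24), byte(v>>16), byte(v>>8), byte(v)) }

// wireName returns the canonical (lower-case, uncompressed) wire form of a domain name.
func wireName(name string) []byte {
	var b []byte
	for _, l := range strings.FieldsFunc(strings.ToLower(name), func(r rune) bool { return r == '.' }) {
		b = append(append(b, byte(len(l))), l...)
	}
	return append(b, 0)
}

// dnskeyRdata builds flags | protocol 3 | algorithm | public key (X||Y, 64 bytes for alg 13).
func dnskeyRdata(pub *ecdsa.PublicKey, flags uint16) []byte {
	rd := append(be16(nil, flags), 3, algECDSAP256SHA256)
	return append(append(rd, pub.X.FillBytes(make([]byte, 32))...), pub.Y.FillBytes(make([]byte, 32))...)
}

// keyTag is RFC 4034 Appendix B over the DNSKEY RDATA.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		ac += uint32(b) << (8 * uint(1-i%2)) // even offsets are the high octet
	}
	return uint16((ac + ac>>16) & 0xFFFF)
}

// dsDigest is what the parent publishes for digest type 2: SHA-256(owner || DNSKEY RDATA).
func dsDigest(owner string, rdata []byte) []byte {
	h := sha256.Sum256(append(wireName(owner), rdata...))
	return h[:]
}

// rrsetWire puts an RRset in canonical form and order (RFC 4034 section 6).
func rrsetWire(set []rr) []byte {
	s := append([]rr(nil), set...)
	sort.Slice(s, func(i, j int) bool { return bytes.Compare(s[i].Rdata, s[j].Rdata) < 0 })
	var w []byte
	for _, r := range s {
		w = be16(be16(append(w, wireName(r.Name)...), r.Type), 1) // class IN
		w = append(be16(be32(w, r.TTL), uint16(len(r.Rdata))), r.Rdata...)
	}
	return w
}

// rrsigPreamble is the RRSIG RDATA without its signature field (RFC 4034 3.1.8.1).
func rrsigPreamble(set []rr, tag uint16, signer string, incep, expir uint32) []byte {
	labels := byte(strings.Count(strings.TrimSuffix(set[0].Name, "."), ".") + 1)
	p := append(be16(nil, set[0].Type), algECDSAP256SHA256, labels)
	return append(be16(be32(be32(be32(p, set[0].TTL), expir), incep), tag), wireName(signer)...)
}

func rrsetHash(pre []byte, set []rr) []byte {
	h := sha256.Sum256(append(append([]byte(nil), pre...), rrsetWire(set)...))
	return h[:]
}

// signRRset returns the 64-byte r||s signature alg 13 carries in the RRSIG (RFC 6605 section 4).
func signRRset(priv *ecdsa.PrivateKey, set []rr, pre []byte) ([]byte, error) {
	r, s, err := ecdsa.Sign(rand.Reader, priv, rrsetHash(pre, set))
	if err != nil {
		return nil, err
	}
	return append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...), nil
}

func verifyRRset(pub *ecdsa.PublicKey, set []rr, pre, sig []byte) bool {
	return len(sig) == 64 && ecdsa.Verify(pub, rrsetHash(pre, set),
		new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// signZoneWithCSK generates one P-256 key, publishes it as the zone's only DNSKEY (flags 257),
// derives the DS the parent would publish, and signs both the DNSKEY RRset and a constructed
// A RRset with that same key, checking each signature against the single public key.
func signZoneWithCSK(zone string) (ds []byte, tag uint16, ok bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, 0, false, err
	}
	rdata := dnskeyRdata(&priv.PublicKey, flagZoneKey|flagSEP)
	tag, ds = keyTag(rdata), dsDigest(zone, rdata)
	dnskeys := []rr{{zone, typeDNSKEY, 3600, rdata}}
	www := []rr{{"www." + zone, typeA, 300, []byte{192, 0, 2, 2}}, {"www." + zone, typeA, 300, []byte{192, 0, 2, 1}}} // constructed data
	const incep, expir = 1700000000, 1700000000 + 14*86400                                                          // constructed validity window
	for _, set := range [][]rr{dnskeys, www} {
		pre := rrsigPreamble(set, tag, zone, incep, expir)
		sig, err := signRRset(priv, set, pre)
		if err != nil || !verifyRRset(&priv.PublicKey, set, pre, sig) {
			return ds, tag, false, err
		}
	}
	return ds, tag, true, nil
}
```

`signZoneWithCSK("example.org.")` returns the DS digest and key tag you would hand to the parent (the record reads `example.org. IN DS <tag> 13 2 <hex digest>`) and reports that both RRSIGs verify. With one key there is exactly one DNSKEY for validators to fetch and exactly one DS at the parent, which is why not rolling it removes the whole pre-publish/DS-swap/retire choreography rather than just shortening it.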

Also see this Mastodon post.