Struggling with dnssec-policy timers

[vom513]

Thanks for the reply and info…

I would have thought the CDS would be published before the key went active.  I.e. there would be a period of TWO DS’es at the parent (I’m assuming the parent supports CDS/CDNSKEY which mine (registrar) does).

Since the new key goes active, CDS is published, and the old key is retired at the same time - isn’t this going to cause a (lack of coverage/chain of trust) problem ?  I’m really trying to get to a point of a “one command” rollover.  I.e. no API, no uploading DS, etc.  I guess I’ll see tonight when it happens, but I can’t help but feel when the clock strikes I’m going to be missing DS for the new key at the parent.