[knot-dns-users] expiring/renewing dnssec keys

Hi, We're new in the dnssec field, and we hope we understand the basics, also thanks to the much appreciated help received through this list and through searching it's archives, thanks again! We would like to ask two more short questions, but first a we will explain how we currently understand things. Our dns domain is sub.company.com, and we will activate DNSSEC somewhere next week, by doing: - enable dnssec for the zone / reverse zone in knot.conf - restart knot - display the generated dnssec keys, using: (plus the reverse) - send the outputs of the above to the admins at company.com - after they have entered the keys in their dns, the world can check & verify our dnssec, and things are operational. - verify everything at https://dnssec-analyzer.verisignlabs.com/ Now the two questions. We have set in knot.conf: zsk-lifetime: 30d ksk-lifetime: 365d We understand that with the above config, monthly zsk key rollovers happen automatically "inside" knot, but the yearly rollover (ksk) needs to be manually propagated by us to the parent dns. (through for example secured email to the admins at company.com) Question one: Is there some kind of notification mechanism in knot, that reminds us (through email for example) that a ksk is about to expire, and keys need to be renewed at company.com dns? I cannot find such a function. Does it not exist? Or do we misunderstand something? It seems to be so vital. Question two: How unreasonable/insecure would it be to take a longer ksk lifetime than one year, let's say 10 years. With the idea that we can always manually renew keys earlier, in case we need to. Feedback on the above is welcome. We have scheduled a maintenance moment next week with the admins on company.com to send them the keys and activate dnssec. Thanks in advance for any feedback/pointers you can provide. Best regards, MJ