We occasionally need to regenerate the DNSSEC signing keys - usually ZSK (zone), rarely KSK (key). A rollover process is required but needs to be fleshed out into a formal runbook-type process, including notes about what we learned while fixing bug 872831.
MarkMonitor change limits, rollover process requirements, how to validate published data, incomprehensible errors from dnssec-signzone, key expiration monitoring
key type validation (type 7), Comcast testing
We now use an external DNS provider and no longer have the need to maintain our own DNSSEC keys.