[knot-dns-users] Is it safe to alter dnssec-policy for a zone?

I have a zone for which I'd like to ensure an admin cannot mistakenly kick off a KSK rollover, so I am considering setting configuring its dnssec-policy to one with `manual: on' which prevents even a `knotc zone-key-rollover' on it. I have experimented with switching `manual: on' to `manual: off', and the idea seems to work. I have also apparently successfully been able to alter `ksk-lifetime', and have not noticed anything going wrong. Based on this, I wish to know if it is considered safe to alter many (all?) of a policy's settings, as long as neither algorithm nor key sizes are changed, and whether it is safe to alter the policy itself (i.e. also change a policy name for a zone). ksk-lifetime, delays, rrsig-lifetimes, ksk-submission, etc.: can all these be changed without breaking signing of a zone? Thank you & regards, -JP