[knot-dns-users] manual KSK and automatic ZSK rollovers

Hello, I'd like to be able to do automatic ZSK and manual KSK rollovers. Basically the KSK should have an endless validity but I might want to roll it with (manually-trigerred) RFC 5011 semantics. It it permissible to have a policy such as shown below and then explicitly use `keymgr' commands to generate new keys and set `revoke', `retire' and `remove' timers on the older key? Testing indicates that it works as desired, I'm just unsure whether key manipulation is permitted. policy: - id: autoHSM keystore: pemstore single-type-signing: off manual: off ksk-shared: off ksk-lifetime: 0 zsk-lifetime: 30d cds-cdnskey-publish: rollover Thank you, -JP