Cloudflare DNSSEC + Verisign Registry Lock: Future disaster waiting to happen?

My primary domain is a .COM and uses Cloudflare’s Universal DNSSEC. It resides at a third-party registrar and has a full set of registrar and registry locks including clientUpdateProhibited and serverUpdateProhibited, both of which prevent updates to registry-held DNSSEC data e.g. the DS record.

It doesn’t look like Cloudflare does automatic KSK rollovers or anything like that, but there is a high probability that regardless of how far into the future, the DNSSEC data is eventually going to have to be updated. For example, Cloudflare could move from algorithm 13 to 15 or, given enough time, algorithm 13 could even become obsolete. I would assume that Cloudflare would provide notice ahead of time, but this still makes me slightly nervous because “unlocking” this domain name is (purposefully) not an easy or quick process.

Has Cloudflare provided any insight into what the procedure for an eventual DNSSEC update may look like?

Thank you for your time.

  • tls2point0