I would like to know if there is a mechanism to rotate the ZSK and KSK for domains that have DNSSEC enabled.
Of course, ZSK rotation is easy and should be handled automatically within Cloudflare. However, KSK rotation needs user action to update the new DS records at the domain registrar.
It is not very secure if the KSK is kept static for months and years, and HKIRC also suggests rotating every year. We did have KSK rotation using the double-signature mechanism before migrating to Cloudflare, but we do not see any clues or hints as to whether this can be set in Cloudflare.
Hope someone can give information regarding this.