TL;DR
As Tony Finch observed, the benefit is only seen when SEP failures occur,
most often in key-rolls. I'd argue that the vast majority of observed
DNSSEC failures have been of the key-roll (or initial set-up) variety with
mismatches between DS and DNSKEY, but otherwise properly signed (by ZSK)
Tim Wicinski has requested publication of draft-ietf-dnsop-dnssec-key-timing-06
as Informational on behalf of the DNSOP working group.
Please verify the document's state at
http://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-key-timing/
___
DNSOP
