Algorithm rollover: Timing between publish of new RRSIGs and new DNSKEYs

Hello,

right now algorithm rollover begins with the signing (creation of the RRSIGs) of records with the new ZSK. After one hour (propagation delay?) the new ZSK/KSK is published. From my reading of RFC6781 the publishing of the new keys should be delayed until all RRSIGs are expired which means the highest TTL from the zone (in my case 1 day for NS records). Am I reading the RFC wrong or should the delay be improved to cover the TTLs?

I don't think any resolver still uses the strict approach so this probably has no practical impact but in theory it could happen. Otherwise why not publish keys and RRSIGs at the same time? This would be the regular Double-Signature KSK rollover (Section 4.1.2) from the RFC.