fully document DNSSEC key (DS/DNSKEY) rotation procedures

in the latest DNSSEC incident (#42308 (closed)), we have noted that part of the problem was that the key rotation procedure was not reliable.

we used to have an automated rotation procedure but that was ripped out in #42268 (closed), and rightly so. besides, that automation only covered bits of the system, and actually made the system more brittle.

we don't need automation here, because we'll rotate those keys just in an emergency scenario (typically a host compromise).

but we do need a proper procedure in place. right now we have this procedure but it doesn't take into account the end of the expiry stuff.