no automatic DNSSEC key rollover

0 votes
0 answers
66 views
I have a DNSSEC BIND server. Everything works just fine, except for one little issue: why is there no automatic ZSK rollover happening? I thought BIND would generate and install new ZSK keys every 180 days. Are my expectations incorrect, or are there problems with my config? I did not find any hints in the logs. How can I debug it?

I'm currently running version 9.18.24. The policy in /etc/named.conf:

```
dnssec-policy "my_policy" {
    keys {
        ksk key-directory lifetime unlimited algorithm ecdsa256;
        zsk key-directory lifetime P180D algorithm ecdsa256;
    };
    nsec3param iterations 0 optout no salt-length 0;
    parent-ds-ttl PT1H;
};
```

and the output of `rndc dnssec -status` (why is *"No rollover scheduled"*?):

```
.....
key: 51503 (ECDSAP256SHA256), ZSK
  published:      yes - since Fri Dec 9 12:11:44 2022
  zone signing:   yes - since Fri Dec 9 12:11:44 2022

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - zone rrsig:     omnipresent
```

---

Update: I could not find a way to make an automatic rollover happen after the configured 180 days. So I did a manual rollover:

```
rndc dnssec -rollover -key ...
```

and the newly generated key has the next rollover scheduled. Hopefully that solved the problem. Maybe the policy controls the key only during its creation, and later policy changes do not affect existing keys.
Asked by VPfB (809 rep)
Mar 27, 2024, 06:38 PM
Last activity: Jun 12, 2024, 08:12 AM
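A monitoring check for the situation in the question, added here as an example (not code from the question or from BIND): it parses `rndc dnssec -status` output and flags any ZSK that has outlived the policy's `lifetime` while still reporting "No rollover scheduled", so a stalled rollover is caught before the key ages further. The status text, the second key id 60001 and its timestamps are constructed to mirror the post; `parse_lifetime` handles only the day/week subset of ISO 8601 durations.

```python
import re
from datetime import datetime, timedelta

# Constructed sample shaped like the `rndc dnssec -status` output in the question:
# the original ZSK (no rollover scheduled) plus a manually rolled replacement.
SAMPLE_STATUS = """\
key: 51503 (ECDSAP256SHA256), ZSK
  published:      yes - since Fri Dec  9 12:11:44 2022
  zone signing:   yes - since Fri Dec  9 12:11:44 2022
  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - zone rrsig:     omnipresent
key: 60001 (ECDSAP256SHA256), ZSK
  published:      yes - since Wed Mar 27 14:00:00 2024
  zone signing:   yes - since Wed Mar 27 14:00:00 2024
  Next rollover scheduled on Mon Sep 23 14:00:00 2024
  - goal:           omnipresent
  - dnskey:         rumoured
  - zone rrsig:     rumoured
"""

def parse_bind_time(text):
    # rndc prints ctime(3)-style timestamps such as "Fri Dec  9 12:11:44 2022".
    return datetime.strptime(" ".join(text.split()), "%a %b %d %H:%M:%S %Y")

def parse_lifetime(spec):
    # Only the day/week subset of ISO 8601 durations is handled (e.g. P180D).
    m = re.fullmatch(r"P(?:(\d+)W)?(?:(\d+)D)?", spec)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported lifetime: {spec}")
    weeks, days = (int(g or 0) for g in m.groups())
    return timedelta(weeks=weeks, days=days)

def check_zsk_rollover(status_text, lifetime, now):
    """Return (key_id, age_in_days) for each ZSK older than `lifetime` that still
    reports 'No rollover scheduled'."""
    findings = []
    for block in re.split(r"(?m)^key:", status_text)[1:]:
        head = re.match(r"\s*(\d+)\s+\([^)]+\),\s+(KSK|ZSK)", block)
        if not head or head.group(2) != "ZSK":
            continue
        since = re.search(r"published:\s+yes - since (.+)", block)
        if not since:
            continue  # not yet published, so nothing to age
        age = now - parse_bind_time(since.group(1))
        if age >= lifetime and "No rollover scheduled" in block:
            findings.append((int(head.group(1)), age.days))
    return findings
```

Run it against live output with `subprocess.run(["rndc", "dnssec", "-status", zone], capture_output=True, text=True).stdout` and `datetime.now()` in place of the sample; a non-empty result is the condition the question describes.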