diff --git a/docs/group_vars/all/zones/zone.example.org.yml b/docs/group_vars/all/zones/zone.example.org.yml
index f0a3aa4..b35d91c 100644
--- a/docs/group_vars/all/zones/zone.example.org.yml
+++ b/docs/group_vars/all/zones/zone.example.org.yml
@@ -10,9 +10,13 @@ knot_zone_example.org:
 - ns3.example.org
 updaters:
 - foo.example.org
+ parents:
+ - a.gtld-servers.net
 # Replace example.org. with your zone name
 name: example.org.
+ # Enable automatic KSK rollover once a year
+ ksk_lifetime: 365d
 # Configure the SOA record to your liking
 soa:
diff --git a/docs/host_vars/a.gtld-servers.net/knot.yml b/docs/host_vars/a.gtld-servers.net/knot.yml
new file mode 100644
index 0000000..367a7d8
--- /dev/null
+++ b/docs/host_vars/a.gtld-servers.net/knot.yml
@@ -0,0 +1,5 @@
+---
+
+knot_dns_addresses:
+ - "2001:503:a83e::2:30"
+ - "192.5.6.30"
diff --git a/docs/host_vars/ns1.example.org/knot.yml b/docs/host_vars/ns1.example.org/knot.yml
index 5084056..5108a42 100644
--- a/docs/host_vars/ns1.example.org/knot.yml
+++ b/docs/host_vars/ns1.example.org/knot.yml
@@ -19,6 +19,3 @@ knot_tsig_key:
 secret: pZxgYlANxwWscfrZz4sdi6mQUlWFWlhUO/y7wjSJ6qdcXXGTaAxtwlaHWYYhJfTN
 # Change other host specific options here
-
-# knot 2.7 in Debian stable doesn't know double-ds yet
-knot_dnssec_policy_cds_publish: always
diff --git a/docs/host_vars/ns2.example.org/knot.yml b/docs/host_vars/ns2.example.org/knot.yml
index f914f80..018495e 100644
--- a/docs/host_vars/ns2.example.org/knot.yml
+++ b/docs/host_vars/ns2.example.org/knot.yml
@@ -18,6 +18,3 @@ knot_tsig_key:
 algorithm: hmac-sha384
 secret: poAeCzXByHLuuHjDfLceKmlUWFD+08p8QfV0ikXMBn0qTSJEXnBaDUupaG8aRS8M
 # Change other host specific options here
-
-# knot 2.7 in Debian stable doesn't know double-ds yet
-knot_dnssec_policy_cds_publish: always
diff --git a/docs/inventory.ini b/docs/inventory.ini
index 1eebc0b..4075d12 100644
--- a/docs/inventory.ini
+++ b/docs/inventory.ini
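Review bot: In the zone.example.org.yml hunk the new `parents` entry names `a.gtld-servers.net`, which serves the com and net zones, while the example zone is `example.org.`; a DS lookup for an org name sent there would not return the record, so a reader who copies the example unchanged would presumably see the rollover started by `ksk_lifetime: 365d` wait for a confirmation that never arrives. A comment above the key would make the intent explicit, for example `# Nameservers of the parent zone, queried for the DS record during a KSK rollover; replace with your TLD's servers`. The answer to that query is plain, unauthenticated DNS from a single listed server, so the docs should say whether one parent entry is enough or several should be given. The addresses pinned in the new `host_vars/a.gtld-servers.net/knot.yml` belong to a server the operator does not run and deserve a one-line comment that they must be kept in step with the published ones. The zone mapping starts and ends outside the hunk.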
@@ -11,3 +11,6 @@ ns2.example.org
 ns3.example.org
 # TSIG update clients, also dummy host only
 foo.example.org
+# Parents nameservers to check for publication of DS records upon KSK
+# rollover
+a.gtld-servers.net
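Review bot: The added `a.gtld-servers.net` line puts a server the operator does not control into the inventory, and its comment does not mark it as a dummy entry the way the `foo.example.org` comment just above does. The group header is outside the hunk, so whether a play can reach this host cannot be confirmed from here; if any play targets `all` or this group, Ansible would try to open a connection to it. I would word the comment as `# Parent zone nameservers, dummy hosts only: queried for DS records during a KSK rollover` and, unless the role already excludes them, keep these hosts in a group of their own.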