diff --git a/procedures/key-rotation.txt b/procedures/key-rotation.txt new file mode 100644 index 0000000..c303cc0 --- /dev/null +++ b/procedures/key-rotation.txt @@ -0,0 +1,62 @@ +DNSSEC +====== + +ZSK +--- + +Assumes: +- ZSK_p is the ZSK key in retirement (previous) +- ZSK_c is the ZSK key that's going to be used for this period (current) +- ZSK_n is the ZSK key that's going to be used for the period after + ZSK_c is used (next) + +1. On rotation day, generate ZSK_n and add its DNSKEY RR to the zone +2. Remove DNSKEY RR for ZSK_p from the zone +3. Sign DNSKEY RRs with KSK +4. Sign rest of the zone with ZSK_c +5. Publish signed zones, which includes: + - DNSKEY RRs for ZSK_c and ZSK_n signed by KSK + - Every other RR signed by ZSK_c + - Does not include ZSK_p DNSKEY RR nor any RRSIG signed by ZSK_p + +NSEC3PARAM +---------- + +On ZSK rotation day, generate a new salt with + + openssl rand -hex 11 + +and replace the current salt in the zone. + +KSK +--- + +TBD + +PGP +=== + +Main key +-------- + +TBD + +Git signing key +--------------- + +TBD + +SSH +=== + +1. Move current key set to `old/` directory +2. Change `~/.ssh/config` to also try keys from `old/` directory +3. Generate new key set +4. SSH to target machine and add new key to `~/.ssh/authorized_keys` +5. SSH again, with `-v` to confirm that the new key is being used +6. Change `~/.ssh/config` back to stop trying keys from `old/` directory + +Key set: +- Own infra +- 3rd party infra +- Git-over-SSH
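Review bot: In the ZSK section, step 2 removes the DNSKEY RR for ZSK_p in the same publication as the re-signing in step 4, which leaves a window where a validating resolver can hold RRs still signed by ZSK_p (cached before the new zone propagated) together with a freshly fetched DNSKEY RRset that no longer contains ZSK_p, so those cached records fail validation. In a pre-publish rollover the retiring key stays in the DNSKEY RRset until every RRSIG it produced has expired from caches, i.e. at least the zone's maximum TTL after the ZSK_c-signed zone is published; move step 2 (and the "Does not include ZSK_p DNSKEY RR" line under step 5) into a separate follow-up step, for example "After max zone TTL has elapsed, remove DNSKEY RR for ZSK_p, re-sign the DNSKEY RRset with the KSK and publish". It is also worth stating the TTL value (or where it is read from) so the waiting period is not left to memory. In the SSH section, the procedure never removes the old public key from the target's `~/.ssh/authorized_keys`, so the retired key remains valid indefinitely; add a final step such as "Remove the old public key from `~/.ssh/authorized_keys` on each target and delete `old/` once all targets are done", otherwise the rotation does not actually revoke anything.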