diff --git a/src/knot/dnssec/policy.c b/src/knot/dnssec/policy.c
index bda881b6d..a16882f3c 100644
--- a/src/knot/dnssec/policy.c
+++ b/src/knot/dnssec/policy.c
@@ -42,5 +42,5 @@ void update_policy_from_zone(knot_kasp_policy_t *policy,
 }
 policy->soa_minimal_ttl = zone_soa_min_ttl(zone);
- policy->zone_maximal_ttl = 0; // TODO
+ policy->zone_maximal_ttl = zone->max_ttl;
 }
diff --git a/src/knot/dnssec/zone-events.c b/src/knot/dnssec/zone-events.c
index 120ff6111..8928d9a64 100644
--- a/src/knot/dnssec/zone-events.c
+++ b/src/knot/dnssec/zone-events.c
@@ -28,7 +28,7 @@
 #include "knot/dnssec/zone-nsec.h"
 #include "knot/dnssec/zone-sign.h"
-static int sign_init(const zone_contents_t *zone, zone_sign_flags_t flags, zone_sign_roll_flags_t roll_flags,
+static int sign_init(zone_contents_t *zone, zone_sign_flags_t flags, zone_sign_roll_flags_t roll_flags,
 kdnssec_ctx_t *ctx, zone_sign_reschedule_t *reschedule)
 {
 assert(zone);
@@ -50,16 +50,20 @@ static int sign_init(const zone_contents_t *zone, zone_sign_flags_t flags, zone_
 }
 }
- // perform key rollover if needed
- r = knot_dnssec_key_rollover(ctx, roll_flags, reschedule);
+ r = zone_contents_adjust_full(zone);
 if (r != KNOT_EOK) {
 return r;
 }
 // update policy based on the zone content
- update_policy_from_zone(ctx->policy, zone);
+ // perform key rollover if needed
+ r = knot_dnssec_key_rollover(ctx, roll_flags, reschedule);
+ if (r != KNOT_EOK) {
+ return r;
+ }
+
 // RRSIG handling
 ctx->rrsig_drop_existing = flags & ZONE_SIGN_DROP_SIGNATURES;
diff --git a/src/knot/modules/onlinesign/onlinesign.c b/src/knot/modules/onlinesign/onlinesign.c
index 33868fe7b..2d2fab29c 100644
--- a/src/knot/modules/onlinesign/onlinesign.c
+++ b/src/knot/modules/onlinesign/onlinesign.c
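Review bot: `policy->zone_maximal_ttl = zone->max_ttl;` trusts a field that, in this diff, is only filled by the node-walk callbacks run during zone adjustment, so a contents object that was never adjusted silently reports 0 and the rollover timing derived from zone_maximal_ttl then assumes nothing is cached anywhere — the unsafe direction when an old key or DS is withdrawn. The precondition deserves a comment at this line: `// max_ttl is populated by zone_contents_adjust_full(); 0 means the contents were never adjusted`. update_policy_from_zone starts outside this hunk.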
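Review bot: As rendered, `update_policy_from_zone(ctx->policy, zone);` is removed from sign_init (the `-` line under the retained `// update policy based on the zone content` comment) while the comment itself stays, so it now sits directly above the rollover code and describes nothing. More importantly, unless the policy is refreshed elsewhere in the offline signing path (not visible here), ctx->policy->zone_maximal_ttl is never set from the max_ttl that zone_contents_adjust_full() was just called to compute, and knot_dnssec_key_rollover times its transitions against a stale or zero value. If the call is meant to remain, keep it between the adjust and the rollover, `update_policy_from_zone(ctx->policy, zone);` under its comment; if it is intentionally dropped, drop the comment with it. sign_init starts and ends outside this hunk.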
@@ -25,6 +25,7 @@
 // Next dependencies force static module!
 #include "knot/dnssec/ds_query.h"
 #include "knot/dnssec/key-events.h"
+#include "knot/dnssec/policy.h"
 #include "knot/dnssec/zone-events.h"
 #include "knot/nameserver/query_module.h"
 #include "knot/nameserver/process_query.h"
@@ -536,6 +537,7 @@ static knotd_in_state_t pre_routine(knotd_in_state_t state, knot_pkt_t *pkt,
 }
 }
 if (ret == KNOT_EOK || knot_time_cmp(ctx->event_rollover, mod->dnssec->now) <= 0) {
+ update_policy_from_zone(mod->dnssec->policy, qdata->extra->zone->contents);
 ret = knot_dnssec_key_rollover(mod->dnssec, KEY_ROLL_ALLOW_KSK_ROLL | KEY_ROLL_ALLOW_ZSK_ROLL, &resch);
 }
 if (ret == KNOT_EOK) {
diff --git a/src/knot/zone/contents.c b/src/knot/zone/contents.c
index 671b483bb..755d24f27 100644
--- a/src/knot/zone/contents.c
+++ b/src/knot/zone/contents.c
@@ -280,6 +280,16 @@ static int measure_size(zone_node_t *node, void *data){
 return KNOT_EOK;
 }
+static int measure_max_ttl(zone_node_t *node, void *data){
+
+ uint32_t *max = data;
+ int rrset_count = node->rrset_count;
+ for (int i = 0; i < rrset_count; i++) {
+ *max = MAX(*max, node->rrs[i].ttl);
+ }
+ return KNOT_EOK;
+}
+
 static bool nsec3_params_match(const knot_rdataset_t *rrs,
 const dnssec_nsec3_params_t *params,
 size_t rdata_pos)
@@ -319,7 +329,9 @@ static int adjust_normal_node(zone_node_t **tnode, void *data)
 return ret;
 }
- measure_size(*tnode, &((zone_adjust_arg_t *)data)->zone->size);
+ zone_adjust_arg_t *arg = data;
+ measure_size(*tnode, &arg->zone->size);
+ measure_max_ttl(*tnode, &arg->zone->max_ttl);
 // Connect nodes to their NSEC3 nodes
 return adjust_nsec3_pointers(tnode, data);
@@ -353,6 +365,7 @@ static int adjust_nsec3_node(zone_node_t **tnode, void *data)
 args->previous_node = node;
 measure_size(*tnode, &args->zone->size);
+ measure_max_ttl(*tnode, &args->zone->max_ttl);
 // check if this node belongs to correct chain
 const knot_rdataset_t *nsec3_rrs = node_rdataset(node, KNOT_RRTYPE_NSEC3);
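Review bot: `qdata->extra->zone->contents` is passed straight into update_policy_from_zone, which in this same diff dereferences its argument unconditionally (`zone->max_ttl`), and whether contents can still be NULL at this point of pre_routine (a zone not yet loaded or already expired) is not visible in the hunk. If that is possible, guard before the call: `if (qdata->extra->zone->contents != NULL) { update_policy_from_zone(mod->dnssec->policy, qdata->extra->zone->contents); }`. Note also that max_ttl is only meaningful if the loaded contents went through a full adjust; the online-signing module never runs the offline sign_init that calls zone_contents_adjust_full() here, so confirm the zone-load path does. pre_routine starts and ends outside this hunk.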
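Review bot: measure_max_ttl carries no comment stating its contract with the walk: it only ever raises `*max`, never resets it, and it writes through `data` as a `uint32_t *`, so a caller must zero the accumulator before the traversal and must not hand it an object of another size. A one-line comment above the function would prevent both mistakes: `// zone_contents_apply() callback: data is a uint32_t accumulator the caller zeroed; only raised, never reset.` The `MAX` use is safe here since both arguments are plain lvalues, but that too is worth a word if the macro evaluates twice.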
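Review bot: measure_max_ttl accumulates into `arg->zone->max_ttl` for every normal node, but no hunk in this diff zeroes that field before the adjust walk, whereas `size` is presumably reset by the caller (not visible here). If the walk runs on contents that were adjusted before, max_ttl can only grow, so the policy's zone_maximal_ttl stays high after long-TTL records are removed — the conservative direction for rollovers, but stale; if contents are always freshly built before adjustment this is moot. Whichever holds, reset it next to size at the start of the walk, `zone->max_ttl = 0;`, so the invariant does not depend on the caller. adjust_normal_node starts outside this hunk.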
@@ -1178,3 +1191,10 @@ size_t zone_contents_measure_size(zone_contents_t *zone)
 zone_contents_apply(zone, measure_size, &zone->size);
 return zone->size;
 }
+
+uint32_t zone_contents_max_ttl(zone_contents_t *zone)
+{
+ zone->max_ttl = 0;
+ zone_contents_apply(zone, measure_max_ttl, &zone->size);
+ return zone->max_ttl;
+}
diff --git a/src/knot/zone/contents.h b/src/knot/zone/contents.h
index 6d6e3c971..e8ffa9610 100644
--- a/src/knot/zone/contents.h
+++ b/src/knot/zone/contents.h
@@ -42,6 +42,7 @@ typedef struct zone_contents {
 dnssec_nsec3_params_t nsec3_params;
 size_t size;
+ uint32_t max_ttl;
 bool dnssec;
 } zone_contents_t;
@@ -274,4 +275,14 @@ bool zone_contents_is_empty(const zone_contents_t *zone);
 */
 size_t zone_contents_measure_size(zone_contents_t *zone);
+/*!
+ * \brief Obtain maximal TTL above all the records in zone.
+ *
+ * The value is also stored in zone_contents structure.
+ *
+ * \param zone Zone in question.
+ * \return Maximal TTL.
+ */
+uint32_t zone_contents_max_ttl(zone_contents_t *zone);
+
 /*! @} */
diff --git a/tests-extra/tests/dnssec/key_rollovers/data/example.com.zone b/tests-extra/tests/dnssec/key_rollovers/data/example.com.zone
new file mode 100644
index 000000000..ecd27e06e
--- /dev/null
+++ b/tests-extra/tests/dnssec/key_rollovers/data/example.com.zone
@@ -0,0 +1,9 @@
+example.com. 3 SOA dns1.example.com. hostmaster.example.com. 2010111227 21600 3600 604800 3
+example.com. 0 NS dns1.example.com.
+example.com. 2 MX 10 mail.example.com.
+dns1.example.com. 4 A 192.0.2.1
+dns1.example.com. 3 AAAA 2001:db8::1
+foo.example.com. 5 A 192.0.2.4
+mail.example.com. 3 A 192.0.2.3
+mail.example.com. 1 AAAA 2001:db8::3
+
diff --git a/tests-extra/tests/dnssec/key_rollovers/test.py b/tests-extra/tests/dnssec/key_rollovers/test.py
index f848e6eba..240f71dbc 100644
--- a/tests-extra/tests/dnssec/key_rollovers/test.py
+++ b/tests-extra/tests/dnssec/key_rollovers/test.py
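Review bot: `zone_contents_apply(zone, measure_max_ttl, &zone->size);` hands the callback the address of `size` (a `size_t`) while measure_max_ttl writes through it as a `uint32_t *`, so the computed maximum lands in the low bytes of `size` on a little-endian host, `size` is corrupted, and the function returns the `max_ttl` it zeroed one line earlier — always 0. Any caller that feeds this into the KASP policy would then time rollovers as if nothing were cached. The fix is the third argument: `zone_contents_apply(zone, measure_max_ttl, &zone->max_ttl);`.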
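Review bot: The new doc block says the value "is also stored in zone_contents structure" but not that the same field is, as far as this diff shows, presumably refreshed without calling this function whenever the zone is adjusted (adjust_normal_node and adjust_nsec3_node now both feed it), nor which of the two a caller should rely on; "above all the records" also reads oddly. Suggest `\brief Obtain the maximal TTL across all RRsets in the zone (normal and NSEC3 nodes).` plus a sentence noting that zone adjustment updates `max_ttl` as well, so callers holding adjusted contents can read the field directly.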
@@ -166,7 +166,7 @@ t.link(parent_zone, parent)
 parent.dnssec(parent_zone).enable = True
 child = t.server("knot")
-child_zone = t.zone("example.com.")
+child_zone = t.zone("example.com.", storage=".")
 t.link(child_zone, child)
 def cds_submission():
diff --git a/tests-extra/tests/modules/onlinesign_rollovers/data/example.com.zone b/tests-extra/tests/modules/onlinesign_rollovers/data/example.com.zone
new file mode 100644
index 000000000..ecd27e06e
--- /dev/null
+++ b/tests-extra/tests/modules/onlinesign_rollovers/data/example.com.zone
@@ -0,0 +1,9 @@
+example.com. 3 SOA dns1.example.com. hostmaster.example.com. 2010111227 21600 3600 604800 3
+example.com. 0 NS dns1.example.com.
+example.com. 2 MX 10 mail.example.com.
+dns1.example.com. 4 A 192.0.2.1
+dns1.example.com. 3 AAAA 2001:db8::1
+foo.example.com. 5 A 192.0.2.4
+mail.example.com. 3 A 192.0.2.3
+mail.example.com. 1 AAAA 2001:db8::3
+
diff --git a/tests-extra/tests/modules/onlinesign_rollovers/test.py b/tests-extra/tests/modules/onlinesign_rollovers/test.py
index 1ad6c7fe2..f5eb2829d 100644
--- a/tests-extra/tests/modules/onlinesign_rollovers/test.py
+++ b/tests-extra/tests/modules/onlinesign_rollovers/test.py
@@ -164,7 +164,7 @@ t.link(parent_zone, parent)
 parent.dnssec(parent_zone).enable = True
 child = t.server("knot")
-child_zone = t.zone("example.com.")
+child_zone = t.zone("example.com.", storage=".")
 t.link(child_zone, child)
 def cds_submission():