Forum Discussion

JustCooLpOOLe
Jul 12, 2017

DNSSEC - Zone Signing and Key Signing Keys

I'm looking into using DNSSEC for our Wide-Ips. I've got the signing working for our UAT records but now I'm more interested in the best practices for the Zone Signing and Key Signing Keys as well as how the rollover and expiration values work.

Here is what I know from reading:

The default for rollover is 0 and the expiration is 0 with the TTL set at 24 hours (86400 seconds). I do know that the difference between the Expiration Period and Rollover Period must be greater than the TTL, Expiration - Rollover > TTL. The recommended Expiration Period for Zone Signing Keys is 30-90 days and for Key Signing Keys it is 1 year.

My questions are:

  1. What is the function of the rollover period in relation to the expiration period?
  2. What is the best practice value for the rollover period?
  3. What happens once the Expiration Period ends? Will I need to recreate the keys?

Any help or guidance would be appreciated!
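As an added example that is not part of the post and not F5 code, the checker below applies the one rule the poster quotes (Expiration - Rollover > TTL) together with the recommended expiration windows (ZSK 30-90 days, KSK 1 year) to candidate key settings before they are committed. It assumes all three values are given in seconds, treats a rollover and expiration of 0 as the untouched defaults the post describes, and does not interpret what the BIG-IP does when a period ends (that is what the poster is asking).

```python
"""Sanity-check DNSSEC key timing values against the guidance quoted in the post.

Constructed example: the constraint and the recommended ranges come from the
post; the function names, the seconds-based units and the handling of 0/0 as
"left at defaults" are assumptions of this example, not F5 behaviour.
"""

DAY = 86400  # seconds; also the default TTL mentioned in the post

# Recommended expiration windows from the post: (min_days, max_days, label)
RECOMMENDED_EXPIRATION = {
    "zsk": (30, 90, "30-90 days"),
    "ksk": (365, 365, "1 year"),
}


def check_key_timing(key_type, rollover, expiration, ttl=DAY):
    """Return a list of findings for one key; an empty list means the values
    are consistent with the quoted guidance. All periods are in seconds."""
    key_type = key_type.lower()
    if key_type not in RECOMMENDED_EXPIRATION:
        raise ValueError(f"unknown key type {key_type!r}; expected 'zsk' or 'ksk'")

    findings = []

    # Both values at 0 is the default the post describes; nothing to validate.
    if rollover == 0 and expiration == 0:
        findings.append("rollover and expiration left at the default of 0")
        return findings

    if rollover >= expiration:
        findings.append(
            f"rollover ({rollover}s) must be shorter than expiration ({expiration}s)"
        )

    # The post's rule: the window between rollover and expiration must exceed
    # the TTL, otherwise cached records can outlive the key that signed them.
    window = expiration - rollover
    if window <= ttl:
        findings.append(
            f"expiration - rollover = {window}s is not greater than TTL {ttl}s"
        )

    lo, hi, label = RECOMMENDED_EXPIRATION[key_type]
    exp_days = expiration / DAY
    if not lo <= exp_days <= hi:
        findings.append(
            f"{key_type.upper()} expiration of {exp_days:g} days is outside "
            f"the recommended {label}"
        )
    return findings


def check_key_set(keys, ttl=DAY):
    """Validate several keys at once; returns {name: findings} for keys that
    have at least one finding. `keys` maps a name to (type, rollover, expiration)."""
    report = {}
    for name, (key_type, rollover, expiration) in keys.items():
        findings = check_key_timing(key_type, rollover, expiration, ttl)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    # Constructed candidate settings, in seconds.
    candidates = {
        "zsk-uat": ("zsk", 30 * DAY, 60 * DAY),    # fine
        "zsk-tight": ("zsk", 59 * DAY, 60 * DAY),  # window equals TTL, not greater
        "ksk-uat": ("ksk", 300 * DAY, 365 * DAY),  # fine
        "ksk-default": ("ksk", 0, 0),              # defaults untouched
    }
    for name, findings in check_key_set(candidates).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Running the block prints only the keys that need attention; a key whose values satisfy the quoted rule and fall inside the recommended window produces no output, which makes the check easy to wire into a pre-change review of the Wide-IP key settings.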

3 Replies