...

How a Device Key is derived from the KDK is described in MTS2. As Device Keys are stored in non-secure environments, it is appropriate to roll them regularly. Likewise, it is also reasonable to rotate KDKs, as they are distributed over a potentially large number of participants and devices. The required timing for updating the KDK is determined bilaterally between the participants, which would also affect any roll-over schedules. KDKs are generally valid for as long as they are available through the Devices API. During a roll-over, several KDKs will normally have to be available, and the receiving party should accept them all as valid. When a key is no longer available through the API, it must be removed from all validating devices.
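The roll-over rule above, sketched for a validating device as an added example (not code from this specification). Assumptions: the Devices API listing is modelled as a dict of key id to KDK bytes, the Device Key derivation is an HMAC stand-in for the one defined in MTS2, and the validated item is a MAC-protected message; all names and sample values are constructed.

```python
import hashlib
import hmac

def derive_device_key(kdk: bytes, device_id: str) -> bytes:
    # Stand-in derivation (assumption); the real one is specified in MTS2.
    return hmac.new(kdk, device_id.encode(), hashlib.sha256).digest()

class KdkStore:
    """KDKs a validating device currently accepts, keyed by key id."""

    def __init__(self):
        self._kdks = {}

    def sync(self, published: dict) -> tuple:
        """Mirror the API listing: add new KDKs, drop withdrawn ones."""
        added = sorted(set(published) - set(self._kdks))
        removed = sorted(set(self._kdks) - set(published))
        self._kdks = dict(published)
        return added, removed

    def verify(self, device_id: str, message: bytes, tag: bytes):
        """Return the id of the KDK whose device key matches, else None."""
        matched = None
        for key_id, kdk in self._kdks.items():
            device_key = derive_device_key(kdk, device_id)
            expected = hmac.new(device_key, message, hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):  # constant-time compare
                matched = key_id
        return matched

def demo():
    old, new = b"\x01" * 32, b"\x02" * 32  # constructed sample KDKs
    msg = b"constructed-message"

    def tag(kdk):
        dk = derive_device_key(kdk, "dev-42")
        return hmac.new(dk, msg, hashlib.sha256).digest()

    store = KdkStore()
    store.sync({"kdk-old": old})
    store.sync({"kdk-old": old, "kdk-new": new})  # roll-over: both listed
    during = (store.verify("dev-42", msg, tag(old)),
              store.verify("dev-42", msg, tag(new)))
    store.sync({"kdk-new": new})  # old KDK no longer listed: removed
    after = (store.verify("dev-42", msg, tag(old)),
             store.verify("dev-42", msg, tag(new)))
    return during, after
```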

...