OK so we all already know the difference between private and public keys.  We also already know the difference between signing, authentication, encryption, and decryption, and whose public/private keys are applied against cleartext/ciphertext and signed/unsigned messages.  This question goes a bit deeper, specifically into subkeys.  Lets also forgo revocation unless that ends up playing into my main question at the end.

Now, subkeys are the additional parts beyond the raw private key where if you elect to have them then you must have separate signing and encryption subkeys.  And all your subkeys each have their own expiration.  You can also have multiple subkeys of the same type.  This last part is very useful for when your subkey expires you can just create a new one.  Then as long as you do keep all your old expired subkeys you can still decrypt messages that were encrypted to them even past their expiry date.  So all this plays very well into key management for rolling them with all your external parties.

So heres my question... I also noticed that the main secret key can also have an expiration date.  But what is the proper way to handle rolling that?  Or, if we appropriately roll our subkeys could we not just set that main private key to have no expiration date?  Or is it simply useful to just have the main key have a yearly expiry date that you just manually periodically extend if all is going well and there are no breaches?  I suspect that might be useful but I do believe then that you must redistribute your public keys out everywhere again which sucks if you're not using any of the common keyserver systems, etc.

I have mine setup with a Master key with only the 'C' attribute.  3 subkeys are attached, individually with 'S', 'E', and 'A'.

I update my key expiration dates yearly in December, and set the master key for expiration 2 years out on 1 Jan, and the subkeys for 1 year out on 1 Jan.  All keys are extended as long as nothing funky has come up to make me think they have been compromised.  After update, the new expiration date is pushed to the major keyservers.  It's on anyone who wants to encrypt to me to update the keys when they notice they are expired.  My "real" key (not the arf key) is published so it is discoverable by WKD, so it is easy for contacts to update without relying on a keyserver.

Master key is stripped and stored on an airgapped, encrypted computer, with backup in an encrypted USB HDD.