This is an old version of the document!
Unfucking BIND Lost Unused Keys
Problem
BIND has changed its DNSSEC management mechanism from `auto-dnssec maintain;` to policy-based management. This by itself causes many headaches, but no immediate bugs, unless the policy generates keys for signature schemes that are not actually used. This happens, for example, when one later changes the policy definition: initially RSA signatures were defined, but the registrar doesn't actually want them, so you later change the policy to not generate them, yet there are now some RRSIGs in the dynamic signed zone. So we just adjust the policy and remove the unneeded keys, right? WRONG! Do not stupidly delete ZSK files!
pr/bind-lost-keys.1775489549.txt.gz · Last modified: 2026/04/06 17:32 by martok
