dnssec-policy change does not retire keys
When changing a policy for a zone (for example, to perform an algorithm rollover), existing keys whose properties no longer match (for example, keys that now have the wrong algorithm) are not retired; they are kept in the zone and remain active.
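
One way to check for the symptom described above, as an added example that is not part of the original report or of BIND's code: it reads key state files and lists keys whose algorithm differs from the policy's while their goal is still not hidden. It assumes state files carry `Algorithm:` and `GoalState:` lines; the function names and the sample files are constructed for illustration.

```python
# DNSSEC algorithm numbers (IANA registry), keyed by mnemonic.
ALGORITHMS = {"rsasha256": 8, "rsasha512": 10, "ecdsap256sha256": 13,
              "ecdsap384sha384": 14, "ed25519": 15, "ed448": 16}

def parse_state(text):
    """Parse 'Name: value' lines of a key state file, skipping ';' comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields

def stale_keys(state_files, policy_algorithm):
    """Return the names of keys that do not use the policy's algorithm
    but whose goal state is not 'hidden' (assumed to mean: not being retired)."""
    wanted = ALGORITHMS[policy_algorithm.lower()]
    stale = []
    for name, text in sorted(state_files.items()):
        fields = parse_state(text)
        if "Algorithm" not in fields:
            continue  # not a key state file we understand
        if int(fields["Algorithm"]) == wanted:
            continue  # key matches the new policy
        if fields.get("GoalState") != "hidden":
            stale.append(name)
    return stale

# Constructed sample state files (not taken from a real zone).
SAMPLE = {
    "Kexample.com.+008+11111.state":
        "; constructed sample\nAlgorithm: 8\nKSK: yes\nZSK: yes\n"
        "Active: 20240101000000\nGoalState: omnipresent\n",
    "Kexample.com.+008+33333.state":
        "; constructed sample\nAlgorithm: 8\nKSK: yes\nZSK: yes\n"
        "Retired: 20240601000000\nGoalState: hidden\n",
    "Kexample.com.+013+22222.state":
        "; constructed sample\nAlgorithm: 13\nKSK: yes\nZSK: yes\n"
        "Active: 20240601000000\nGoalState: omnipresent\n",
}

if __name__ == "__main__":
    # Policy was changed to ECDSAP256SHA256; list old keys not being retired.
    for key in stale_keys(SAMPLE, "ecdsap256sha256"):
        print("not retired:", key)
```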