dnssec-keymgr doesn't work correctly with "."
When you run dnssec-keymgr with a given zone name the first time, it generates a KSK/ZSK set for that zone. Run it again for the same zone name, it should detect the existing keys and apply the key management policy to them, which in most cases means it won't do anything at all.
However, when you run dnssec-keymgr . multiple times, it generates new keys for the root zone every single time. I haven't had time to figure out why it's doing this, but it's wrong.
(I'm not really expecting them to start using dnssec-keymgr to maintain the root keys, so it isn't the most urgent problem, but we should look into it anyway.)