rndc zonestatus should report active signing keys
There's no straightforward way to see which keys are currently actively signing a zone - looking at the DNSKEY RRset doesn't necessarily tell you that, because some of them may be standby keys, or a key may no longer be active but still have signatures in the zone, or a key may be pre-signing before it's published. It would be nice if named
could report this, either with rndc zonestatus
or some other rndc
command.