I noticed in passing that if you run dnssec-dsfromkey on an arbitrary DNSKEY RRset, it'll convert all keys with a SEP bit into DS records, including the revoked keys, which is probably not wanted. (dig dnskey nuthaven.org | dnssec-dsfromkey -f - nuthaven.org to demonstrate.)

Maybe we want to include revoked keys if using the -A option (which means all keys, not omitting ZSKs), but I think not by default.