If a zone with a high serial (~ "made a few changes today") is deleted and recreated quickly, the SOA serial on the primary can end up lower than or equal to the serial on the secondary nameservers. This may obstruct replication, and the zone is stuck publicly with an old DNSKEY.
To make this work correctly, also trigger replication whenever DNSKEY has changed (i.e. include it in a hash along with the serial, or something like that).
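A sketch of the suggested trigger, added here as an illustration and not taken from the project's code: the primary remembers a hash over the SOA serial and the DNSKEY RRset it last replicated, and replicates again when that hash changes. The names `Zone`, `zone_fingerprint` and `needs_replication` are hypothetical, and the serials and key strings are constructed placeholders.

```python
import hashlib
from typing import NamedTuple

class Zone(NamedTuple):
    serial: int            # SOA serial
    dnskeys: tuple         # DNSKEY rdata in presentation format

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial comparison: True only if a is newer than b."""
    return a != b and ((a - b) % 2**32) < 2**31

def zone_fingerprint(zone: Zone) -> str:
    """SHA-256 over the serial and the whitespace-normalised, sorted DNSKEY set."""
    h = hashlib.sha256()
    h.update(zone.serial.to_bytes(4, "big"))
    # Sort so RRset order is irrelevant; length-prefix each key so that
    # adjacent records cannot be confused with one longer record.
    for rdata in sorted(" ".join(k.split()) for k in zone.dnskeys):
        encoded = rdata.encode()
        h.update(len(encoded).to_bytes(2, "big"))
        h.update(encoded)
    return h.hexdigest()

def needs_replication(primary: Zone, last_replicated: Zone) -> tuple:
    """Return (serial_only_decision, fingerprint_decision)."""
    by_serial = serial_gt(primary.serial, last_replicated.serial)
    by_fingerprint = by_serial or (
        zone_fingerprint(primary) != zone_fingerprint(last_replicated)
    )
    return by_serial, by_fingerprint

# Constructed sample data: the zone had been edited several times (serial ...07),
# was then deleted and recreated, so the serial restarted and a new key exists.
OLD = Zone(2024051507, ("257 3 13 b2xkLWtleQ==",))   # state the secondaries hold
NEW = Zone(2024051501, ("257 3 13 bmV3LWtleQ==",))   # recreated zone on the primary

if __name__ == "__main__":
    serial_only, with_keys = needs_replication(NEW, OLD)
    print("serial-only trigger fires:", serial_only)
    print("serial+DNSKEY trigger fires:", with_keys)
```

This covers only the decision to trigger replication on the primary; how the secondaries are made to accept a zone with a lower serial depends on the replication mechanism in use.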