I set up my (authoritative) BIND nameserver for DNSSEC and installed one ZSK for my currently only zone. In order to test whether I can use multiple ZSKs for a single zone, I generated a new key pair and copied it into the same folder as the first key pair. After doing a reload, the server found the new ZSK key pair and signed the zone with both ZSKs.
Now I noticed that I don't need two ZSKs at the same time and thought that I could delete the new ZSK the same way I added it, so I deleted the corresponding files in the configuration directory.
Unfortunately, this didn't remove the newer ZSK from the system: after a reload the nameserver is missing the files but still responds with both ZSKs over DNS.
Now my question is, how can I remove BIND's knowledge of the second ZSK and return to signing with a single ZSK?
I managed to solve the problem by running
rndc delzone mydomain.example
then deleting all the automatically created files that start with my zone file's file name, and then restarting (rather than reloading, which was all I had tried so far) the server using
service named restart
Now I only have the signatures with the remaining ZSK.
I hope this might help someone else in the future.
This howto may help you: https://www.nlnetlabs.nl/publications/dnssec_howto/
There is a specific paragraph about ZSK rollovers. On production systems you should not do rollovers by hand, especially for ZSKs, as their rollovers are bound to happen "often". You should use software like OpenDNSSEC.