It seems I do have a problem with dnssec policy. DNSSEC for wisser.se is automatically managed by knot. If you do a "dig dnskey wisser.se" you will find a lot of old ZSK in my zone. 

I did some "digging" with the keymgr tool and found the following conf for all old keys 

I guess the retire and remove values are the problem. How do I set them for the old keys? And how do I configure my policy to set them for future keys?

Kind regards

Ulrich

Ulrich Wisser