diff --git a/CHANGES b/CHANGES index ee9d0881b9..23a47a4555 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +3165. [bug] dnssec-signzone could generate new signatures when + resigning, even when valid signatures were already + present. [RT #26025] + 3164. [func] Enable DLZ modules to retrieve client information, so that responses can be changed depending on the source address of the query. [RT #25768] diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 6afd66d520..52cea87978 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.279 2011/07/19 23:47:48 tbox Exp $ */ +/* $Id: dnssec-signzone.c,v 1.280 2011/10/11 19:26:05 each Exp $ */ /*! \file */ @@ -411,6 +411,7 @@ keythatsigned(dns_rdata_rrsig_t *rrsig) { if (result == ISC_R_SUCCESS) { key->force_publish = ISC_FALSE; key->force_sign = ISC_FALSE; + key->index = keycount++; ISC_LIST_APPEND(keylist, key, link); } 
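Review bot: `key->index = keycount++;` lets keycount grow while signset is walking the existing RRSIGs, because a key first seen via a signature is appended here, yet the `wassignedby`/`nowsignedby` arrays that signset indexes with `key->index` are allocated before that walk, outside these hunks. The allocation presumably reserves one extra slot per RRSIG in the set on top of `keycount`; if it only uses `keycount`, a signature made by a key that is on disk but absent from the DNSKEY RRset would index past both arrays. The contract is worth stating at the assignment: `/* Indexes signset's wassignedby/nowsignedby arrays; those must be sized for keys appended here mid-loop. */`. keythatsigned's body begins and ends outside this hunk.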
@@ -557,36 +558,34 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, vbprintf(2, "\trrsig by %s %s - dnskey not found\n", keep ? "retained" : "dropped", sigstr); } else if (issigningkey(key)) { + wassignedby[key->index] = ISC_TRUE; + if (!expired && rrsig.originalttl == set->ttl && setverifies(name, set, key->key, &sigrdata)) { vbprintf(2, "\trrsig by %s retained\n", sigstr); keep = ISC_TRUE; - wassignedby[key->index] = ISC_TRUE; - nowsignedby[key->index] = ISC_TRUE; } else { vbprintf(2, "\trrsig by %s dropped - %s\n", sigstr, expired ? "expired" : rrsig.originalttl != set->ttl ? "ttl change" : "failed to verify"); - wassignedby[key->index] = ISC_TRUE; resign = ISC_TRUE; } } else if (!ispublishedkey(key) && remove_orphans) { vbprintf(2, "\trrsig by %s dropped - dnskey removed\n", sigstr); } else if (iszonekey(key)) { + wassignedby[key->index] = ISC_TRUE; + if (!expired && rrsig.originalttl == set->ttl && setverifies(name, set, key->key, &sigrdata)) { vbprintf(2, "\trrsig by %s retained\n", sigstr); keep = ISC_TRUE; - wassignedby[key->index] = ISC_TRUE; - nowsignedby[key->index] = ISC_TRUE; } else { vbprintf(2, "\trrsig by %s dropped - %s\n", sigstr, expired ? "expired" : rrsig.originalttl != set->ttl ? "ttl change" : "failed to verify"); - wassignedby[key->index] = ISC_TRUE; } } else if (!expired) { vbprintf(2, "\trrsig by %s retained\n", sigstr); @@ -619,6 +618,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, } } else { tuple = NULL; + vbprintf(2, "removing signature by %s\n", sigstr); result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL, name, sigset.ttl, &sigrdata, &tuple); @@ -650,7 +650,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, key != NULL; key = ISC_LIST_NEXT(key, link)) { - if (nowsignedby[key->index] && !ispublishedkey(key)) + if (nowsignedby[key->index]) continue; if (!issigningkey(key)) 
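Review bot: The retained branches for signing keys and zone keys no longer set `nowsignedby[key->index]`, so whether a kept signature suppresses re-signing now rests entirely on the `if (keep)` path further down in signset, which is outside this hunk (the -619 hunk shows only its `} else {`). If that path marks nowsignedby for every kept signature the change is sound; if it covers only some of them, the loop changed in the -650 hunk would regenerate signatures that were just retained, which is the very bug the CHANGES entry describes. A comment above the two hoisted assignments would make the split of responsibilities explicit: `/* wassignedby: this key had an RRSIG here, valid or not; nowsignedby is marked where keep is acted on. */`. signset begins and ends outside this hunk.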
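Review bot: The new `vbprintf(2, "removing signature by %s\n", sigstr);` breaks the format the other per-signature messages in this function use (`"\trrsig by %s ..."` with a leading tab), and for the branches above it it repeats a "dropped" line that was printed with the reason a few lines earlier. If the extra line is wanted for the non-dropped cases that reach this `else`, `vbprintf(2, "\trrsig by %s removed\n", sigstr);` keeps the verbose output aligned and greppable. The enclosing `if (keep) ... else` starts before this hunk.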
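Review bot: The simplified `if (nowsignedby[key->index]) continue;` drops the `!ispublishedkey(key)` qualifier without saying why, and since that qualifier is what caused published keys to re-sign sets they had already signed, the reason belongs in the code rather than only in CHANGES. Something like `/* Already covered by a retained (or, presumably, newly generated) RRSIG from this key: never double-sign, published or not. */` would stop the next maintainer from reintroducing it. The for loop's head and the rest of its body lie outside this hunk.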
@@ -3364,6 +3364,8 @@ usage(void) { fprintf(stderr, "use pseudorandom data (faster but less secure)\n"); fprintf(stderr, "\t-P:\t"); fprintf(stderr, "disable post-sign verification\n"); + fprintf(stderr, "\t-R:\t"); + fprintf(stderr, "remove signatures from keys that no longer exist\n"); fprintf(stderr, "\t-T TTL:\tTTL for newly added DNSKEYs\n"); fprintf(stderr, "\t-t:\t"); fprintf(stderr, "print statistics\n"); diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index e4c1c2ad5c..89922138bb 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.42 2011/05/23 20:10:02 each Exp $ +# $Id: clean.sh,v 1.43 2011/10/11 19:26:06 each Exp $ rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed rm -f */trusted.conf */managed.conf */tmp* */*.jnl */*.bk @@ -46,6 +46,7 @@ rm -f ns3/secure.optout.example.db rm -f */named.secroots rm -f ns1/managed.key.id rm -f signer/example.db +rm -f signer/signer.out.1 signer/signer.out.2 rm -f ns2/algroll.db rm -f ns3/kskonly.example.db rm -f ns4/named.conf diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index f491ba0491..5dd4e01f86 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.96 2011/10/10 00:34:57 marka Exp $ +# $Id: tests.sh,v 1.97 2011/10/11 19:26:06 each Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh 
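Review bot: The help text "remove signatures from keys that no longer exist" does not match what the code visible in the -557 hunk does for orphans, where the test is `!ispublishedkey(key) && remove_orphans` — the key may well still exist on disk, it is just not in the zone's DNSKEY RRset. Assuming -R is the switch that sets `remove_orphans` (the option parsing is not in this diff), wording such as `fprintf(stderr, "remove signatures made by keys that are no longer in the zone's DNSKEY RRset\n");` tells the operator exactly which signatures will be dropped, which matters during a rollover.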
@@ -1050,6 +1050,26 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:checking dnssec-signzone retains unexpired signatures ($n)" +ret=0 +( +cd signer +$SIGNER -Sxt -o example example.db > signer.out.1 2>&1 +$SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2 2>&1 +) || ret=1 +gen1=`awk '/generated/ {print $3}' signer/signer.out.1` +retain1=`awk '/retained/ {print $3}' signer/signer.out.1` +drop1=`awk '/dropped/ {print $3}' signer/signer.out.1` +gen2=`awk '/generated/ {print $3}' signer/signer.out.2` +retain2=`awk '/retained/ {print $3}' signer/signer.out.2` +drop2=`awk '/dropped/ {print $3}' signer/signer.out.2` +[ "$retain2" -eq `expr "$gen1" + "$retain1"` ] || ret=1 +[ "$gen2" -eq 0 ] || ret=1 +[ "$drop2" -eq 0 ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:checking validated data are not cached longer than originalttl ($n)" ret=0 $DIG $DIGOPTS +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
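Review bot: The `( ... ) || ret=1` subshell only reports the exit status of its last command, so a failure of the first `$SIGNER` run is lost unless the second run happens to fail as well; add `|| exit 1` after `> signer.out.1 2>&1` so the first invocation's status propagates. The subsequent `[ ... -eq ... ]` lines do still trip `|| ret=1` when awk prints nothing, since `[` exits non-zero on a missing operand, but an explicit exit keeps the failure message attributable. `drop1` is computed and never used and could be dropped.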