diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index e9ab2a866a..935d989c4d 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -1463,6 +1463,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 static isc_result_t
 keymgr_update(dns_dnsseckeylist_t *keyring, dns_kasp_t *kasp, isc_stdtime_t now,
 isc_stdtime_t *nexttime, uint8_t opts) {
+ isc_result_t result = DNS_R_UNCHANGED;
 bool changed;
 bool force = ((opts & DNS_KEYMGRATTR_FORCESTEP) != 0);
@@ -1625,12 +1626,13 @@ transition:
 /* We changed something, continue processing. */
 if (changed) {
+ result = ISC_R_SUCCESS;
 /* No longer force for the next run */
 force = false;
 goto transition;
 }
- return ISC_R_SUCCESS;
+ return result;
 }
 /*
@@ -2121,7 +2123,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 dns_dnsseckeylist_t *dnskeys, const char *keydir,
 dns_kasp_t *kasp, uint8_t opts, isc_stdtime_t now,
 isc_stdtime_t *nexttime) {
- isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t result = DNS_R_UNCHANGED;
 dns_dnsseckeylist_t newkeys;
 int numkeys = 0;
 int options = (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_STATE);
@@ -2314,7 +2316,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 }
 /* Read to update key states. */
- keymgr_update(keyring, kasp, now, nexttime, opts);
+ isc_result_t retval = keymgr_update(keyring, kasp, now, nexttime, opts);
 /* Store key states and update hints. */
 ISC_LIST_FOREACH(*keyring, dkey, link) {
@@ -2322,6 +2324,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 if (dst_key_getttl(dkey->key) != dns_kasp_dnskeyttl(kasp)) {
 dst_key_setttl(dkey->key, dns_kasp_dnskeyttl(kasp));
 modified = true;
+ retval = ISC_R_SUCCESS;
 }
 if (modified && !dkey->purge) {
 const char *directory = dst_key_directory(dkey->key);
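Review bot: keymgr_update's return value now carries a distinction the definition does not document — DNS_R_UNCHANGED when no key transitioned, ISC_R_SUCCESS once the `if (changed)` block in the hunk at 1625 has fired — and a reader of the signature at 1463 has no way to know that. Add above `static isc_result_t` a comment such as `/* Returns ISC_R_SUCCESS when at least one key changed state, DNS_R_UNCHANGED when this run changed nothing. */`. The body between the two hunks is outside view; any other `return` in it should be checked against this new contract, since only the final return was updated. The function continues past both hunks.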
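Review bot: dns_keymgr_run is a public function, and initialising `result` to DNS_R_UNCHANGED at 2123 changes its contract for every caller, not only zone_rekey: any caller that tests `result != ISC_R_SUCCESS` now treats a quiet run as a failure. The declaration in the header is not part of this diff and should document the new return value, and any other call sites (including tests) should be audited — zone.c is the only caller touched here. The function body continues past the hunk.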
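Review bot: `retval` at 2316 becomes ISC_R_SUCCESS only from keymgr_update's own transitions and from the DNSKEY TTL update in the following hunk at 2322; any other reason `modified` is already true when the loop body runs (it is initialised before this hunk, outside view) still rewrites the key file under `if (modified && !dkey->purge)` yet reports DNS_R_UNCHANGED to the caller. If such a rewrite can change what zone_rekey publishes, the apply in zone.c would be skipped for it. Either make the write itself the signal, `if (modified) { retval = ISC_R_SUCCESS; }` placed just before the `!dkey->purge` check, or add a comment at the `retval` declaration stating that only state transitions and TTL changes count as a change. The loop body continues past both hunks.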
@@ -2347,10 +2350,9 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 dst_key_setmodified(dkey->key, false);
 }
- result = ISC_R_SUCCESS;
-
+ result = retval;
 failure:
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED) {
 ISC_LIST_FOREACH(newkeys, newkey, link) {
 ISC_LIST_UNLINK(newkeys, newkey, link);
 INSIST(newkey->key != NULL);
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 2ccfe722ca..edd6f5d143 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -22233,6 +22233,7 @@ zone_rekey(dns_zone_t *zone) {
 bool newalg = false;
 bool fullsign;
 bool offlineksk = false;
+ bool kasp_change = false;
 uint8_t options = 0;
 uint32_t sigval = 0;
 dns_ttl_t ttl = 3600;
@@ -22468,7 +22469,11 @@ zone_rekey(dns_zone_t *zone) {
 kasp, options, now, &nexttime);
 dns_zone_unlock_keyfiles(zone);
- if (result != ISC_R_SUCCESS) {
+ if (result == ISC_R_SUCCESS) {
+ kasp_change = true;
+ } else if (result == DNS_R_UNCHANGED) {
+ result = ISC_R_SUCCESS;
+ } else {
 dnssec_log(zone, ISC_LOG_ERROR,
 "zone_rekey:dns_keymgr_run "
 "failed: %s",
@@ -22686,7 +22691,7 @@ zone_rekey(dns_zone_t *zone) {
 "allowed");
 }
- if (newactive || fullsign || sane_diff) {
+ if (newactive || fullsign || sane_diff || kasp_change) {
 CHECK(dns_diff_apply(&diff, db, ver));
 CHECK(clean_nsec3param(zone, db, ver, &diff));
 CHECK(add_signing_records(db, zone->privatetype, ver,
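Review bot: The cleanup guard at `failure:` now has to know that DNS_R_UNCHANGED is a successful outcome, and nothing at the label says so; a reader arriving via one of the earlier `goto failure` paths (outside the hunk) cannot tell which results are expected here. A comment on the guard, `/* DNS_R_UNCHANGED is a successful run that changed no key; only real errors discard newkeys. */`, would make that explicit. Since `result` is presumably what the function returns after this block, the comment should also confirm that DNS_R_UNCHANGED is passed through to the caller unchanged. The cleanup block continues past the hunk.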
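Review bot: `kasp_change` is set for every ISC_R_SUCCESS from dns_keymgr_run at 22469, and in the hunk at 22686 it forces `dns_diff_apply` and the following signing steps even when `newactive`, `fullsign` and `sane_diff` are all false; neither hunk says why a kasp change must bypass the `sane_diff` check. If `diff` can be empty at that point, the apply and whatever follows it outside the hunk (presumably a serial bump and journal write) would run on every such rekey, so confirm the diff is non-empty there unless an earlier check already guarantees it. A comment at the new condition such as `/* kasp_change: dns_keymgr_run changed key state or the DNSKEY TTL; apply even when the key set itself looks unchanged. */` would record the intent. The error branch and the CHECK sequence both continue past their hunks.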