diff --git a/bin/named/server.c b/bin/named/server.c
index 86ddf1b64a..db395e20ef 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -6559,7 +6559,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 /*
 * Ensure that zone keys are reloaded on reconfig
 */
- if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0) {
+ if (dns_zone_getkasp(zone) != NULL) {
 dns_zone_rekey(zone, fullsign);
 }
@@ -11983,7 +11983,6 @@ named_server_rekey(named_server_t *server, isc_lex_t *lex,
 isc_result_t result;
 dns_zone_t *zone = NULL;
 dns_zonetype_t type;
- uint16_t keyopts;
 bool fullsign = false;
 char *ptr;
@@ -12014,14 +12013,10 @@ named_server_rekey(named_server_t *server, isc_lex_t *lex,
 return DNS_R_NOTPRIMARY;
 }
- keyopts = dns_zone_getkeyopts(zone);
-
 /*
 * "rndc loadkeys" requires a "dnssec-policy".
 */
- if ((keyopts & DNS_ZONEKEY_ALLOW) == 0) {
- result = ISC_R_NOPERM;
- } else if ((keyopts & DNS_ZONEKEY_MAINTAIN) == 0 && !fullsign) {
+ if (dns_zone_getkasp(zone) == NULL) {
 result = ISC_R_NOPERM;
 } else {
 dns_zone_rekey(zone, fullsign);
@@ -14713,7 +14708,7 @@ named_server_zonestatus(named_server_t *server, isc_lex_t *lex,
 dns_zonetype_t zonetype;
 bool dynamic = false, frozen = false;
 bool hasraw = false;
- bool secure, maintain, allow;
+ bool secure, maintain;
 dns_db_t *db = NULL, *rawdb = NULL;
 char **incfiles = NULL;
 int nfiles = 0;
@@ -14770,8 +14765,7 @@ named_server_zonestatus(named_server_t *server, isc_lex_t *lex,
 /* Security */
 secure = dns_db_issecure(db);
- allow = ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_ALLOW) != 0);
- maintain = ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0);
+ maintain = (dns_zone_getkasp(zone) != NULL);
 /* Master files */
 file = dns_zone_getfile(mayberaw);
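Review bot: The comment kept above the new check in named_server_rekey, `"rndc loadkeys" requires a "dnssec-policy".`, is now stale: with the separate `DNS_ZONEKEY_MAINTAIN`/`!fullsign` branch gone, the single `dns_zone_getkasp(zone) == NULL` gate rejects `rndc sign` as well, so I'd change it to `/* Both "rndc loadkeys" and "rndc sign" require a "dnssec-policy". */`. This is behaviour-preserving only because zoneconf.c set DNS_ZONEKEY_ALLOW and DNS_ZONEKEY_MAINTAIN together whenever a kasp was configured (the block removed later in this diff), so "allowed but not maintained" was not a reachable state as far as this diff shows; that reasoning belongs in the commit message. The ISC_R_NOPERM result for the policy-less case is unchanged. named_server_rekey's body continues outside the hunk.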
@@ -14896,8 +14890,6 @@ named_server_zonestatus(named_server_t *server, isc_lex_t *lex,
 CHECK(putstr(text, "\nnext key event: "));
 CHECK(putstr(text, kbuf));
 }
- } else if (allow) {
- CHECK(putstr(text, "\nkey maintenance: on command"));
 } else if (secure || hasraw) {
 CHECK(putstr(text, "\nkey maintenance: none"));
 }
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 0e069b1309..a0fe793c6f 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1616,14 +1616,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 INSIST(result == ISC_R_SUCCESS && obj != NULL);
 CHECK(dns_zone_setrefreshkeyinterval(zone, cfg_obj_asuint32(obj)));
-
- if (kasp != NULL) {
- bool s2i = (strcmp(dns_kasp_getname(kasp),
- "insecure") != 0);
- dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true);
- dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, !s2i);
- dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true);
- }
 }
 if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) {
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index cb1b4b0773..dcf796f4c1 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -103,20 +103,10 @@ typedef enum {
 DNS_ZONEOPT_AUTOEMPTY = 1 << 29, /*%< automatic empty zone */
 DNS_ZONEOPT_CHECKSVCB = 1 << 30, /*%< check SVBC records */
 DNS_ZONEOPT_ZONEVERSION = 1U << 31, /*%< enable zoneversion */
+ DNS_ZONEOPT_FULLSIGN = 1ULL << 32, /*%< fully sign zone */
 DNS_ZONEOPT___MAX = UINT64_MAX, /* trick to make the ENUM 64-bit wide */
 } dns_zoneopt_t;
-/*
- * Zone key maintenance options
- */
-typedef enum {
- DNS_ZONEKEY_ALLOW = 0x00000001U, /*%< fetch keys on command */
- DNS_ZONEKEY_MAINTAIN = 0x00000002U, /*%< publish/sign on schedule */
- DNS_ZONEKEY_CREATE = 0x00000004U, /*%< make keys when needed */
- DNS_ZONEKEY_FULLSIGN = 0x00000008U, /*%< roll to new keys immediately */
- DNS_ZONEKEY___MAX = UINT64_MAX, /* trick to make the ENUM 64-bit wide */
-} dns_zonekey_t;
-
 /*
 * Zone states
 */
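Review bot: The deleted block in named_zone_configure was the only place in this path that looked at the policy name (`strcmp(dns_kasp_getname(kasp), "insecure")` feeding DNS_ZONEKEY_CREATE), and nothing in the diff replaces that distinction. Since DNS_ZONEKEY_CREATE is removed from the enum in the same commit no reader of it can remain, so this is presumably dead state, but the commit message should say explicitly that going-insecure handling now lives entirely in the kasp/keymgr layer, and a one-line comment at the deletion point, `/* Key maintenance is implied by a configured dnssec-policy; see dns_zone_getkasp(). */`, would stop the next reader from hunting for the flag. named_zone_configure's body continues on both sides of the hunk.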
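Review bot: `DNS_ZONEOPT_FULLSIGN` is the first option past bit 31 and, unlike its neighbours, is transient run-time state rather than configuration: the zone.c hunks set it from `rndc sign`/thaw and clear it in zone_rekey(). The tag `/*%< fully sign zone */` does not convey that; I'd write `/*%< transient: set by "rndc sign"/thaw, cleared by zone_rekey() */`. Because the flag now shares the `options` word, any holder of `dns_zone_getoptions()` that stores the value in a 32-bit type, or any code that rewrites the whole options word on reconfigure, would silently drop a pending full sign; those callers are not in this diff, so a grep before merging is warranted.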
@@ -762,25 +752,6 @@ dns_zone_getoptions(dns_zone_t *zone);
 *\li 'zone' to be a valid zone.
 */
-void
-dns_zone_setkeyopt(dns_zone_t *zone, unsigned int option, bool value);
-/*%<
- * Set key options on ('value' == true) or off ('value' ==
- * #false).
- *
- * Require:
- *\li 'zone' to be a valid zone.
- */
-unsigned int
-dns_zone_getkeyopts(dns_zone_t *zone);
-/*%<
- * Returns the current zone key options.
- *
- * Require:
- *\li 'zone' to be a valid zone.
- */
 void
 dns_zone_setminrefreshtime(dns_zone_t *zone, uint32_t val);
 /*%<
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 6e54a08644..edb2a9d12d 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -439,11 +439,6 @@ struct dns_zone {
 uint32_t nodes;
 dns_rdatatype_t privatetype;
- /*%
- * Autosigning/key-maintenance options
- */
- atomic_uint_fast64_t keyopts;
-
 /*%
 * True if added by "rndc addzone"
 */
@@ -589,11 +584,6 @@ typedef enum {
 #define DNS_ZONE_SETOPTION(z, o) atomic_fetch_or(&(z)->options, (o))
 #define DNS_ZONE_CLROPTION(z, o) atomic_fetch_and(&(z)->options, ~(o))
-#define DNS_ZONEKEY_OPTION(z, o) \
- ((atomic_load_relaxed(&(z)->keyopts) & (o)) != 0)
-#define DNS_ZONEKEY_SETOPTION(z, o) atomic_fetch_or(&(z)->keyopts, (o))
-#define DNS_ZONEKEY_CLROPTION(z, o) atomic_fetch_and(&(z)->keyopts, ~(o))
-
 /* Flags for zone_load() */
 typedef enum {
 DNS_ZONELOADFLAG_NOSTAT = 0x00000001U, /* Do not stat() master files */
@@ -2629,10 +2619,8 @@ dns_zone_loadandthaw(dns_zone_t *zone) {
 * have been made. If we do DNSSEC maintenance on this
 * zone, schedule a full sign for this zone.
 */
- if (zone->type == dns_zone_primary &&
- DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
- {
- DNS_ZONEKEY_SETOPTION(zone, DNS_ZONEKEY_FULLSIGN);
+ if (zone->type == dns_zone_primary && zone->kasp != NULL) {
+ DNS_ZONE_SETOPTION(zone, DNS_ZONEOPT_FULLSIGN);
 }
 result = zone_load(zone, DNS_ZONELOADFLAG_THAW, false);
 }
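Review bot: The dns_zone_loadandthaw hunk tests the `zone->kasp` field directly while the bin/named hunks test `dns_zone_getkasp(zone)`, and the two are not obviously interchangeable: the update.c change in this same diff has to add `&& !dns_zone_israw(zone)` beside `dns_zone_getkasp()`, which suggests the accessor can report a policy for the raw half of an inline-signed pair. If that is so, reading the field here is what keeps `rndc thaw` on a raw zone from scheduling a full sign of it, and that intent deserves stating, e.g. `/* zone->kasp, not dns_zone_getkasp(): never full-sign the raw half of an inline-signed zone. */` — confirm against dns_zone_getkasp() first. Also confirm the bare field read happens under LOCK_ZONE like the rest of dns_zone_loadandthaw(); the lock is outside the hunk.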
@@ -5444,9 +5432,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 /*
 * Schedule DNSSEC key refresh.
 */
- if (zone->type == dns_zone_primary &&
- DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
- {
+ if (zone->type == dns_zone_primary && zone->kasp != NULL) {
 zone->refreshkeytime = now;
 }
@@ -6049,7 +6035,7 @@ dns_zone_setdefaultkasp(dns_zone_t *zone, dns_kasp_t *kasp) {
 dns_kasp_t *
 dns_zone_getkasp(dns_zone_t *zone) {
- dns_kasp_t *kasp;
+ dns_kasp_t *kasp = NULL;
 REQUIRE(DNS_ZONE_VALID(zone));
@@ -6114,24 +6100,6 @@ dns_zone_getoptions(dns_zone_t *zone) {
 return atomic_load_relaxed(&zone->options);
 }
-void
-dns_zone_setkeyopt(dns_zone_t *zone, unsigned int keyopt, bool value) {
- REQUIRE(DNS_ZONE_VALID(zone));
- if (value) {
- DNS_ZONEKEY_SETOPTION(zone, keyopt);
- } else {
- DNS_ZONEKEY_CLROPTION(zone, keyopt);
- }
-}
-unsigned int
-dns_zone_getkeyopts(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return atomic_load_relaxed(&zone->keyopts);
-}
 void
 dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
 REQUIRE(DNS_ZONE_VALID(zone));
@@ -22171,7 +22139,7 @@ zone_rekey(dns_zone_t *zone) {
 * True when called from "rndc sign". Indicates the zone should be
 * fully signed now.
 */
- fullsign = DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN);
+ fullsign = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FULLSIGN);
 if (offlineksk) {
 /* Lookup the correct bundle in the SKR. */
@@ -22601,7 +22569,7 @@ zone_rekey(dns_zone_t *zone) {
 * Clear fullsign flag, if it was set, so we don't do
 * another full signing next time.
 */
- DNS_ZONEKEY_CLROPTION(zone, DNS_ZONEKEY_FULLSIGN);
+ DNS_ZONE_CLROPTION(zone, DNS_ZONEOPT_FULLSIGN);
 /*
 * Cause the zone to add/delete NSEC3 chains for the
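Review bot: In zone_rekey the flag is read into `fullsign` at the top (the 22139 hunk) and only cleared in the 22569 hunk several hundred lines later, so a `dns_zone_rekey(zone, true)` that lands in between is wiped by this unconditional `DNS_ZONE_CLROPTION` without ever having been honoured. The window existed with DNS_ZONEKEY_FULLSIGN too, so it is not introduced here, but moving the flag into the atomic `options` word is a natural moment to close it: clear only what this pass actually consumed, `if (fullsign) { DNS_ZONE_CLROPTION(zone, DNS_ZONEOPT_FULLSIGN); }`, so a request that arrived mid-pass presumably survives to the next one. If that is deliberately left as is, a comment noting the window is the minimum. zone_rekey() extends well beyond both hunks.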
@@ -22680,14 +22648,12 @@ zone_rekey(dns_zone_t *zone) {
 dnssec_log(zone, ISC_LOG_DEBUG(3), "next key event in %u seconds",
 nexttime_seconds);
 dnssec_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
- }
- /*
- * If we're doing key maintenance, set the key refresh timer to
- * the next scheduled key event or to 'dnssec-loadkeys-interval'
- * seconds in the future, whichever is sooner.
- */
- else if (DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
- {
+ } else {
+ /*
+ * If we're doing key maintenance, set the key refresh timer to
+ * the next scheduled key event or to 'dnssec-loadkeys-interval'
+ * seconds in the future, whichever is sooner.
+ */
 isc_time_t timethen;
 isc_stdtime_t then;
@@ -22804,7 +22770,7 @@ dns_zone_rekey(dns_zone_t *zone, bool fullsign) {
 LOCK_ZONE(zone);
 if (fullsign) {
- DNS_ZONEKEY_SETOPTION(zone, DNS_ZONEKEY_FULLSIGN);
+ DNS_ZONE_SETOPTION(zone, DNS_ZONEOPT_FULLSIGN);
 }
 now = isc_time_now();
diff --git a/lib/ns/update.c b/lib/ns/update.c
index f215805e41..e781e8cb7f 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -2693,8 +2693,8 @@ update_action(void *arg) {
 options = dns_zone_getoptions(zone);
 is_inline = (!dns_zone_israw(zone) && dns_zone_issecure(zone));
- is_maintain = ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0);
- is_signing = is_inline || (!is_inline && is_maintain);
+ is_maintain = (dns_zone_getkasp(zone) != NULL) && !dns_zone_israw(zone);
+ is_signing = is_inline || is_maintain;
 /*
 * Get old and new versions now that queryacl has been checked.
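Review bot: Replacing `else if (DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))` with a bare `else` in the 22648 hunk widens the branch: the key-refresh timer is now armed for every zone that reaches this point without a next key event, not only maintained ones. Every caller of dns_zone_rekey() visible in this diff is gated on a configured kasp, so the two are equivalent provided zone_rekey() is never entered otherwise, but its other entry points (the refresh timer and any callers outside this diff) are not shown. Keeping the old gate costs nothing and keeps the retained comment truthful: `} else if (zone->kasp != NULL) {`. zone_rekey() continues on both sides of the hunk.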
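Review bot: `is_maintain` in update_action is the only kasp test in this diff qualified with `!dns_zone_israw(zone)`; the bin/named call sites use a bare `dns_zone_getkasp(zone) != NULL`, so a reader will wonder why this one differs. Presumably dns_zone_getkasp() answers with the secure zone's policy when called on the raw zone (its body is not in the diff) and the raw half of an inline-signed pair must not be treated as self-maintaining; that deserves a comment, e.g. `/* dns_zone_getkasp() also answers for the raw side of an inline-signed zone; only the signed side maintains keys. */`. Note that `is_inline` already contains `!dns_zone_israw(zone)`, so `is_signing` is now false for every raw zone — fine if raw zones never carried DNS_ZONEKEY_MAINTAIN before, which the removed zoneconf.c block does not let me confirm. update_action() continues outside the hunk.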