diff --git a/CHANGES b/CHANGES
index 9ebc7a9a24..1c0469ec8c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2838.	[bug]		A KSK revoked by named could not be deleted.
+			[RT #20881]
+
 2837.	[port]		Prevent Linux spurious warnings about fwrite().
 			[RT #20812]
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 6509a89c25..db63291a9c 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.117 2009/12/18 23:49:03 tbox Exp $
+ * $Id: dnssec.c,v 1.118 2010/01/13 08:35:24 fdupont Exp $
  */
 
 /*! \file */
@@ -1449,6 +1449,33 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 					  DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
 					  directory, mctx, &privkey);
 
+		/*
+		 * If the key was revoked and the private file
+		 * doesn't exist, maybe it was revoked internally
+		 * by named. Try loading the unrevoked version.
+		 */
+		if (result == ISC_R_FILENOTFOUND) {
+			isc_uint32_t flags;
+			flags = dst_key_flags(pubkey);
+			if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
+				dst_key_setflags(pubkey,
+						 flags & ~DNS_KEYFLAG_REVOKE);
+				result = dst_key_fromfile(dst_key_name(pubkey),
+							  dst_key_id(pubkey),
+							  dst_key_alg(pubkey),
+							  DST_TYPE_PUBLIC|
+							  DST_TYPE_PRIVATE,
+							  directory,
+							  mctx, &privkey);
+				if (result == ISC_R_SUCCESS &&
+				    dst_key_pubcompare(pubkey, privkey,
+						       ISC_FALSE)) {
+					dst_key_setflags(privkey, flags);
+				}
+				dst_key_setflags(pubkey, flags);
+			}
+		}
+
 		if (result != ISC_R_SUCCESS) {
 			char keybuf[DNS_NAME_FORMATSIZE];
 			char algbuf[DNS_SECALG_FORMATSIZE];
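Review bot: In the dnssec.c hunk at line 1449, when the second `dst_key_fromfile` succeeds but `dst_key_pubcompare(pubkey, privkey, ISC_FALSE)` returns false, `result` stays `ISC_R_SUCCESS` and the code falls through past the `if (result != ISC_R_SUCCESS)` check with a private key that does not match the published DNSKEY and never had its REVOKE flag restored; a key whose public part does not match the zone's DNSKEY should be rejected, not silently used for signing. The mismatch branch should free the loaded key and restore the original failure so the caller takes the existing error path. It is also worth confirming that `dst_key_id(pubkey)` returns the unrevoked tag once the flag is cleared; if the id is cached from the revoked rdata, the retry names the same missing file and the fallback never fires. The enclosing function `dns_dnssec_keylistfromrdataset` starts before and continues past this hunk.
```c
				if (result == ISC_R_SUCCESS) {
					if (dst_key_pubcompare(pubkey, privkey,
							       ISC_FALSE)) {
						dst_key_setflags(privkey, flags);
					} else {
						/* Wrong key on disk: reject it. */
						dst_key_free(&privkey);
						result = ISC_R_FILENOTFOUND;
					}
				}
				dst_key_setflags(pubkey, flags);
				/* … unchanged: error reporting below … */
```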