diff --git a/lib/dnssec.c b/lib/dnssec.c
index eac2479d7353a7a7d9e2c3817670716b9ac01249..1dade8f9a3890b09527a7f71aa1bdc56ce2a28b2 100644
--- a/lib/dnssec.c
+++ b/lib/dnssec.c
@@ -251,10 +251,12 @@ int kr_dnskeys_trusted(const knot_pkt_t *pkt, knot_section_t section_id, const k
 	int ret = kr_error(KNOT_DNSSEC_ENOKEY);
 	for (uint16_t i = 0; i < keys->rrs.rr_count; ++i) {
 		/* RFC4035 5.3.1, bullet 8 */ /* ZSK */
-		if (!(knot_dnskey_flags(&keys->rrs, i) & 0x0100)) {
+		const knot_rdata_t *krr = knot_rdataset_at(&keys->rrs, i);
+		const uint8_t *key_data = knot_rdata_data(krr);
+		if (!kr_dnssec_key_ksk(key_data) && !kr_dnssec_key_revoked(key_data)) {
 			continue;
 		}
-		const knot_rdata_t *krr = knot_rdataset_at(&keys->rrs, i);
+		
 		struct dseckey *key;
 		if (kr_dnssec_key_from_rdata(&key, krr, keys->owner) != 0) {
 			continue;
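Review bot: The new condition on the `kr_dnssec_key_ksk`/`kr_dnssec_key_revoked` line skips a key only when it is neither a KSK nor revoked, so any key for which `kr_dnssec_key_revoked` returns true always proceeds to `kr_dnssec_key_from_rdata` as a trust candidate, even without SEP. RFC 5011 says a key seen with the REVOKE bit must no longer be used as a trust anchor, so if exclusion is the intent the test should read `if (!kr_dnssec_key_ksk(key_data) || kr_dnssec_key_revoked(key_data)) {`. If letting revoked keys through is deliberate, add a comment naming the later check that rejects them, because the rest of the loop body lies outside this hunk. The `/* RFC4035 5.3.1, bullet 8 */ /* ZSK */` comment is also stale: the removed line tested the Zone Key bit `0x0100`, and it is not visible here whether `kr_dnssec_key_ksk` still requires that bit.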
diff --git a/lib/dnssec.h b/lib/dnssec.h
index 0678a82148cc04f436c37a8a6733bbf19831eb5c..50caf7ac8362a2a477b4cbca18d4fc292b8b92e0 100644
--- a/lib/dnssec.h
+++ b/lib/dnssec.h
@@ -88,6 +88,12 @@ int kr_dnskeys_trusted(const knot_pkt_t *pkt, knot_section_t section_id, const k
                        const knot_rrset_t *ta, const knot_dname_t *zone_name, uint32_t timestamp,
                        bool has_nsec3);
 
+/** Return true if the DNSKEY indicates being KSK (=> has SEP).  */
+bool kr_dnssec_key_ksk(const uint8_t *dnskey_rdata);
+
+/** Return true if the DNSKEY is revoked. */
+bool kr_dnssec_key_revoked(const uint8_t *dnskey_rdata);
+
 /**
  * Construct a DNSSEC key.
  * @param key    Pointer to be set to newly created DNSSEC key.
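Review bot: Both new declarations take a bare `const uint8_t *dnskey_rdata` with no length, and the doc comments do not state how many bytes the pointer must cover or which flag bits are tested. Assuming the helpers read only the DNSKEY flags field, the comment should say so, e.g. `@param dnskey_rdata DNSKEY RDATA in wire format; caller guarantees at least the 2-byte flags field is present`. It should also spell out whether `kr_dnssec_key_ksk` requires the Zone Key bit as well as SEP, since "KSK (=> has SEP)" leaves that open. The caller in lib/dnssec.c passes `knot_rdata_data(krr)` without checking the RDATA length, so this precondition is worth making explicit for records that come from the wire.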