diff --git a/doc/man/keymgr.8in b/doc/man/keymgr.8in
index e17f85bd97f74204e583336fcda2badf83baa7de..f089af49e187c949668429c62c9458d4665246be 100644
--- a/doc/man/keymgr.8in
+++ b/doc/man/keymgr.8in
@@ -149,13 +149,15 @@ utilities.
 .INDENT 0.0
 .TP
 \fBzone\fP \fBkey\fP \fBlist\fP \fIzone\-name\fP [\fBfilter\fP [\fBfilter\fP]]
-List key IDs and tags of zone keys. The \fBfilter\fP can be a key tag, a key ID prefix, a key state (active, published, retired, removed) or ksk/zsk. Key state and ksk/zsk combination is possible, also these filters require \(aq+\(aq prefix.
+List key IDs and tags of zone keys. The \fBfilter\fP can be a key tag, a key ID prefix, a key state (active, published, retired, removed) or ksk/zsk. Key state and ksk/zsk combination is possible.
+Use these key state and ksk/zsk with prefix \(aq+\(aq (\(aq+ksk\(aq, \(aq+active\(aq).
 .TP
 \fBzone\fP \fBkey\fP \fBshow\fP \fIzone\-name\fP \fIkey\fP
 Show zone key details. The \fIkey\fP can be a key tag or a key ID prefix.
 .TP
 \fBzone\fP \fBkey\fP \fBds\fP \fIzone\-name\fP \fIfilter\fP
-Show DS records for a zone key. The \fIfilter\fP can be a key tag, a key ID prefix or state with \(aq+\(aq prefix (limited to active and published ksk).
+Show DS records for a zone key. The \fIfilter\fP can be a key tag, a key ID prefix or key state (limited to active and published ksk).
+Use these key state as \(aq+active\(aq or \(aq+published\(aq.
 .TP
 \fBzone\fP \fBkey\fP \fBgenerate\fP \fIzone\-name\fP [\fIkey\-parameter\fP\&...]
 Generate a new key for a zone.
diff --git a/doc/man_keymgr.rst b/doc/man_keymgr.rst
index 4c690b659577d2382c9edc14af473fff8ff640f6..4101bbbacbd85fb67deffdccde5d3d1a31f1ecc7 100644
--- a/doc/man_keymgr.rst
+++ b/doc/man_keymgr.rst
@@ -119,13 +119,15 @@ zone commands
 .............
 
 **zone** **key** **list** *zone-name* [**filter** [**filter**]]
-  List key IDs and tags of zone keys. The **filter** can be a key tag, a key ID prefix, a key state (active, published, retired, removed) or ksk/zsk. Key state and ksk/zsk combination is possible, also these filters require '+' prefix.
+  List key IDs and tags of zone keys. The **filter** can be a key tag, a key ID prefix, a key state (active, published, retired, removed) or ksk/zsk. Key state and ksk/zsk combination is possible.
+  Use these key state and ksk/zsk with prefix '+' ('+ksk', '+active').
 
 **zone** **key** **show** *zone-name* *key*
   Show zone key details. The *key* can be a key tag or a key ID prefix.
 
 **zone** **key** **ds** *zone-name* *filter*
-  Show DS records for a zone key. The *filter* can be a key tag, a key ID prefix or state with '+' prefix (limited to active and published ksk).
+  Show DS records for a zone key. The *filter* can be a key tag, a key ID prefix or key state (limited to active and published ksk).
+  Use these key state as '+active' or '+published'.
 
 **zone** **key** **generate** *zone-name* [*key-parameter*...]
   Generate a new key for a zone.
diff --git a/src/dnssec/lib/event/keystate.c b/src/dnssec/lib/event/keystate.c
index 31185c92cdbdbcdf0f61d7a0c41612513cad497a..9eaef4d83cf0a8dbfa93beaef96a13e5dfa351e9 100644
--- a/src/dnssec/lib/event/keystate.c
+++ b/src/dnssec/lib/event/keystate.c
@@ -25,8 +25,10 @@
 _public_
 key_state_t get_key_state(const dnssec_kasp_key_t *key, time_t moment)
 {
-	assert(key);
-	assert(time > 0);
+	if (!key || time <= 0)
+	{
+		return DNSSEC_KEY_STATE_INVALID;
+	}
 
 	/*
 	 * The meaning of unset timing parameter is different for key
diff --git a/src/dnssec/tests/event_keystate.c b/src/dnssec/tests/event_keystate.c
index da0efb9c8eb9f709e3ef659169211ebe59ebcc31..6ae47217408de620927abb97c406047aa834abb2 100644
--- a/src/dnssec/tests/event_keystate.c
+++ b/src/dnssec/tests/event_keystate.c
@@ -17,7 +17,7 @@
 #include <tap/basic.h>
 #include <string.h>
 
-#include "event/keystate.h"
+#include "dnssec/keystate.h"
 
 #define PAST   1426852710
 #define NOW    1426852711
diff --git a/src/utils/keymgr/keymgr.c b/src/utils/keymgr/keymgr.c
index a2995728a9fb61e3a46a3010306fa30b8ae2b1bf..cea54a6a6279e4c1d894f01f5ded26de6f0458a9 100644
--- a/src/utils/keymgr/keymgr.c
+++ b/src/utils/keymgr/keymgr.c
@@ -48,6 +48,9 @@
 
 #define MANUAL_POLICY "default_manual"
 
+static const uint16_t DNSKEY_FLAGS_KSK = 257;
+static const uint16_t DNSKEY_FLAGS_ZSK = 256;
+
 /* -- global options ------------------------------------------------------- */
 
 static options_t options = { 0 };
@@ -328,19 +331,26 @@ static int print_list(dnssec_list_t *list, const char *filter,
 static int print_list_filtered(dnssec_list_t *list, const char *filter1, const char *filter2, list_print_cb print)
 {
 	assert(list);
+	// TODO: error if only one is valid filter when both filters defined
 	key_state_t state = str_to_keystate(filter1);
 	if (state == DNSSEC_KEY_STATE_INVALID) {
-	state = str_to_keystate(filter2);
+		state = str_to_keystate(filter2);
 	}
 	uint16_t flag;
+
 	if ((filter1 && strcmp(filter1, "+ksk") == 0) || (filter2 && strcmp(filter2, "+ksk") == 0)) {
-		flag = 257;
+		flag = DNSKEY_FLAGS_KSK;
 	} else if ((filter1 && strcmp(filter1, "+zsk") == 0) || (filter2 && strcmp(filter2, "+zsk") == 0)) {
-		flag = 256;
+		flag = DNSKEY_FLAGS_ZSK;
 	} else {
 		flag = 0;
 	}
 
+	if (state == DNSSEC_KEY_STATE_INVALID && flag == 0)
+	{
+		return DNSSEC_ERROR;
+	}
+
 	int found = 0;
 	time_t current = time(NULL);
 	dnssec_list_foreach(item, list) {
@@ -924,6 +934,11 @@ static int cmd_zone_key_list(int argc, char *argv[])
 	dnssec_list_t *zone_keys = dnssec_kasp_zone_get_keys(zone);
 	int count = print_list_filtered(zone_keys, filter1, filter2, item_print_key);
 	if (count < 0) { // Look only if filter isnt state
+		if ((filter1 && filter1[0] == '+') || filter2)
+		{
+			error("Invalid filter.");
+			return 1;
+		}
 		count = print_list(zone_keys, filter1, item_match_key, item_print_key);
 	}
 	if (count == 0) {
@@ -1053,6 +1068,10 @@ static int cmd_zone_key_ds(int argc, char *argv[])
 
 	key_state_t state = str_to_keystate(key_name);
 	if (state == DNSSEC_KEY_STATE_INVALID) {
+		if (key_name[0] == '+') {
+			error("Wrong filter");
+			return 1;
+		}
 		int r = search_unique_key(keys, key_name, &key);
 		if (r != DNSSEC_EOK) {
 			return 1;
@@ -1066,7 +1085,7 @@ static int cmd_zone_key_ds(int argc, char *argv[])
 			key = dnssec_item_get(item);
 			uint16_t flags = dnssec_key_get_flags(key->key);
 			const void *value = dnssec_item_get(item);
-			if (get_key_state(key, current) == state && flags == 257) {
+			if (get_key_state(key, current) == state && flags == DNSKEY_FLAGS_KSK) {
 				item_print_key(value);
 				for (const dnssec_key_digest_t *d = digests; *d != 0; d++) {
 					create_and_print_ds(key->key, *d);
@@ -1075,6 +1094,7 @@ static int cmd_zone_key_ds(int argc, char *argv[])
 		}
 	} else { // if onther state than active or published
 		error("Wrong filter.");
+		return 1;
 	}
 
 	return 0;
@@ -1174,7 +1194,7 @@ static int cmd_zone_key_generate(int argc, char *argv[])
 		return 1;
 	}
 
-	uint16_t flags = config.is_ksk ? 257 : 256;
+	uint16_t flags = config.is_ksk ? DNSKEY_FLAGS_KSK : DNSKEY_FLAGS_ZSK;
 
 	dnssec_key_t *dnskey = NULL;
 	dnssec_key_new(&dnskey);