diff --git a/src/knot/dnssec/zone-keys.c b/src/knot/dnssec/zone-keys.c
index f67f6c3db46e12bd4346a11e93b8c1d5af75bc5c..f21660553c90ae85f56b4c263e57d3f693446c49 100644
--- a/src/knot/dnssec/zone-keys.c
+++ b/src/knot/dnssec/zone-keys.c
@@ -98,6 +98,7 @@ static void set_zone_key_flags(const knot_key_params_t *params,
 	key->next_event = next_event;
 
 	key->is_ksk = params->flags & KNOT_RDATA_DNSKEY_FLAG_KSK;
+	key->is_zsk = !key->is_ksk;
 
 	key->is_active = params->time_activate <= now &&
 	                 (params->time_inactive == 0 || now < params->time_inactive);
@@ -134,11 +135,8 @@ static int check_keys_validity(const knot_zone_keys_t *keys)
 
 			// need fully enabled ZSK and KSK for each algorithm
 			if (key->is_active) {
-				if (key->is_ksk) {
-					algorithms[a].ksk_enabled = true;
-				} else {
-					algorithms[a].zsk_enabled = true;
-				}
+				if (key->is_ksk) { algorithms[a].ksk_enabled = true; }
+				if (key->is_zsk) { algorithms[a].zsk_enabled = true; }
 			}
 		}
 	}
diff --git a/src/knot/dnssec/zone-keys.h b/src/knot/dnssec/zone-keys.h
index e1c22e2e72411a8362c277f1b01e28ee241c88b4..ff40be60d92f0a5968f787917d48a00ed2017a31 100644
--- a/src/knot/dnssec/zone-keys.h
+++ b/src/knot/dnssec/zone-keys.h
@@ -40,7 +40,8 @@ typedef struct {
 	knot_dnssec_key_t dnssec_key;
 	knot_dnssec_sign_context_t *context;
 	uint32_t next_event;                 //!< Timestamp of next key event.
-	bool is_ksk;                         //!< Is KSK key.
+	bool is_ksk;                         //!< Is key-signing.
+	bool is_zsk;                         //!< Is zone-signing.
 	bool is_public;                      //!< Currently in zone.
 	bool is_active;                      //!< Currently used for signing.
 } knot_zone_key_t;
diff --git a/src/knot/dnssec/zone-sign.c b/src/knot/dnssec/zone-sign.c
index 63438f9207dea4b5b6ddb178f61cfe64be9c7a0e..75c5572c228623e229528a73de5bfd55491d95df 100644
--- a/src/knot/dnssec/zone-sign.c
+++ b/src/knot/dnssec/zone-sign.c
@@ -110,18 +110,10 @@ static bool use_key(const knot_zone_key_t *key, const knot_rrset_t *covered)
 		return false;
 	}
 
-	if (key->is_ksk) {
-		if (covered->type != KNOT_RRTYPE_DNSKEY) {
-			return false;
-		}
+	bool is_zone_key = covered->type == KNOT_RRTYPE_DNSKEY &&
+	                   knot_dname_is_equal(key->dnssec_key.name, covered->owner);
 
-		// use KSK only in the zone apex
-		if (!knot_dname_is_equal(key->dnssec_key.name, covered->owner)) {
-			return false;
-		}
-	}
-
-	return true;
+	return (key->is_ksk && is_zone_key) || (key->is_zsk && !is_zone_key);
 }
 
 /*!