diff --git a/src/knot/dnssec/key-events.c b/src/knot/dnssec/key-events.c
index 1401ac562fce777b692b769c4afeaf21975b10f4..db762b629ae347d0895705fdebc71037bc370eb4 100644
--- a/src/knot/dnssec/key-events.c
+++ b/src/knot/dnssec/key-events.c
@@ -429,7 +429,9 @@ static roll_action_t next_action(kdnssec_ctx_t *ctx, zone_sign_roll_flags_t flag
 		    (key->is_zsk && !(flags & KEY_ROLL_ALLOW_ZSK_ROLL))) {
 			continue;
 		}
-		clear_future_timers(key, ctx);
+		if (!(flags & KEY_ROLL_PRESERVE_FUTURE)) {
+			clear_future_timers(key, ctx);
+		}
 		if (key->is_ksk) {
 			switch (get_key_state(key, ctx->now)) {
 			case DNSSEC_KEY_STATE_PRE_ACTIVE:
diff --git a/src/knot/dnssec/zone-events.h b/src/knot/dnssec/zone-events.h
index 3215fa2644ce8285f24d7b972a2b413a455a83c6..2f756142e50b3de76cee875b151b7124e176a87f 100644
--- a/src/knot/dnssec/zone-events.h
+++ b/src/knot/dnssec/zone-events.h
@@ -36,7 +36,8 @@ typedef enum {
 	KEY_ROLL_ALLOW_NSEC3RESALT = (1 << 4),
 	KEY_ROLL_ALLOW_ALL         = KEY_ROLL_ALLOW_KSK_ROLL |
 	                             KEY_ROLL_ALLOW_ZSK_ROLL |
-	                             KEY_ROLL_ALLOW_NSEC3RESALT
+	                             KEY_ROLL_ALLOW_NSEC3RESALT,
+	KEY_ROLL_PRESERVE_FUTURE   = (1 << 5),
 } zone_sign_roll_flags_t;
 
 typedef struct {
diff --git a/src/utils/keymgr/offline_ksk.c b/src/utils/keymgr/offline_ksk.c
index ab13d51990781f6699cf06e4440af213e89f2c22..05b2d2b3e3191064745e2aeeb6937660220b5512 100644
--- a/src/utils/keymgr/offline_ksk.c
+++ b/src/utils/keymgr/offline_ksk.c
@@ -40,7 +40,7 @@ static int pregenerate_once(kdnssec_ctx_t *ctx, knot_time_t *next)
 	memset(ctx->stats, 0, sizeof(*ctx->stats));
 
 	// generate ZSKs
-	int ret = knot_dnssec_key_rollover(ctx, KEY_ROLL_ALLOW_ZSK_ROLL, &resch);
+	int ret = knot_dnssec_key_rollover(ctx, KEY_ROLL_ALLOW_ZSK_ROLL | KEY_ROLL_PRESERVE_FUTURE, &resch);
 	if (ret != KNOT_EOK) {
 		ERR2("key rollover failed");
 		return ret;
diff --git a/tests-extra/tests/dnssec/offline_ksk2/test.py b/tests-extra/tests/dnssec/offline_ksk2/test.py
index b052b6e37044416f61a0718127a87e26f5446d8e..587e5435e1f65bbdabb83a365283fa7937ae3d8a 100644
--- a/tests-extra/tests/dnssec/offline_ksk2/test.py
+++ b/tests-extra/tests/dnssec/offline_ksk2/test.py
@@ -95,6 +95,12 @@ KSR = knot.keydir + "/ksr"
 SKR = knot.keydir + "/skr"
 SKR_BROKEN = SKR + "_broken"
 Keymgr.run_check(knot.confile, ZONE, "pregenerate", "+20", "+" + str(FUTURE))
+t.sleep(1)
+Keymgr.run_check(knot.confile, ZONE, "pregenerate", "+20", "+" + str(FUTURE))
+_, out, _ = Keymgr.run_check(knot.confile, ZONE, "list")
+if out.count("created") != 2:
+    detail_log(out)
+    set_err("Pregenerated ZSKs: %d" % out.count("created"))
 _, out, _ = Keymgr.run_check(knot.confile, ZONE, "generate-ksr", "+0", "+" + str(FUTURE))
 writef(KSR, out)
 _, out, _ = Keymgr.run_check(signer.confile, ZONE, "sign-ksr", KSR)