Information
Each zone should have a unique Zone Signing Key (ZSK) and a unique Key Signing Key (KSK), each different from all other keys.
Rationale:
The ZSK typically has a shorter lifetime than the KSK, and should be distinct from the KSK as well as from the keys used for other zones. If a private key is compromised, the damage is then limited to the single key that was disclosed, rather than compromising multiple zones.
Solution
To remediate a duplicate key, perform the following:
Generate a new key to replace the duplicate key using dnssec-keygen and one of the recommended algorithms. An example command is shown below:
# dnssec-keygen -a ECDSAP256SHA256 example.org
Implement a rollover period to phase out the duplicate key and replace it with the newly generated key.
Once the key is fully removed from active use, delete the key file.
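The remediation above assumes you already know which key is duplicated. The following script is an added example (it is not part of this benchmark text) that locates the problem in the first place: it reads every BIND key file in a directory and reports DNSKEY material that is shared between zones, or reused as both KSK and ZSK. It assumes dnssec-keygen's default file naming (Kzone.+alg+id.key) and the standard .key file layout (comment lines starting with ';' followed by one DNSKEY RR); the key files it creates for its own demonstration are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: find DNSKEY material that is
# shared between zones (or reused as both KSK and ZSK) in a BIND key directory.
set -eu

# find_duplicate_keys DIR
# Prints "DUPLICATE <alg>:<pubkey-prefix>..." followed by every zone/key file
# that carries the same public key. Exit status is 1 if a duplicate is found,
# 0 otherwise, so it can gate an audit or CI job.
find_duplicate_keys() {
    keydir="$1"
    for f in "$keydir"/K*.key; do
        [ -e "$f" ] || continue
        # RR layout: owner [TTL] [IN] DNSKEY flags proto alg base64...
        # Locate the DNSKEY field so an optional TTL does not shift the parse;
        # RSA keys wrap the base64 across several fields, so join them all.
        grep -v '^;' "$f" | awk -v file="$f" '
            {
                for (i = 1; i <= NF; i++) if ($i == "DNSKEY") break
                if (i > NF) next
                pub = ""
                for (j = i + 4; j <= NF; j++) pub = pub $j
                printf "%s:%s\t%s flags=%s (%s)\n", $(i+3), pub, $1, $(i+1), file
            }'
    done | awk -F '\t' '
        {
            n[$1]++
            users[$1] = users[$1] "\n  " $2
        }
        END {
            dups = 0
            for (k in n) if (n[k] > 1) {
                dups++
                print "DUPLICATE " substr(k, 1, 24) "..." users[k]
            }
            exit (dups > 0)
        }'
}

# make_sample_keydir
# Builds a temporary directory of constructed key files (placeholder material,
# not real keys) in which example.org and example.net share one ZSK, then
# prints the directory path.
make_sample_keydir() {
    d=$(mktemp -d)
    zsk='AAAAconstructedZSKmaterialNotARealKey00000000000000000000000000000000000000000000='
    ksk='BBBBconstructedKSKmaterialNotARealKey00000000000000000000000000000000000000000000='
    other='CCCCconstructedKSKmaterialNotARealKey0000000000000000000000000000000000000000000='
    printf '; constructed KSK for example.org\nexample.org. IN DNSKEY 257 3 13 %s\n' "$ksk" \
        > "$d/Kexample.org.+013+11111.key"
    printf '; constructed ZSK for example.org\nexample.org. IN DNSKEY 256 3 13 %s\n' "$zsk" \
        > "$d/Kexample.org.+013+22222.key"
    printf '; constructed ZSK copied into example.net (the finding)\nexample.net. 3600 IN DNSKEY 256 3 13 %s\n' "$zsk" \
        > "$d/Kexample.net.+013+22222.key"
    printf '; constructed KSK for example.net\nexample.net. IN DNSKEY 257 3 13 %s\n' "$other" \
        > "$d/Kexample.net.+013+33333.key"
    echo "$d"
}

# Usage: sh find_dup_keys.sh /path/to/bind/keys
if [ $# -ge 1 ]; then
    find_duplicate_keys "$1"
fi
```

Run it against the directory named by your named.conf `key-directory` (or the per-zone directories, if you keep one per zone). Matching is done on algorithm plus public-key material rather than on the key tag, because the tag is only a 16-bit checksum and two distinct keys can share one. Any key the script lists is the one to retire through the rollover described above; once it is out of use, delete the file and run the check again to confirm the directory is clean.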