Correct way to change DNSKEY TTL in inline-signed, auto-dnssec zone?

Jan-Piet Mens list at mens.de
Sun Dec 18 12:35:28 UTC 2022


I'm stumped. I have a zone which had a default $TTL of 86400 and I want to
reduce it to 3600. This is normally not a problem, but the TTL of the DNSKEY
RRset won't budge from 86400.

What is the correct method to change a zone's DNSKEY TTL when it's already been
signed with inline-signing yes; auto-dnssec maintain; ?

zone "udp53.org." IN {
         type primary;
         file "udp53.org";

         dnssec-dnskey-kskonly yes;
         inline-signing yes;
         auto-dnssec maintain;

         update-policy {
                 grant local-ddns zonesub ANY;
         };
};

I've tried changing the zone's default $TTL with a freeze/edit/thaw dance
followed by `rndc loadkeys' and `rndc sign', but that doesn't alter the zone's
DNSKEY TTL.  I thought maybe $TTL would be the problem, so I set the SOA TTL
explicitly and redid the dance; no change.

Then I used `dnssec-settime -L' to change the TTL in the .key file (and
verified the TTL was actually set there), but none of `rndc sign zone',
`rndc loadkeys', or freeze/edit/thaw causes the new TTL to be published in the
DNSKEY RR.

I've not found an issue in BIND gitlab, and none of the solutions in a 2016
thread by somebody who had the same problem seem sane. (One of the ideas by a
person whose name I won't mention I think suggested editing the signed zone
file ;)

I think the only way I'll be able to solve this is to stop the daemon, remove
the *.signed* files, and restart to have the signer kick off anew.

Is there something else I can try? I'm out of ideas.

	-JP
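An added example, not part of JP's post and not BIND's own tooling: a small POSIX shell check for exactly the symptom described above, i.e. confirming whether the DNSKEY RRset a server actually publishes carries the intended TTL after a freeze/edit/thaw, `rndc loadkeys' or `rndc sign' cycle. The function names (`dnskey_ttls', `check_dnskey_ttl') are my own, and the DNSKEY records embedded below are constructed sample data in dig's default presentation format, not real udp53.org keys. In practice the input would come from `dig +noall +answer DNSKEY udp53.org @<server>' (without +multiline, so each RR stays on one line).

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): verify the TTL that
# a zone's published DNSKEY RRset actually carries.
# Input: DNSKEY records in one-line presentation format, as printed by
#   dig +noall +answer DNSKEY udp53.org @<server>
# The records below are CONSTRUCTED sample data; the key material is fake.

SAMPLE_DNSKEY='udp53.org. 86400 IN DNSKEY 257 3 13 EXAMPLEKSKPUBLICKEYBASE64==
udp53.org. 86400 IN DNSKEY 256 3 13 EXAMPLEZSKPUBLICKEYBASE64=='

# Print the distinct TTL values found on DNSKEY records, one per line.
# Only lines whose class/type fields are "IN DNSKEY" are considered, so
# comments, RRSIGs and other record types in the same output are ignored.
dnskey_ttls() {
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "DNSKEY" { print $2 }' | sort -u
}

# Succeed (return 0) only if every DNSKEY record carries the expected TTL.
# Returns 1 on a mismatch, 2 if no DNSKEY records were found at all.
# Usage: check_dnskey_ttl <expected-ttl> "<dnskey records>"
check_dnskey_ttl() {
    expected=$1
    records=$2
    found=$(dnskey_ttls "$records")
    if [ -z "$found" ]; then
        echo "no DNSKEY records found in input" >&2
        return 2
    fi
    status=0
    for ttl in $found; do
        if [ "$ttl" != "$expected" ]; then
            echo "DNSKEY TTL is $ttl, expected $expected" >&2
            status=1
        fi
    done
    return $status
}

# Stand-alone run against the constructed sample, which still shows the old
# 86400 TTL, so this reports that the change has not taken effect.
if check_dnskey_ttl 3600 "$SAMPLE_DNSKEY"; then
    echo "DNSKEY TTL is 3600 as expected"
else
    echo "DNSKEY TTL has not changed yet"
fi
```

To run it against a live server, replace the sample with the dig output, e.g. `check_dnskey_ttl 3600 "$(dig +noall +answer DNSKEY udp53.org @127.0.0.1)"'; querying the authoritative server directly (rather than a resolver) avoids seeing a cached, already-decremented TTL and misreading it as a change.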
