named ignores a DNSKEY RRset received in an RFC 5011 refresh response if
there is a non-expired, validated version of that DNSKEY RRset available
in the cache.  In other words, any changes published on the
authoritative servers for a given trust point (e.g. adding new keys,
revoking ones already published) are not acted upon by named until the
TTL of the relevant cache entry expires.