diff --git a/CHANGES b/CHANGES
index 466cdab47a..287b83ea66 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 recursion was requested by the client, not on whether recursion was available. [GL #963]
+5209. [bug] When update-check-ksk is true, add_sigs was not
+ considering offline keys, leaving record sets signed
+ with the incorrect type key. [GL #763]
+
 5208. [test] Run valid rdata wire encodings through totext+fromtext and tofmttext+fromtext methods to check these methods. [GL #899]
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index f1d61771ac..2131daa14c 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -8869,9 +8869,6 @@ zone_sign(dns_zone_t *zone) {
 if (!dst_key_isprivate(zone_keys[i])) {
 continue;
 }
- /*
- * Should be redundant.
- */
 if (dst_key_inactive(zone_keys[i])) {
 continue;
 }
@@ -8915,11 +8912,10 @@ zone_sign(dns_zone_t *zone) {
 {
 continue;
 }
- if (!dst_key_isprivate(zone_keys[j])) {
- continue;
- }
- /*
- * Should be redundant.
+ /* Don't consider inactive keys, however
+ * the key may be temporary offline, so do
+ * consider keys which private key files are
+ * unavailable.
 */
 if (dst_key_inactive(zone_keys[j])) {
 continue;
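Review bot: In the inner loop over `zone_keys[j]`, dropping the `dst_key_isprivate()` test leaves `dst_key_inactive()` as the only filter, so a key whose private key file is permanently missing but whose metadata still marks it active is counted exactly like one that is temporarily offline; the new comment should say that this is intended. Suggested wording: `/* Skip inactive keys only. A key whose private key file is unavailable may be temporarily offline, so it still counts as present. */`, which also fixes "temporary offline" and "keys which private key files". The outer-loop hunk keeps its `dst_key_isprivate(zone_keys[i])` test, and a one-line comment there explaining why key i needs private material while key j does not (presumably because only key i signs) would make the asymmetry read as deliberate. Both loop bodies and the code that consumes their result lie outside the hunks, so the effect on which record sets get signed is inferred from the CHANGES entry; that entry names add_sigs while both visible zone.c hunks are in zone_sign, which is worth reconciling.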