I have a working DNSSEC name server. It runs on BIND 9.18 on recent Fedora. I have two keys (KSK, ZSK), my parent (DNS-wise) has a valid DS record and everything is fine. Really. The DNSSEC analyzers are happy with the setup too.
But then came this log message:
> 'auto-dnssec' option is deprecated and will be removed in BIND 9.19.
> Please migrate to dnssec-policy
I don't know if and when 9.19 will be pushed to updates. But I tried to be prepared and replaced this config (in the zone block):
```
auto-dnssec maintain;
inline-signing yes;
```
with:
```
dnssec-policy sk_policy;
inline-signing yes;
```
and the policy itself is defined in the top level config:
```
dnssec-policy "sk_policy" {
    keys {
        ksk key-directory lifetime unlimited algorithm ecdsa256;
        zsk key-directory lifetime unlimited algorithm ecdsa256;
        // zsk rollover postponed for later
        // zsk key-directory lifetime P90D algorithm ecdsa256;
    };
    nsec3param iterations 0 optout no salt-length 0;
    parent-ds-ttl PT1H;
};
```
but every 10 minutes the server logs an error:
```
reconfiguring zone keys
zone_rekey:dns_dnssec_keymgr failed: error occurred writing key to disk
```
Google did not find anything when I searched for this error message.
I tried with file permissions allowing everything in the keys directory, I tried to temporarily disable SELinux (strict -> permissive to be precise), but no warnings were generated. Nothing helped so far. I don't know what file the server wants to write, where, or what the error is. I also tried to remove the journal files, etc., but this is a production machine, I cannot experiment too much, so I returned everything to the original state and will stick with version 9.18 for now.
Could anybody help to get the 'dnssec-policy' working without errors?
---
UPDATE #2: I posted a summary of my experiments as a (preliminary) answer. I'm still looking for a good source of information in order to stop these trial-and-error experiments.
Asked by VPfB
(809 rep)
Feb 1, 2023, 07:15 PM
Last activity: Mar 13, 2023, 07:38 AM
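As an added pre-flight check for the migration described above (example code, not part of the question and not BIND's own tooling): a POSIX shell script that, for an assumed key directory, verifies that the user it runs as can create files there and that every existing `K*.key` file holds a DNSKEY of algorithm 13, the algorithm number behind the policy's `ecdsa256`. It assumes that named needs write access to `key-directory` once `dnssec-policy` manages the keys, and that matching the algorithm lets the policy adopt the existing keys rather than generate new ones.

```shell
#!/bin/sh
# Pre-flight checks before switching a zone from auto-dnssec/inline-signing
# to dnssec-policy. Assumptions (not stated in the question): the zone's
# key-directory path is passed in by the caller, and ecdsa256 in the policy
# corresponds to DNSKEY algorithm number 13.

# key_dir_writable DIR: 0 if DIR exists and the current user can create a
# file in it. Run it as the named user (e.g. runuser -u named -- sh check.sh),
# since dnssec-policy keeps per-key .state files next to the key files.
key_dir_writable() {
    [ -d "$1" ] || return 1
    probe="$1/.keymgr-probe.$$"
    ( : > "$probe" ) 2>/dev/null || return 1
    rm -f "$probe"
}

# keys_match_policy DIR ALG: 0 if every K*.key in DIR holds a DNSKEY with
# algorithm ALG, 1 if any key uses another algorithm or no keys are found.
keys_match_policy() {
    dir=$1; alg=$2; n=0
    for f in "$dir"/K*.key; do
        [ -f "$f" ] || continue
        n=$((n + 1))
        # DNSKEY RDATA is "flags protocol algorithm key"; a TTL may precede IN
        grep -v '^;' "$f" | awk -v want="$alg" '
            { for (i = 1; i <= NF; i++)
                  if ($i == "DNSKEY" && $(i + 3) != want) bad = 1 }
            END { exit bad }' || return 1
    done
    [ "$n" -gt 0 ]
}

# Demo on a constructed key directory: two ecdsa256 keys, then an RSA one.
demo() {
    d=$(mktemp -d) || return 1
    printf 'example.com. IN DNSKEY 257 3 13 AAAA\n' > "$d/Kexample.com.+013+11111.key"
    printf '; ZSK\nexample.com. 3600 IN DNSKEY 256 3 13 BBBB\n' > "$d/Kexample.com.+013+22222.key"
    key_dir_writable "$d" && keys_match_policy "$d" 13 && echo "keys ready for ecdsa256 policy"
    printf 'example.com. IN DNSKEY 256 3 8 CCCC\n' > "$d/Kexample.com.+008+33333.key"
    keys_match_policy "$d" 13 || echo "algorithm mismatch: policy would roll to new keys"
    rm -rf "$d"
}
demo
```

A non-zero result from `key_dir_writable` when run as the named user points at ownership, mode or SELinux labelling of the key directory rather than at the policy syntax.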