[Opendnssec-user] DNSKEY record set not published in a new zone
Stephane Bortzmeyer
2018-11-10 18:00:35 UTC
I just added a new zone to an OpenDNSSEC installation which works for
several other zones.

I tried adding the new zone both with zonelist.xml + ods-enforcer zone
import, and with ods-enforcer zone add. Same result in both cases.

The KSK stays in state "generate" (why?):

% sudo ods-enforcer key list --keystate generate --zone foo.example

Keys:
Zone: Keytype: State: Date of next transition:
foo.example KSK generate 2018-11-12 06:46:20
key list completed in 0 seconds.

The ZSK is in state publish:

% sudo ods-enforcer key list --zone foo.example

Keys:
Zone: Keytype: State: Date of next transition:
foo.example ZSK publish 2018-11-12 06:46:20
key list completed in 0 seconds.

But no DNSKEY at all is added in the signed zone. (There are RRSIGs,
and NSEC3.)

OpenDNSSEC 2.0.4

(Side note: when NSD loads a zone with no DNSKEY, it doesn't serve the
signatures at all.)

Key policy is:

<Keys>
    <TTL>PT7200S</TTL>
    <RetireSafety>PT7200S</RetireSafety>
    <PublishSafety>PT7200S</PublishSafety>
    <Purge>P14D</Purge>
    <KSK>
        <Algorithm length="2048">8</Algorithm>
        <Lifetime>P3Y</Lifetime>
        <Repository>SoftHSM</Repository>
        <ManualRollover/>
    </KSK>
    <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>P90D</Lifetime>
        <Repository>SoftHSM</Repository>
    </ZSK>
</Keys>
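The symptom in this post (a signed zone carrying RRSIGs and NSEC3 but no DNSKEY RRset) is exactly the condition a validating resolver rejects, since every RRSIG names a key tag that must resolve to a DNSKEY at the apex. The following is an added example, not code from the thread or from OpenDNSSEC: a small Python audit that reads a signed zone in a simplified one-record-per-line presentation format, computes the key tag of each DNSKEY per RFC 4034 Appendix B, and reports RRSIGs whose key tag has no matching DNSKEY. The zone excerpts, key material and signature blobs are constructed placeholders for foo.example; the function names `audit_signed_zone` and `dnskey_keytag` are this example's own.

```python
import base64
import struct

# Constructed zone excerpt reproducing the reported symptom: RRSIG and NSEC3
# records are present, but no DNSKEY RRset at all. Signatures are dummy base64.
BROKEN_ZONE = """\
foo.example. 3600 IN SOA ns1.foo.example. hostmaster.foo.example. 2018111001 7200 3600 1209600 3600
foo.example. 3600 IN RRSIG SOA 8 2 3600 20181210000000 20181110000000 4118 foo.example. c2lnbmF0dXJl
foo.example. 3600 IN NS ns1.foo.example.
foo.example. 3600 IN RRSIG NS 8 2 3600 20181210000000 20181110000000 4118 foo.example. c2lnbmF0dXJl
abc123.foo.example. 3600 IN NSEC3 1 0 10 ab01 def456 NS SOA RRSIG DNSKEY NSEC3PARAM
abc123.foo.example. 3600 IN RRSIG NSEC3 8 3 3600 20181210000000 20181110000000 4118 foo.example. c2lnbmF0dXJl
"""

# Same zone once the keys are published: a KSK (flags 257) and a ZSK (flags 256),
# both with tiny constructed "public keys" that are not real RSA material.
HEALTHY_ZONE = BROKEN_ZONE + """\
foo.example. 7200 IN DNSKEY 257 3 8 AQIDBA==
foo.example. 7200 IN DNSKEY 256 3 8 BQYHCA==
foo.example. 7200 IN RRSIG DNSKEY 8 2 7200 20181210000000 20181110000000 2063 foo.example. c2lnbmF0dXJl
"""


def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """Key tag per RFC 4034 Appendix B (the non-RSA/MD5 algorithm, valid for alg 8)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_records(zone_text: str):
    """Yield (owner, type, rdata_fields) from a simplified zone file.

    Assumes one record per line as 'owner TTL class TYPE rdata...'; comments
    after ';' are dropped. Multi-line parenthesised records are not handled.
    """
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        yield owner, rtype, rdata


def audit_signed_zone(zone_text: str) -> dict:
    """Check that every RRSIG key tag is backed by a published DNSKEY."""
    dnskey_keytags = set()
    rrsig_keytags = set()
    has_nsec3 = False
    for _owner, rtype, rdata in parse_records(zone_text):
        if rtype == "DNSKEY":
            flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
            dnskey_keytags.add(dnskey_keytag(flags, proto, alg, "".join(rdata[3:])))
        elif rtype == "RRSIG":
            # RRSIG rdata: type alg labels origttl expiration inception keytag signer sig
            rrsig_keytags.add(int(rdata[6]))
        elif rtype == "NSEC3":
            has_nsec3 = True

    problems = []
    if rrsig_keytags and not dnskey_keytags:
        problems.append("RRSIGs present but no DNSKEY RRset: resolvers cannot validate this zone")
    missing = rrsig_keytags - dnskey_keytags
    if dnskey_keytags and missing:
        problems.append(f"RRSIGs reference key tags with no matching DNSKEY: {sorted(missing)}")
    if has_nsec3 and not dnskey_keytags:
        problems.append("NSEC3 chain present without DNSKEY: denial-of-existence proofs unverifiable")
    return {
        "dnskey_keytags": dnskey_keytags,
        "rrsig_keytags": rrsig_keytags,
        "missing_keytags": missing,
        "problems": problems,
    }


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("healthy", HEALTHY_ZONE)):
        result = audit_signed_zone(zone)
        print(label, result["problems"] or "OK", sorted(result["dnskey_keytags"]))
```

The audit only checks key-tag consistency, not the signatures themselves, so it is a cheap post-signing sanity check to run over the ods-signer output before the zone is loaded into a name server. In the broken case it reports the missing DNSKEY RRset; in the healthy case the constructed KSK and ZSK carry key tags 2063 and 4118 and every RRSIG maps to one of them.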
Stephane Bortzmeyer
2018-11-14 14:14:45 UTC
On Sat, Nov 10, 2018 at 07:00:35PM +0100, Stephane Bortzmeyer wrote:
> But no DNSKEY at all is added in the signed zone. (There are RRSIGs,
> and NSEC3.)
When the KSK moved to the state Ready, the keys were published. It
seems abnormal.
