diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h
index cc5dea7f02..db63d40150 100644
--- a/lib/dns/include/dns/keyvalues.h
+++ b/lib/dns/include/dns/keyvalues.h
@@ -70,6 +70,7 @@
 #define DNS_KEYALG_INDIRECT	252
 #define DNS_KEYALG_PRIVATEDNS	253
 #define DNS_KEYALG_PRIVATEOID	254 /*%< Key begins with OID giving alg */
+#define DNS_KEYALG_MAX		255
 
 /* Protocol values  */
 #define DNS_KEYPROTO_RESERVED 0
diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c
index 86f46b7092..b51c0b1371 100644
--- a/lib/dns/zoneverify.c
+++ b/lib/dns/zoneverify.c
@@ -1486,18 +1486,18 @@ check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
 		    dns_dnssec_signs(keyrdata, vctx->origin, &vctx->soaset,
 				     &vctx->soasigs, false, vctx->mctx))
 		{
-			if (active_keys[dnskey->algorithm] != 255) {
+			if (active_keys[dnskey->algorithm] != DNS_KEYALG_MAX) {
 				active_keys[dnskey->algorithm]++;
 			}
 		} else {
-			if (standby_keys[dnskey->algorithm] != 255) {
+			if (standby_keys[dnskey->algorithm] != DNS_KEYALG_MAX) {
 				standby_keys[dnskey->algorithm]++;
 			}
 		}
 		return;
 	}
 
-	if (active_keys[dnskey->algorithm] != 255) {
+	if (active_keys[dnskey->algorithm] != DNS_KEYALG_MAX) {
 		active_keys[dnskey->algorithm]++;
 	}
 
@@ -1637,11 +1637,13 @@ check_dnskey(vctx_t *vctx) {
 				return (ISC_R_FAILURE);
 			}
 			if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
-			    vctx->revoked_ksk[dnskey.algorithm] != 255)
+			    vctx->revoked_ksk[dnskey.algorithm] !=
+				    DNS_KEYALG_MAX)
 			{
 				vctx->revoked_ksk[dnskey.algorithm]++;
 			} else if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 &&
-				   vctx->revoked_zsk[dnskey.algorithm] != 255)
+				   vctx->revoked_zsk[dnskey.algorithm] !=
+					   DNS_KEYALG_MAX)
 			{
 				vctx->revoked_zsk[dnskey.algorithm]++;
 			}