diff --git a/CHANGES b/CHANGES
index d403c335b7..adb76a253e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4415.	[bug]		dnssec-keymgr: Expired/deleted keys were not always
+			excluded. [RT #42884]
+			
 4414.	[bug]		Corrected a bug in the MIPS implementation of
 			isc_atomic_xadd(). [RT #41965]
 
diff --git a/bin/python/isc/keyseries.py.in b/bin/python/isc/keyseries.py.in
index cdcdd62e37..7c6191a868 100644
--- a/bin/python/isc/keyseries.py.in
+++ b/bin/python/isc/keyseries.py.in
@@ -31,15 +31,14 @@ class keyseries:
             for alg, keys in kdict[zone].items():
                 for k in keys.values():
                     if k.sep:
-                        self._K[zone][alg].append(k)
+                        if not (k.delete() and k.delete() < now):
+                          self._K[zone][alg].append(k)
                     else:
-                        self._Z[zone][alg].append(k)
+                        if not (k.delete() and k.delete() < now):
+                          self._Z[zone][alg].append(k)
 
-                for group in [self._K[zone][alg], self._Z[zone][alg]]:
-                    group.sort()
-                    for k in group:
-                        if k.delete() and k.delete() < now:
-                            group.remove(k)
+                self._K[zone][alg].sort()
+                self._Z[zone][alg].sort()
 
     def __iter__(self):
         for zone in self._zones: