diff --git a/bind-9.20-robust-key-rollovers.patch b/bind-9.20-robust-key-rollovers.patch
new file mode 100644
index 0000000..32d3be8
--- /dev/null
+++ b/bind-9.20-robust-key-rollovers.patch
@@ -0,0 +1,97 @@
+diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
+index 6c04682004..8eda1535a0 100644
+--- a/lib/dns/keymgr.c
++++ b/lib/dns/keymgr.c
+@@ -1154,19 +1154,18 @@ static bool
+ keymgr_transition_allowed(dns_dnsseckeylist_t *keyring, dns_dnsseckey_t *key,
+ int type, dst_key_state_t next_state,
+ bool secure_to_insecure) {
++ bool rule1a, rule1b, rule2a, rule2b, rule3a, rule3b;
++ rule1a = keymgr_have_ds(keyring, key, type, NA, secure_to_insecure);
++ rule1b = keymgr_have_ds(keyring, key, type, next_state, secure_to_insecure);
++ rule2a = keymgr_have_dnskey(keyring, key, type, NA);
++ rule2b = keymgr_have_dnskey(keyring, key, type, next_state);
++ rule3a = keymgr_have_rrsig(keyring, key, type, NA);
++ rule3b = keymgr_have_rrsig(keyring, key, type, next_state);
++
+ /* Debug logging. */
+ if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
+- bool rule1a, rule1b, rule2a, rule2b, rule3a, rule3b;
+ char keystr[DST_KEY_FORMATSIZE];
+ dst_key_format(key->key, keystr, sizeof(keystr));
+- rule1a = keymgr_have_ds(keyring, key, type, NA,
+- secure_to_insecure);
+- rule1b = keymgr_have_ds(keyring, key, type, next_state,
+- secure_to_insecure);
+- rule2a = keymgr_have_dnskey(keyring, key, type, NA);
+- rule2b = keymgr_have_dnskey(keyring, key, type, next_state);
+- rule3a = keymgr_have_rrsig(keyring, key, type, NA);
+- rule3b = keymgr_have_rrsig(keyring, key, type, next_state);
+ isc_log_write(
+ dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_DEBUG(1),
+@@ -1179,30 +1178,40 @@ keymgr_transition_allowed(dns_dnsseckeylist_t *keyring, dns_dnsseckey_t *key,
+ rule3a ? "true" : "false", rule3b ? "true" : "false");
+ }
+ 
+- return (
+- /*
+- * Rule 1: There must be a DS at all times.
+- * First check the current situation: if the rule check fails,
+- * we allow the transition to attempt to move us out of the
+- * invalid state. If the rule check passes, also check if
+- * the next state is also still a valid situation.
+- */
+- (!keymgr_have_ds(keyring, key, type, NA, secure_to_insecure) ||
+- keymgr_have_ds(keyring, key, type, next_state,
+- secure_to_insecure)) &&
+- /*
+- * Rule 2: There must be a DNSKEY at all times. Again, first
+- * check the current situation, then assess the next state.
+- */
+- (!keymgr_have_dnskey(keyring, key, type, NA) ||
+- keymgr_have_dnskey(keyring, key, type, next_state)) &&
+- /*
+- * Rule 3: There must be RRSIG records at all times. Again,
+- * first check the current situation, then assess the next
+- * state.
+- */
+- (!keymgr_have_rrsig(keyring, key, type, NA) ||
+- keymgr_have_rrsig(keyring, key, type, next_state)));
++ /*
++ * Rule checking:
++ * First check the current situation: if the rule check fails,
++ * we allow the transition to attempt to move us out of the
++ * invalid state. If the rule check passes, also check if
++ * the next state is also still a valid situation.
++ */
++ char keystr2[DST_KEY_FORMATSIZE];
++ dst_key_format(key->key, keystr2, sizeof(keystr2));
++
++ /*
++ * Rule 1: There must be a DS at all times.
++ */
++ if (!rule1a && !rule1b && next_state == UNRETENTIVE) {
++ return false;
++ }
++ /*
++ * Rule 2: There must be a DNSKEY at all times. Again, first
++ * check the current situation, then assess the next state.
++ */
++ if (!rule2a && !rule2b && next_state == UNRETENTIVE) {
++ return false;
++ }
++ /*
++ * Rule 3: There must be RRSIG records at all times. Again,
++ * first check the current situation, then assess the next
++ * state.
++ */
++ if (!rule3a && !rule3b && next_state == UNRETENTIVE) {
++ return false;
++ }
++
++ return (!rule1a || rule1b) && (!rule2a || rule2b) &&
++ (!rule3a || rule3b);
+ }
+ 
+ /*
diff --git a/bind.spec b/bind.spec
index a48bde8..c4c5cd4 100644
--- a/bind.spec
+++ b/bind.spec
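Review bot: `keystr2` is filled by `dst_key_format(key->key, keystr2, sizeof(keystr2));` in the new body of keymgr_transition_allowed but never read afterwards, so the buffer and the call are dead work on every transition check; unless a log message that uses it was dropped from the backport, remove both added lines `char keystr2[DST_KEY_FORMATSIZE];` and `dst_key_format(key->key, keystr2, sizeof(keystr2));` (the debug block above already formats the key into `keystr`). The three new guards `if (!ruleXa && !ruleXb && next_state == UNRETENTIVE)` also deserve a why-comment, because the retained "Rule N: There must be ... at all times" text still describes the old `(!a || b)` relaxation rather than the new refusal; a line such as `/* A move to UNRETENTIVE that leaves the rule unsatisfied is refused: withdrawing more records cannot repair an already invalid state. */` before the first guard would record the intent, which as far as the rule names suggest is what keeps a rollover from pulling the last DS, DNSKEY or RRSIG out of the zone. The function spans both inner hunks of the added patch and is complete within them.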
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: MPLv2.0
 Version: 9.16.23
-Release: 40%{?dist}
+Release: 41%{?dist}
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
@@ -201,6 +201,8 @@ Patch224: bind-9.16-CVE-2025-40780.patch
 Patch225: bind-9.16-CVE-2025-40778.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7942
 Patch226: bind-9.16-properly-process-extra-nameserver-lines.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11329
+Patch227: bind-9.20-robust-key-rollovers.patch
 
 %{?systemd_ordering}
 # https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers
@@ -1260,11 +1262,14 @@ fi;
 %endif
 
 %changelog
+* Thu Jan 29 2026 Fedor Vorobev - 32:9.16.23-41
+- Backport fix for manual DNSSEC key rollovers. (RHEL-12487)
+
 * Wed Jan 28 2026 Petr Menšík - 32:9.16.23-40
 - Add forgotten _libdir/named into bind-chroot tmpfiles (RHEL-135629)
 
 * Thu Jan 22 2026 Fedor Vorobev - 32:9.16.23-39
-- Backport fix for nameserver line processing. (RHEL-79714)
+- Backport fix for nameserver line processing. (RHEL-79714)
 
 * Fri Dec 12 2025 Petr Menšík - 32:9.16.23-38
 - Add sysusers named user creation (RHEL-132053)