
quattroginger
Apr 03, 2018

DNSSEC keys within bigipgtm_conf

I have 2 devices in HA failover. I restored both to a previous UCS. I have verified that the DNSSEC KSK and ZSK are correct and match others in GTM. When I run "dig DNSKEY mydomain. @localhost +multiline" I see ZSK keytag 12345. However, the correct tag is 67890, which is listed under only generation through the GUI. bigip_gtm.conf shows the correct ZSK 67890, but bigip_gtm.conf.bak shows the 12345.

 

Today when I logged in and checked, both the .conf and .conf.bak show the correct keytag 67890; however, "dig DNSKEY mydomain. @localhost +multiline" still shows the incorrect 12345 only. I tried tmsh load bigip_gtm.conf. I received no errors and still the same results.

 

What am I missing or doing incorrectly to force the BIGIP to read the keys in the bigip_gtm.conf?

 
