ldns-signzone generates invalid DNSSEC zones

The domain "exim.org" is DNSSEC-signed using ldns-signzone(1) on Ubuntu, ldnsutils 1.6.17-1 on i386.

After investigating spam rejections of exim-users mail, I determined that there was a broken signature upon the current DKIM key ("d201705._domainkey.exim.org"). I re-signed the zone and the record validated. I continued to investigate. I could not use dnssec-verify(1) from bind9utils because it fails upon the presence of a CAA record. So I copied the zonefiles to a FreeBSD box and used dnssec-verify there.

    Loading zone 'exim.org' from file 'db.exim.org'
    Verifying the zone using the following algorithms: ECDSAP256SHA256.
    No correct ECDSAP256SHA256 signature for d201705._domainkey.exim.org TXT
    No correct ECDSAP256SHA256 signature for www.pl.exim.org A
    The zone is not fully signed for the following algorithms: ECDSAP256SHA256.
    dnssec-verify: fatal: DNSSEC completeness test failed.

The newly-signed zone instead had:

    No correct ECDSAP256SHA256 signature for ftp.exim.org AAAA
    No correct ECDSAP256SHA256 signature for _443._tcp.lists.exim.org CNAME

Signing again:

    No correct ECDSAP256SHA256 signature for hummus.exim.org SSHFP
    No correct ECDSAP256SHA256 signature for k8ft27pqo4i3u7uqu5dk2l4ra1hsl6lt.exim.org NSEC3

I installed ldns in /opt/ldns from upstream source tarball, version 1.7.0, and changed the zone management script to use that ldns-signzone instead, and things work:

    Loading zone 'exim.org' from file 'db.exim.org-2017060402'
    Verifying the zone using the following algorithms: ECDSAP256SHA256.
    Zone fully signed:
    Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                                ZSKs: 1 active, 0 stand-by, 0 revoked

I don't know what the root cause of the signing failure in the packaged ldnsutils is, I just see that it's fixed in upstream.