diff --git a/src/commands/signzone.rs b/src/commands/signzone.rs
index 7a41e20..1e00af9 100644
--- a/src/commands/signzone.rs
+++ b/src/commands/signzone.rs
@@ -1465,6 +1465,23 @@ impl SignZone {
 // NSEC(3)s.
 //
 // TODO: Support partial and re-signing.
+ //
+ // Remove ZONEMD records at apex as well. We don't always
+ // know the origin at this point. Just strip all ZONEMD
+ // records if we don't, strip ZONEMD records at apex
+ // if we do know the origin.
+ if matches!(record.rtype(), Rtype::ZONEMD) {
+ if let Some(origin) = &self.origin {
+ if *record.owner() == origin {
+ // ZONEMD record at origin, skip.
+ continue;
+ }
+ // Keep ZONEMD records that are not at origin.
+ } else {
+ // Origin is not known, skip all ZONEMD records.
+ continue;
+ }
+ }
 if !matches!(
 record.rtype(),
 Rtype::RRSIG | Rtype::NSEC | Rtype::NSEC3 | Rtype::NSEC3PARAM
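Review bot: The new comment block above the ZONEMD check says what is stripped but not why, and the why is the security-relevant part: a ZONEMD digest covers the zone contents including the RRSIGs and NSEC/NSEC3 records that signing is about to replace, so any pre-existing apex ZONEMD is stale after this pass and would make the signed zone fail digest verification unless it is dropped (and regenerated if the signer supports it); I would add `// A stale apex ZONEMD would fail verification once the signatures change, so it must not survive signing.` to that comment. The "origin unknown, strip all ZONEMD" branch drops records silently; if the tool has a logging path a debug-level message there would make the behaviour visible when a user wonders where their ZONEMD went. As a point of style, the three nested `if`s collapse into one condition with the same behaviour: `if record.rtype() == Rtype::ZONEMD && self.origin.as_ref().map_or(true, |o| *record.owner() == *o) { continue; }` — this also avoids the value-vs-reference comparison in `*record.owner() == origin`, which presumably compiles only because of a specific PartialEq impl. The enclosing loop and method start before this hunk.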