Yes, and it's by design. If you could then one random root key would be sufficient to "restore" all keys (as they are derived from that root key). U2F explicitly doesn't allow that given that the protocol has use counters.