# Step 4:
# The DS has been submitted long enough ago to become OMNIPRESENT.
setup step4.enable-dnssec.autosign
-# DS TTL: 1 day (86400 seconds)
-# parent-registration-delay: 1 day (86400 seconds)
+# DS TTL: 2 hour (7200 seconds)
# parent-propagation-delay: 1 hour (3600 seconds)
# retire-safety: 20 minutes (1200 seconds)
-# Total aditional time: 98400 seconds
-# 44700 + 98400 = 143100
-TpubN="now-143100s"
-# 43800 + 98400 = 142200
-TcotN="now-142200s"
-TsbmN="now-98400s"
+# Total aditional time: 12000 seconds
+# 44700 + 12000 = 56700
+TpubN="now-56700s"
+# 43800 + 12000 = 55800
+TcotN="now-55800s"
+TsbmN="now-12000s"
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" > settime.out.$zone.1 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone 13 "$CSK" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
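Review bot: The rewritten comment `# Total aditional time: 12000 seconds` keeps the misspelling from the line it replaces; it should read `# Total additional time: 12000 seconds`. The arithmetic on the new lines (7200 + 3600 + 1200 = 12000, 44700 + 12000 = 56700, 43800 + 12000 = 55800) agrees with the DS TTL, propagation-delay and retire-safety lines above it.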
-setup step3.enable-dnssec.autosign
+setup step4.enable-dnssec.autosign
#
# The zones at zsk-prepub.autosign represent the various steps of a ZSK
# Tnow
#
# Lksk: 60d
-# Dreg: 1d
+# Dreg: N/A
# DprpP: 1h
# TTLds: 1h
# retire-safety: 2d
# publish-safety: 1d
# IpubC: 27h
#
-# Tact(N) = Tnow + Dreg - Lksk = now + 1d - 60d = now - 59d
-# Tret(N) = Tnow + Dreg = now + 1d
-# Trem(N) = Tnow + Dreg + Iret = now + 1d + 50h = now + 74h
+# Tact(N) = Tnow + Lksk = now - 60d = now - 60d
+# Tret(N) = now
+# Trem(N) = Tnow + Iret = now + 50h
# Tpub(N+1) = Tnow - IpubC = now - 27h
# Tsbm(N+1) = now
# Tact(N+1) = Tret(N)
-# Tret(N+1) = Tnow + Dreg + Lksk = now + 1d + 60d = now + 61d
-# Trem(N+1) = Tnow + Dreg + Lksk + Iret = now + 61d + 50h
-# = now + 1464h + 50h = 1514h
-TactN="now-59d"
-TretN="now+1d"
-TremN="now+74h"
+# Tret(N+1) = Tnow + Lksk = now + 60d
+# Trem(N+1) = Tnow + Lksk + Iret = now + 60d + 50h
+# = now + 1440h + 50h = 1490h
+TactN="now-60d"
+TretN="now"
+TremN="now+50h"
TpubN1="now-27h"
TsbmN1="now"
TactN1="${TretN}"
-TretN1="now+61d"
-TremN1="now+1514h"
+TretN1="now+60d"
+TremN1="now+1490h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
zsktimes="-P ${TactN} -A ${TactN}"
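Review bot: The rewritten `Tact(N)` comment has the sign of Lksk wrong: `# Tact(N) = Tnow + Lksk = now - 60d = now - 60d` adds the lifetime, while the value assigned right below (`TactN="now-60d"`) subtracts it and the removed line correctly had `- Lksk`. Suggest `# Tact(N) = Tnow - Lksk = now - 60d`. The remaining times in this hunk (`TretN="now"`, `TremN="now+50h"`, `TretN1="now+60d"`, `TremN1="now+1490h"`) are consistent with their comments.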
setup step4.ksk-doubleksk.autosign
# According to RFC 7583:
#
-# Tret(N) = Tsbm(N+1) + Dreg
+# Tret(N) = Tsbm(N+1)
# Tdea(N) = Tret(N) + Iret
# Tact(N+1) = Tret(N)
#
# Tnow
#
# Lksk: 60d
-# Dreg: 1d
+# Dreg: N/A
# Iret: 50h
#
# Tact(N) = Tnow - Lksk - Iret = now - 60d - 50h
# = now - 1440h - 50h = now - 1490h
# Tret(N) = Tnow - Iret = now - 50h
# Trem(N) = Tnow
-# Tpub(N+1) = Tnow - Iret - Dreg - IpubC = now - 50h - 1d - 27h
-# = now - 101h
-# Tsbm(N+1) = Tnow - Iret - Dreg = now - 50h - 1d = now - 74h
+# Tpub(N+1) = Tnow - Iret - IpubC = now - 50h - 27h
+# = now - 77h
+# Tsbm(N+1) = Tnow - Iret = now - 50h
# Tact(N+1) = Tret(N)
# Tret(N+1) = Tnow + Lksk - Iret = now + 60d - 50h = now + 1390h
# Trem(N+1) = Tnow + Lksk = now + 60d
TactN="now-1490h"
TretN="now-50h"
TremN="now"
-TpubN1="now-101h"
-TsbmN1="now-74h"
+TpubN1="now-77h"
+TsbmN1="now-50h"
TactN1="${TretN}"
TretN1="now+1390h"
TremN1="now+60d"
setup step5.ksk-doubleksk.autosign
# Subtract DNSKEY TTL from all the times (2h).
# Tact(N) = now - 1490h - 2h = now - 1492h
-# Tret(N) = now - 52h - 2h = now - 52h
+# Tret(N) = now - 50h - 2h = now - 52h
# Trem(N) = now - 2h
-# Tpub(N+1) = now - 101h - 2h = now - 103h
-# Tsbm(N+1) = now - 74h - 2h = now - 76h
+# Tpub(N+1) = now - 77h - 2h = now - 79h
+# Tsbm(N+1) = now - 50h - 2h = now - 52h
# Tact(N+1) = Tret(N)
# Tret(N+1) = now + 1390h - 2h = now + 1388h
# Trem(N+1) = now + 60d + 2h = now + 1442h
TactN="now-1492h"
TretN="now-52h"
TremN="now-2h"
-TpubN1="now-103h"
-TsbmN1="now-76h"
+TpubN1="now-79h"
+TsbmN1="now-52h"
TactN1="${TretN}"
TretN1="now+1388h"
-TremN1="now+1438h"
+TremN1="now+1442h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
zsktimes="-P ${TactN} -A ${TactN}"
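Review bot: The new value `TremN1="now+1442h"` adds the 2h DNSKEY TTL while every other time in this step subtracts it, as the step's own heading says (`Subtract DNSKEY TTL from all the times (2h)`); 60d - 2h is 1438h, which is the value the commit removes. The unchanged context comment `# Trem(N+1) = now + 60d + 2h = now + 1442h` looks like the slip the value was aligned to rather than the other way round. Suggest `# Trem(N+1) = now + 60d - 2h = now + 1438h` and keeping `TremN1="now+1438h"`, unless the step5 key-time checks in tests.sh really expect the later time — worth confirming there before merging.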
# The zones at csk-roll.autosign represent the various steps of a CSK rollover
# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
#
-#
-# The activation time for zone signing (ZSK) is different than for chain of
-# trust validation (KSK). Therefor, for zone signing we use TactZ and TretZ
-# instead of Tact and Tret.
-#
# Step 1:
# Introduce the first key. This will immediately be active.
# It is time to introduce the new CSK.
setup step2.csk-roll.autosign
# According to RFC 7583:
-# KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
-# ZSK: Tpub(N+1) <= TactZ(N) + Lzsk - Ipub
+# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
+# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
# IpubC = DprpC + TTLkey (+publish-safety)
# Ipub = IpubC
# Lcsk = Lksk = Lzsk
#
# Lcsk: 6mo (186d, 4464h)
-# Dreg: 1d
+# Dreg: N/A
# DprpC: 1h
# TTLkey: 1h
# publish-safety: 1h
# Ipub: 3h
#
-# Tact(N) = Tnow - Lcsk + Ipub + Dreg = now - 186d + 3h + 1d
-# = now - 4464h + 3h + 24h = now - 4437h
-# TactZ(N) = Tnow - Lcsk + IpubC = now - 186d + 3h
-# = now - 4464h + 3h = now - 4461h
-TactN="now-4437h"
-TactZN="now-4461h"
-csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN}"
+# Tact(N) = Tnow - Lcsk + Ipub = now - 186d + 3h
+# = now - 4464h + 3h = now - 4461h
+TactN="now-4461h"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone 13 "$CSK" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# According to RFC 7583:
#
# Tsbm(N+1) >= Trdy(N+1)
-# KSK: Tact(N+1) = Tsbm(N+1) + Dreg
-# ZSK: TactZ(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
+# KSK: Tact(N+1) = Tsbm(N+1)
+# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
# KSK: Iret = DprpP + TTLds (+retire-safety)
# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
#
# Lcsk: 186d
# Dprp: 1h
# DprpP: 1h
-# Dreg: 1d
+# Dreg: N/A
# Dsgn: 25d
# TTLds: 1h
# TTLsig: 1d
# IretZ: 26d3h
# Ipub: 3h
#
-# TactZ(N) = Tnow - Lcsk = now - 186d
-# TretZ(N) = now
-# Tact(N) = Tnow + Dreg - Lcsk = now + 1d - 186d = now - 185d
-# Tret(N) = Tnow + Dreg = now + 1d
-# Trem(N) = Tnow + IretZ = now + 26d3h = now + 627h
-# Tpub(N+1) = Tnow - Ipub = now - 3h
-# Tsbm(N+1) = TretZ(N)
-# TactZ(N+1) = TretZ(N)
-# TretZ(N+1) = Tnow + Lcsk = now + 186d
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = Tnow + Dreg + Lcsk = now + 1d + 186d = now + 187d
-# Trem(N+1) = Tnow + Lcsk + IretZ = now + 186d + 26d3h =
-# = now + 5091h
-TactZN="now-186d"
-TretZN="now"
-TactN="now-185d"
-TretN="now+1d"
+# Tact(N) = Tnow - Lcsk = now - 186d
+# Tret(N) = now
+# Trem(N) = Tnow + IretZ = now + 26d3h = now + 627h
+# Tpub(N+1) = Tnow - Ipub = now - 3h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow + Lcsk = now + 186d = now + 186d
+# Trem(N+1) = Tnow + Lcsk + IretZ = now + 186d + 26d3h =
+# = now + 5091h
+TactN="now-186d"
+TretN="now"
TremN="now+627h"
TpubN1="now-3h"
TsbmN1="now"
-TactZN1="${TsbmN1}"
-TretZN1="now+186d"
TactN1="${TretN}"
-TretN1="now+187d"
+TretN1="now+186d"
TremN1="now+5091h"
-csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}"
-newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
# Step 4:
# Some time later all the ZRRSIG records should be from the new CSK, and the
# DS should be swapped. The ZRRSIG records are all replaced after IretZ
-# (which is 26d3h). The DS is swapped after Dreg + Iret (which is 1d4h).
+# (which is 26d3h). The DS is swapped after Iret (which is 4h).
# In other words, the DS is swapped before all zone signatures are replaced.
setup step4.csk-roll.autosign
# According to RFC 7583:
-# Trem(N) = TretZ(N) + IretZ
-# Tnow = Tsbm(N+1) + Dreg + Iret
+# Trem(N) = Tret(N) - Iret + IretZ
+# Tnow = Tsbm(N+1) + Iret
#
# Lcsk: 186d
# Iret: 4h
# IretZ: 26d3h
#
-# TactZ(N) = Tnow - Iret - Dreg - Lcsk = now - 4h - 24h - 4464h
-# = now - 4492h
-# TretZ(N) = Tnow - Iret - Dreg = now - 4h - 1d = now - 28h
-# Tact(N) = Tnow - Iret - Lcsk = now - 4h - 186d = now - 4468h
-# Tret(N) = Tnow - Iret = now - 4h = now - 4h
-# Trem(N) = Tnow - Iret - Dreg + IretZ = now - 4h - 1d + 26d3h
-# = now + 24d23h = now + 599h
-# Tpub(N+1) = Tnow - Iret - Dreg - IpubC = now - 4h - 1d - 3h = now - 31h
-# Tsbm(N+1) = TretZ(N)
-# TactZ(N+1) = TretZ(N)
-# TretZ(N+1) = Tnow - Iret - Dreg + Lcsk = now - 4h - 1d + 186d
-# = now + 4436h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = Tnow - Iret + Lcsk = now + 6mo - 4h = now + 4460h
-# Trem(N+1) = Tnow - Iret - Dreg + Lcsk + IretZ = now - 4h - 1d + 186d + 26d3h
-# = now + 5063h
-TactZN="now-4492h"
-TretZN="now-28h"
+# Tact(N) = Tnow - Iret - Lcsk = now - 4h - 186d = now - 4468h
+# Tret(N) = Tnow - Iret = now - 4h = now - 4h
+# Trem(N) = Tnow - Iret + IretZ = now - 4h + 26d3h
+# = now + 623h
+# Tpub(N+1) = Tnow - Iret - IpubC = now - 4h - 3h = now - 7h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow - Iret + Lcsk = now - 4h + 186d = now + 4460h
+# Trem(N+1) = Tnow - Iret + Lcsk + IretZ = now - 4h + 186d + 26d3h
+# = now + 5087h
TactN="now-4468h"
TretN="now-4h"
-TremN="now+599h"
-TpubN1="now-31h"
-TsbmN1="${TretZN}"
-TactZN1="${TretZN}"
-TretZN1="now+4436h"
+TremN="now+623h"
+TpubN1="now-7h"
+TsbmN1="${TretN}"
TactN1="${TretN}"
TretN1="now+4460h"
-TremN1="now+5063h"
-csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}"
-newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
+TremN1="now+5087h"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $U $TsbmN1 -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
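Review bot: The rewritten RFC formula `# Trem(N) = Tret(N) - Iret + IretZ` does not match the derivation a few lines below it, `# Trem(N) = Tnow - Iret + IretZ`, which with `Tret(N) = Tnow - Iret` is simply Tret(N) + IretZ (now + 623h, the value TremN is set to). Subtracting Iret a second time would give now + 619h, which nothing in the hunk uses. Suggest `# Trem(N) = Tret(N) + IretZ`, the same form the step6 hunk uses.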
# At this time these have all become hidden.
setup step5.csk-roll.autosign
# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
-# TactZ(N) = now - 4492h - 2h = now - 4494h
-# TretZ(N) = now - 28h - 2h = now - 30h
-# Tact(N) = now - 4468h - 2h = now - 4470h
-# Tret(N) = now - 4h - 2h = now - 6h
-# Trem(N) = now + 599h - 2h = now + 597h
-# Tpub(N+1) = now - 31h - 2h = now - 33h
-# Tsbm(N+1) = TretZ(N)
-# TactZ(N+1) = TretZ(N)
-# TretZ(N+1) = now + 4436h - 2h = now + 4434h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = now + 4460h - 2h = now + 4458h
-# Trem(N+1) = now + 5063h - 2h = now + 5061h
-TactZN="now-4494h"
-TretZN="now-30h"
+# Tact(N) = now - 4468h - 2h = now - 4470h
+# Tret(N) = now - 4h - 2h = now - 6h
+# Trem(N) = now + 623h - 2h = now + 621h
+# Tpub(N+1) = now - 7h - 2h = now - 9h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 4460h - 2h = now + 4458h
+# Trem(N+1) = now + 5087h - 2h = now + 5085h
TactN="now-4470h"
TretN="now-6h"
-TremN="now+597h"
-TpubN1="now-33h"
-TsbmN1="now-30h"
-TactZN1="${TsbmN1}"
-TretZN1="now+4434h"
+TremN="now+621h"
+TpubN1="now-9h"
+TsbmN1="${TretN}"
TactN1="${TretN}"
TretN1="now+4458h"
-TremN1="now+5061h"
-csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}"
-newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
+TremN1="now+5085h"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactZN -r $U now-2h -d $H now-2h -z $U $TactZN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactZN1 "$CSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
# removed from the zone.
setup step6.csk-roll.autosign
# According to RFC 7583:
-# Trem(N) = TretZ(N) + IretZ
-# TretZ(N) = TactZ(N) + Lcsk
+# Trem(N) = Tret(N) + IretZ
+# Tret(N) = Tact(N) + Lcsk
#
# Lcsk: 186d
# Iret: 4h
# IretZ: 26d3h
#
-# TactZ(N) = Tnow - IretZ - Lcsk = now - 627h - 186d
-# = now - 627h - 4464h = now - 5091h
-# TretZ(N) = Tnow - IretZ = now - 627h
-# Tact(N) = Tnow - IretZ - Lcsk + Dreg = now - 627h - 186d + 1d =
-# now - 627h - 4464h + 24h = now - 5067h
-# Tret(N) = Tnow - IretZ + Dreg = now - 627h + 24h
-# = Tnow - 603h
-# Trem(N) = Tnow
-# Tpub(N+1) = Tnow - IretZ - Ipub = now - 627h - 3h = now - 630h
-# Tsbm(N+1) = TretZ(N)
-# TactZ(N+1) = TretZ(N)
-# TretZ(N+1) = Tnow - IretZ + Lcsk = now - 627h + 186d = now + 3837h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = Tnow - Iret + Lcsk = now - 4h + 186d = now + 4460h
-# Trem(N+1) = Tnow + Lcsk = now + 186d
-TactZN="now-5091h"
-TretZN="now-627h"
-TactN="now-5067h"
-TretN="now-603h"
+# Tact(N) = Tnow - IretZ - Lcsk = now - 627h - 186d
+# = now - 627h - 4464h = now - 5091h
+# Tret(N) = Tnow - IretZ = now - 627h
+# Trem(N) = Tnow
+# Tpub(N+1) = Tnow - IretZ - Ipub = now - 627h - 3h = now - 630h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow - IretZ + Lcsk = now - 627h + 186d = now + 3837h
+# Trem(N+1) = Tnow + Lcsk = now + 186d
+TactN="now-5091h"
+TretN="now-627h"
TremN="now"
TpubN1="now-630h"
-TsbmN1="${TretZN}"
-TactZN1="${TretZN}"
-TretZN1="now+3837h"
+TsbmN1="${TretN}"
TactN1="${TretN}"
-TretN1="now+4460h"
+TretN1="now+3837h"
TremN1="now+186d"
-csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}"
-newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactZN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Some time later the predecessor DNSKEY enters the HIDDEN state.
setup step7.csk-roll.autosign
# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
-# TactZ(N) = now - 5091h - 2h = now - 5093h
-# TretZ(N) = now - 627h - 2h = now - 629h
-# Tact(N) = now - 5067h - 2h = now - 5069h
-# Tret(N) = now - 603h - 2h = now - 605h
+# Tact(N) = now - 5091h - 2h = now - 5093h
+# Tret(N) = now - 627h - 2h = now - 629h
# Trem(N) = now - 2h
# Tpub(N+1) = now - 630h - 2h = now - 632h
-# Tsbm(N+1) = now - 627h - 2h = now - 629h
-# TactZ(N+1) = Tsbm(N+1)
-# TretZ(N+1) = now + 3837h - 2h = now + 3835h
+# Tsbm(N+1) = Tret(N)
# Tact(N+1) = Tret(N)
-# Tret(N+1) = now + 4460h - 2h = now + 4458h
+# Tret(N+1) = now + 3837h - 2h = now + 3835h
# Trem(N+1) = now + 186d - 2h = now + 4462h
-TactZN="now-5093h"
-TretZN="now-629h"
-TactN="now-5069h"
-TretN="now-605h"
+TactN="now-5093h"
+TretN="now-629h"
TremN="now-2h"
TpubN1="now-632h"
-TsbmN1="${TretZN}"
-TactZN1="${TretZN}"
-TretZN1="now+3835h"
+TsbmN1="${TretN}"
TactN1="${TretN}"
-TretN1="now+4458h"
+TretN1="now+3835h"
TremN1="now+4462h"
-csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}"
-newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactZN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactZN1 "$CSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
# This scenario differs from the above one because the zone signatures (ZRRSIG)
# are replaced with the new key sooner than the DS is swapped.
#
-#
-# The activation time for zone signing (ZSK) is different than for chain of
-# trust validation (KSK). Therefor, for zone signing we use TactZ and TretZ
-# instead of Tact and Tret.
-#
# Step 1:
# Introduce the first key. This will immediately be active.
# It is time to introduce the new CSK.
setup step2.csk-roll2.autosign
# According to RFC 7583:
-# KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
-# ZSK: Tpub(N+1) <= TactZ(N) + Lzsk - Ipub
+# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
+# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
# IpubC = DprpC + TTLkey (+publish-safety)
# Ipub = IpubC
# Lcsk = Lksk = Lzsk
#
# Lcsk: 6mo (186d, 4464h)
-# Dreg: 1w
+# Dreg: N/A
# DprpC: 1h
# TTLkey: 1h
# publish-safety: 1h
# Ipub: 3h
#
-# Tact(N) = Tnow - Lcsk + Ipub + Dreg = now - 186d + 3h + 1w
-# = now - 4464h + 3h + 168h = now - 4293h
-# TactZ(N) = Tnow - Lcsk + IpubC = now - 186d + 3h
+# Tact(N) = Tnow - Lcsk + Ipub = now - 186d + 3h
# = now - 4464h + 3h = now - 4461h
-TactN="now-4293h"
-TactZN="now-4461h"
-csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN}"
+TactN="now-4461h"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone 13 "$CSK" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# According to RFC 7583:
#
# Tsbm(N+1) >= Trdy(N+1)
-# KSK: Tact(N+1) = Tsbm(N+1) + Dreg
-# ZSK: TactZ(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
+# KSK: Tact(N+1) = Tsbm(N+1)
+# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
# KSK: Iret = DprpP + TTLds (+retire-safety)
# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
#
# Lcsk: 186d
# Dprp: 1h
-# DprpP: 1h
-# Dreg: 1w
+# DprpP: 1w
+# Dreg: N/A
# Dsgn: 12h
# TTLds: 1h
# TTLsig: 1d
# retire-safety: 1h
-# Iret: 3h
+# Iret: 170h
# IretZ: 38h
# Ipub: 3h
#
-# TactZ(N) = Tnow - Lcsk = now - 186d
-# TretZ(N) = now
-# Tact(N) = Tnow + Dreg - Lcsk = now + 1w - 186d = now - 179d
-# Tret(N) = Tnow + Dreg = now + 7d
-# Trem(N) = Tnow + Dreg + Iret = now + 1w + 3h = now + 171h
-# Tpub(N+1) = Tnow - Ipub = now - 3h
-# Tsbm(N+1) = TretZ(N)
-# TactZ(N+1) = TretZ(N)
-# TretZ(N+1) = Tnow + Lcsk = now + 186d
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = Tnow + Lcsk + Dreg = now + 186d + 7d = now + 193d
-# Trem(N+1) = Tnow + Lcsk + Dreg + Iret = now + 186d + 7d + 3h =
-# = now + 193d + 3h = now + 4632h + 3h = now + 4635h
-TactZN="now-186d"
-TretZN="now"
-TactN="now-179d"
-TretN="now+7d"
-TremN="now+171h"
+# Tact(N) = Tnow - Lcsk = now - 186d
+# Tret(N) = now
+# Trem(N) = Tnow + Iret = now + 170h
+# Tpub(N+1) = Tnow - Ipub = now - 3h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow + Lcsk = now + 186d
+# Trem(N+1) = Tnow + Lcsk + Iret = now + 186d + 170h =
+# = now + 4464h + 170h = now + 4634h
+TactN="now-186d"
+TretN="now"
+TremN="now+170h"
TpubN1="now-3h"
-TsbmN1="${TretZN}"
-TactZN1="${TretZN}"
-TretZN1="now+186d"
+TsbmN1="${TretN}"
TactN1="${TretN}"
-TretN1="now+193d"
-TremN1="now+4635h"
-csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}"
-newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
+TretN1="now+186d"
+TremN1="now+4634h"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
# signatures are replaced before the DS is swapped.
setup step4.csk-roll2.autosign
# According to RFC 7583:
-# Trem(N) = Tret(N) + Iret
-# Tnow = TretZ(N) + IretZ
+# Trem(N) = Tret(N) + IretZ
#
# Lcsk: 186d
-# Dreg: 1w
-# Iret: 3h
+# Dreg: N/A
+# Iret: 170h
# IretZ: 38h
#
-# TactZ(N) = Tnow - IretZ = Lcsk = now - 38h - 186d
+# Tact(N) = Tnow - IretZ = Lcsk = now - 38h - 186d
# = now - 38h - 4464h = now - 4502h
-# TretZ(N) = Tnow - IretZ = now - 38h
-# Tact(N) = Tnow - IretZ - Lcsk + Dreg = now - 38h - 4464h + 168h
-# = now - 4334h
-# Tret(N) = Tnow - IretZ + Dreg = now - 38h + 168h = now + 130h
-# Trem(N) = Tnow - IretZ + Dreg + Iret = now + 130h + 3h = now + 133h
+# Tret(N) = Tnow - IretZ = now - 38h
+# Trem(N) = Tnow - IretZ + Iret = now - 38h + 170h = now + 132h
# Tpub(N+1) = Tnow - IretZ - IpubC = now - 38h - 3h = now - 41h
-# Tsbm(N+1) = TretZ(N)
-# TactZ(N+1) = TretZ(N)
-# TretZ(N+1) = Tnow - IretZ + Lcsk = now - 38h + 186d
-# = now + 4426h
+# Tsbm(N+1) = Tret(N)
# Tact(N+1) = Tret(N)
-# Tret(N+1) = Tnow - IretZ + Dreg + Lcsk = now - 38h + 168h + 4464h
-# = now + 4594h
-# Trem(N+1) = Tnow - IretZ + Dreg + Lcsk + Iret
-# = now + 4594h + 3h = now + 4597h
-TactZN="now-4502h"
-TretZN="now-38h"
-TactN="now-4334h"
-TretN="now+130h"
-TremN="now+133h"
+# Tret(N+1) = Tnow - IretZ + Lcsk = now - 38h + 186d
+# = now + 4426h
+# Trem(N+1) = Tnow - IretZ + Lcsk + Iret
+# = now + 4426h + 3h = now + 4429h
+TactN="now-4502h"
+TretN="now-38h"
+TremN="now+132h"
TpubN1="now-41h"
-TsbmN1="${TretZN}"
-TactZN1="${TretZN}"
-TretZN1="now+4426h"
+TsbmN1="${TretN}"
TactN1="${TretN}"
-TretN1="now+4594h"
-TremN1="now+4597h"
-csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}"
-newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
+TretN1="now+4426h"
+TremN1="now+4429h"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $U $TsbmN1 -z $U $TretZN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TactZN1 "$CSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TretN "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
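Review bot: Trem(N+1) in this step is still computed with the old 3h Iret even though the same hunk raises Iret to 170h: `# = now + 4426h + 3h = now + 4429h` and `TremN1="now+4429h"` should become `# = now + 4426h + 170h = now + 4596h` and `TremN1="now+4596h"`, matching the Trem(N) line two lines above that correctly adds 170h. Two further comment slips on the new side: `# Trem(N) = Tret(N) + IretZ` at the top of the step contradicts `Trem(N) = Tnow - IretZ + Iret` below it (the removed pair `Trem(N) = Tret(N) + Iret` / `Tnow = Tret(N) + IretZ` was right, with TretZ renamed to Tret), and `# Tact(N) = Tnow - IretZ = Lcsk` should read `- Lcsk`. The step5 and step6 hunks that follow derive their Trem(N+1) from this value, so they need the corresponding correction.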
# Sign zone.
# Some time later the DS can be swapped and the old DNSKEY can be removed from
# the zone.
setup step5.csk-roll2.autosign
-# Subtract Dreg + Iret (171h) - IretZ (38h) = 133h.
-#
-# TactZ(N) = now - 4502h - 133h = now - 4635h
-# TretZ(N) = now - 38h - 133h = now - 171h
-# Tact(N) = now - 4334h = 133h = now - 4467h
-# Tret(N) = now + 130h - 133h = now - 3h
-# Trem(N) = now + 133h - 133h = now
-# Tpub(N+1) = now - 41h - 133h = now - 174h
-# Tsbm(N+1) = TretZ(N)
-# TactZ(N+1) = TretZ(N)
-# TretZ(N+1) = now + 4426h - 133h = now + 4293h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = now + 4594h - 133h = now + 4461h
-# Trem(N+1) = now + 4597h - 133h = now + 4464h = now + 186d
-TactZN="now-4635h"
-TretZN="now-171h"
-TactN="now-4467h"
-TretN="now-3h"
+# Subtract Iret (170h) - IretZ (38h) = 132h.
+#
+# Tact(N) = now - 4502h - 132h = now - 4634h
+# Tret(N) = now - 38h - 132h = now - 170h
+# Trem(N) = now + 132h - 132h = now
+# Tpub(N+1) = now - 41h - 132h = now - 173h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 4426h - 132h = now + 4294h
+# Trem(N+1) = now + 4492h - 132h = now + 4360h
+TactN="now-4634h"
+TretN="now-170h"
TremN="now"
-TpubN1="now-174h"
-TsbmN1="${TretZN}"
-TactZN1="${TretZN}"
-TretZN1="now+4293h"
+TpubN1="now-173h"
+TsbmN1="${TretN}"
TactN1="${TretN}"
-TretN1="now+4461h"
-TremN1="now+186d"
-csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}"
-newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
+TretN1="now+4294h"
+TremN1="now+4360h"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $U $TsbmN1 -z $H now-133h "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $H now-133h "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $O now-133h "$CSK2" > settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
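Review bot: The step5 Trem(N+1) line starts from a number that appears nowhere else: `# Trem(N+1) = now + 4492h - 132h = now + 4360h` — the step4 hunk sets it to 4429h, and with Iret = 170h it should be 4596h, giving 4596h - 132h = 4464h = 186d (the value the commit removes, `TremN1="now+186d"`), which is also Tret(N+1) + Iret = 4294h + 170h. The settime calls still shift the zone-signing state by the old 133h (`-z $H now-133h` on the changed CSK1 line and `-z $O now-133h` on the context line) although the step now subtracts 132h per its heading; `now-132h` would match the comment. The step6 hunk carries both over (`now + 4358h`, `now-135h`), so the same corrections apply there (4462h and `now-134h`).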
setup step6.csk-roll2.autosign
# Subtract DNSKEY TTL plus zone propagation delay (2h).
#
-# TactZ(N) = now - 4635h - 2h = now - 4637h
-# TretZ(N) = now - 171h - 2h = now - 173h
-# Tact(N) = now - 4467h - 2h = now - 4469h
-# Tret(N) = now - 3h - 2h = now - 5h
-# Trem(N) = now - 2h
-# Tpub(N+1) = now - 174h - 2h = now - 176h
-# Tsbm(N+1) = TretZ(N)
-# TactZ(N+1) = TretZ(N)
-# TretZ(N+1) = now + 4293h - 2h = now + 4291h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = now + 4461h - 2h = now + 4459h
-# Trem(N+1) = now + 4464h - 2h = now + 4462h
-TactZN="now-4637h"
-TretZN="now-173h"
-TactN="now-4469h"
-TretN="now-5h"
+# Tact(N) = now - 4634h - 2h = now - 4636h
+# Tret(N) = now - 170h - 2h = now - 172h
+# Trem(N) = now - 2h
+# Tpub(N+1) = now - 173h - 2h = now - 175h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 4294h - 2h = now + 4292h
+# Trem(N+1) = now + 4360h - 2h = now + 4358h
+TactN="now-4636h"
+TretN="now-172h"
TremN="now-2h"
-TpubN1="now-176h"
-TsbmN1="${TretZN}"
-TactZN1="${TretZN}"
-TretZN1="now+4291h"
+TpubN1="now-175h"
+TsbmN1="${TretN}"
TactN1="${TretN}"
-TretN1="now+4459h"
-TremN1="now+4462h"
-csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}"
-newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
+TretN1="now+4292h"
+TremN1="now+4358h"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1
# DNSSEC records.
check_dnssecstatus() {
_server=$1
- _zone=$2
- _view=$3
+ _policy=$2
+ _zone=$3
+ _view=$4
n=$((n+1))
- echo_i "check rndc dnssec -status output for ${_zone} ($n)"
+ echo_i "check rndc dnssec -status output for ${_zone} (policy: $_policy) ($n)"
ret=0
rndccmd $_server dnssec -status $_zone in $_view > rndc.dnssec.status.out.$_zone.$n || log_error "rndc dnssec -status zone ${_zone} failed"
- if [ "$POLICY" = "none" ]; then
- grep "zone does not have dnssec-policy" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for zone ${_zone}"
+ if [ "$_policy" = "none" ]; then
+ grep "Zone does not have dnssec-policy" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for unsigned zone ${_zone}"
else
- grep "dnssec-policy: ${POLICY}" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for zone ${_zone}"
+ grep "dnssec-policy: ${_policy}" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for signed zone ${_zone}"
if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
grep "key: $(key_get KEY1 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY1 ID) from dnssec status"
fi
status=$((status+ret))
}
+_loadkeys_on() {
+ _server=$1
+ _dir=$2
+ _zone=$3
+
+ nextpart $_dir/named.run > /dev/null
+ rndccmd $_server loadkeys $_zone in $_view > rndc.dnssec.loadkeys.out.$_zone.$n
+ wait_for_log 20 "zone ${_zone}/IN (signed): next key event" $_dir/named.run || return 1
+}
+
+# Tell named that the DS for the key in given zone has been seen in the
+# parent (this does not actually has to be true, we just issue the command
+# to make named believe it can continue with the rollover).
+rndc_checkds() {
+ _server=$1
+ _dir=$2
+ _keyid=$3
+ _when=$4
+ _what=$5
+ _zone=$6
+ _view=$7
+
+ echo_i "calling checkds $_what key ${_keyid} zone ${_zone} ($n)"
+
+ rndccmd $_server dnssec -checkds -key $_keyid -when $_when $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (key ${_keyid} when ${_when} what ${_what}) zone ${_zone} failed"
+ _loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
+}
+
+
# Check if RRset of type $1 in file $2 is signed with the right keys.
# The right keys are the ones that expect a signature and matches the role $3.
check_signatures() {
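Review bot: `_loadkeys_on` reads `$_view` on the `rndccmd $_server loadkeys $_zone in $_view` line but never receives it as an argument — it only works because `rndc_checkds` assigns the non-local `_view=$7` just before calling it, so a call from anywhere else would pick up whatever view the previous helper left behind. Suggest adding `_view=$4` next to `_zone=$3` and calling it as `_loadkeys_on $_server $_dir $_zone $_view`. That loadkeys command is also the only rndc call in this hunk whose exit status is ignored; appending `|| return 1` to it lets the helper's return value reflect a failed reload rather than only a missing log line. Minor: the header comment on rndc_checkds should read `this does not actually have to be true`.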
set_keystate "KEY1" "STATE_DS" "hidden"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify
+#
+# Zone: checkds-ksk.kasp.
+#
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+set_zone "checkds-ksk.kasp"
+set_policy "checkds-ksk" "2" "303"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "0"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
+# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "hidden"
+
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+basefile=$(key_get KEY1 BASEFILE)
+
+n=$((n+1))
+echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
+rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE"
+grep "DSPublish: 20190102121314" "${basefile}.state" > /dev/null || log_error "DSPublish not set in ${basefile}"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
+rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE"
+grep "DSRemoved: 20200102121314" "${basefile}.state" > /dev/null || log_error "DSRemoved not set in ${basefile}"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Zone: checkds-doubleksk.kasp.
+#
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+set_zone "checkds-doubleksk.kasp"
+set_policy "checkds-doubleksk" "3" "303"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+set_keyrole "KEY2" "ksk"
+set_keylifetime "KEY2" "0"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY2" "yes"
+set_zonesigning "KEY2" "no"
+
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "0"
+set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "yes"
+# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "hidden"
+
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY2" "STATE_DS" "hidden"
+
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+basefile1=$(key_get KEY1 BASEFILE)
+basefile2=$(key_get KEY2 BASEFILE)
+
+n=$((n+1))
+echo_i "checkds published does not set DSPublish for zone $ZONE (multiple KSK) ($n)"
+rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "published" "$ZONE"
+grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
+grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (multiple KSK) ($n)"
+rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "withdrawn" "$ZONE"
+grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
+grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checkds published -key correctly sets DSPublish for key $(key_get KEY1 ID) zone $ZONE (multiple KSK) ($n)"
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY1 ID) "20190102121314" "published" "$ZONE"
+grep "DSPublish: 20190102121314" "${basefile1}.state" > /dev/null || log_error "DSPublish not set in ${basefile1}"
+grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checkds withdrawn -key correctly sets DSRemoved for key $(key_get KEY2 ID) zone $ZONE (multiple KSK) ($n)"
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY2 ID) "20200102121314" "withdrawn" "$ZONE"
+grep "DSRemoved: 20200102121314" "${basefile2}.state" > /dev/null || log_error "DSRemoved not set in ${basefile2}"
+grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Zone: checkds-csk.kasp.
+#
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+set_zone "checkds-csk.kasp"
+set_policy "checkds-csk" "1" "303"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "hidden"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+basefile=$(key_get KEY1 BASEFILE)
+
+n=$((n+1))
+echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
+rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE"
+grep "DSPublish: 20190102121314" "${basefile}.state" || log_error "DSPublish not set in ${basefile}"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
+rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE"
+grep "DSRemoved: 20200102121314" "${basefile}.state" || log_error "DSRemoved not set in ${basefile}"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
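Review bot: Three of the `grep "DSRemoved:"` guards — both in the multiple-KSK withdraw test and the one on `${basefile1}` in the `-key` withdraw test — report `DSPublish incorrectly set`, so a genuine failure would be mislabelled; change them to `log_error "DSRemoved incorrectly set in ${basefile1}"` (and `${basefile2}` for the second). None of the six checkds test blocks resets `ret` after `n=$((n+1))`, so unless a helper I cannot see does it, a failure from an earlier check is carried into `test "$ret" -eq 0` and counted again in `status`; adding `ret=0` after each `n=$((n+1))` isolates them. The two greps on `${basefile}.state` in the checkds-csk zone lack the `> /dev/null` the checkds-ksk zone uses, so a matching line is echoed into the test output. For the double-KSK zone, if named answers the ambiguous `-checkds` without `-key` with a non-zero rndc status, the `|| log_error` inside `rndc_checkds` turns that expected refusal into a test failure — worth confirming what rndc returns there.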
# Set keytimes for dnssec-policy with various algorithms.
# These all use the same time values.
set_keytimes_algorithm_policy() {
key_clear "KEY4"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
key_clear "KEY4"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
set_keystate "KEY1" "STATE_DS" "hidden"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
key_clear "KEY4"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
# Key properties, timings and states same as above.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
# Key properties, timings and states same as above.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy "pregenerated"
check_keytimes
check_apex
# Key properties, timings and states same as above.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
# Key properties, timings and states same as above.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy "pregenerated"
check_keytimes
check_apex
# Key properties, timings and states same as above.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
# Activation date is a day later.
set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400
# Key properties, timings and states same as above.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
# Key timings and states same as above.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
# Key timings and states same as above.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
# Key timings and states same as above.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
# Key timings and states same as above.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
# Key timings and states same as above.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
key_clear "KEY4"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_autosign_policy
check_keytimes
check_apex
# Key properties, timings and states same as above.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_autosign_policy
check_keytimes
check_apex
# Key properties, timings and states same as above.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_autosign_policy
check_keytimes
check_apex
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_autosign_policy
# The old ZSK is retired.
set_server "ns2" "10.53.0.2"
TSIG=""
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
set_server "ns2" "10.53.0.2"
TSIG=""
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
TSIG="hmac-sha1:sha1:$SHA1"
wait_for_nsec
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
TSIG="hmac-sha224:sha224:$SHA224"
wait_for_nsec
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
TSIG="hmac-sha256:sha256:$SHA256"
wait_for_nsec
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
TSIG="hmac-sha224:sha224:$SHA224"
wait_for_nsec
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
TSIG="hmac-sha256:sha256:$SHA256"
wait_for_nsec
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
TSIG="hmac-sha1:keyforview1:$VIEW1"
wait_for_nsec
check_keys
-check_dnssecstatus "$SERVER" "$ZONE" "example1"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example1"
set_keytimes_csk_policy
check_keytimes
check_apex
TSIG="hmac-sha1:keyforview2:$VIEW2"
wait_for_nsec
check_keys
-check_dnssecstatus "$SERVER" "$ZONE" "example2"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
check_apex
dnssec_verify
n=$((n+1))
key_clear "KEY4"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The first key is immediately published and activated.
created=$(key_get KEY1 CREATED)
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The key was published and activated 900 seconds ago (with settime).
created=$(key_get KEY1 CREATED)
set_zone "step3.enable-dnssec.autosign"
set_policy "enable-dnssec" "1" "300"
set_server "ns3" "10.53.0.3"
-# The DS can be introduced.
+# All signatures should be omnipresent.
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "rumoured"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The key was published and activated 44700 seconds ago (with settime).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700
set_addkeytime "KEY1" "ACTIVE" "${created}" -44700
set_keytime "KEY1" "SYNCPUBLISH" "${created}"
+check_keytimes
+
+# The DS can be introduced. We ignore any parent registration delay, so set
+# the DS publish time to now ($created).
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "published" "$ZONE"
+set_keystate "KEY1" "STATE_DS" "rumoured"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_keytimes
check_apex
dnssec_verify
# Next key event is when the DS can move to the OMNIPRESENT state. This occurs
-# when the parent registration and propagation delay have passed, plus the
-# DS TTL and retire safety delay: 1d + 1h + 2h + 20m = 27h20m = 98400 seconds
-check_next_key_event 98400
+# when the parent propagation delay have passed, plus the DS TTL and retire
+# safety delay: 1h + 2h + 20m = 3h20m = 12000 seconds
+check_next_key_event 12000
#
# Zone: step4.enable-dnssec.autosign.
set_keystate "KEY1" "STATE_DS" "omnipresent"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# The key was published and activated 143100 seconds ago (with settime).
+# The key was published and activated 56700 seconds ago (with settime).
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -143100
-set_addkeytime "KEY1" "ACTIVE" "${created}" -143100
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -98400
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -56700
+set_addkeytime "KEY1" "ACTIVE" "${created}" -56700
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -12000
check_keytimes
check_apex
key_clear "KEY4"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# These keys are immediately published and activated.
rollover_predecessor_keytimes 0
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The old keys were activated 694 hours ago (2498400 seconds).
rollover_predecessor_keytimes -2498400
set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The old keys are activated 30 days ago (2592000 seconds).
rollover_predecessor_keytimes -2592000
set_keystate "KEY3" "STATE_ZRRSIG" "omnipresent"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The old keys are activated 961 hours ago (3459600 seconds).
rollover_predecessor_keytimes -3459600
set_keystate "KEY2" "STATE_DNSKEY" "hidden"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The old keys are activated 962 hours ago (3463200 seconds).
rollover_predecessor_keytimes -3463200
key_clear "KEY4"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# These keys are immediately published and activated.
rollover_predecessor_keytimes 0
dnssec_verify
# Next key event is when the successor KSK needs to be published. That is
-# the KSK lifetime - prepublication time - DS registration delay. The
-# prepublication time is DNSKEY TTL plus publish safety plus the zone
-# propagation delay. For the ksk-doubleksk policy that means:
-# 60d - (1d3h) - (1d) = 5000400 seconds.
-check_next_key_event 5000400
+# the KSK lifetime - prepublication time. The prepublication time is
+# DNSKEY TTL plus publish safety plus the zone propagation delay.
+# For the ksk-doubleksk policy that means: 60d - (1d3h) = 5086800 seconds.
+check_next_key_event 5086800
#
# Zone: step2.ksk-doubleksk.autosign.
set_keystate "KEY3" "STATE_DS" "hidden"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The old keys were activated 1413 hours ago (5086800 seconds).
rollover_predecessor_keytimes -5086800
# IpubC: 27h (97200 seconds)
IpubC=97200
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${IpubC}"
-# The new KSK becomes active after the registration delay.
-# Dreg: 1d (86400 seconds)
-Dreg=86400
-syncpub=$(key_get KEY3 SYNCPUBLISH)
-set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}"
+set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubC}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
check_keytimes
check_apex
set_zone "step3.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "3" "7200"
set_server "ns3" "10.53.0.3"
-# KSK (KEY1) DS will be removed, so it is UNRETENTIVE.
-set_keystate "KEY1" "STATE_DS" "unretentive"
-# New KSK (KEY3) has its DS submitted.
+
+# The DNSKEY RRset has become omnipresent.
+# Check keys before we tell named that we saw the DS has been replaced.
set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY3" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY3" "STATE_DS" "rumoured"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# The old DS (KEY1) can be withdrawn and the new DS (KEY3) can be introduced.
+# We ignore any parent registration delay, so set the DS publish time to now
+# ($created).
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "withdrawn" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY3 ID) "${created}" "published" "$ZONE"
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY3" "STATE_DS" "rumoured"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# The old keys were activated 59 days ago (5097600 seconds).
-rollover_predecessor_keytimes -5097600
+# The old keys were activated 60 days ago (5184000 seconds).
+rollover_predecessor_keytimes -5184000
# The new KSK is published 27 hours ago (97200 seconds).
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -97200
# The new KSK CDS is published now.
set_keytime "KEY3" "SYNCPUBLISH" "${created}"
-# The new KSK becomes active Dreg (1d) later.
syncpub=$(key_get KEY3 SYNCPUBLISH)
-set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}"
+set_keytime "KEY3" "ACTIVE" "${syncpub}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
check_keytimes
check_apex
# Next key event is when the predecessor DS has been replaced with the
# successor DS and enough time has passed such that the all validators that
# have this DS RRset cached only know about the successor DS. This is the
-# registration delay plus the retire interval, which is the parent
-# propagation delay plus the DS TTL plus the retire-safety. For the
-# ksk-double-ksk policy this means: 1d + 1h + 3600s + 2d = 3d2h =
-# 266400 seconds.
-check_next_key_event 266400
+# the retire interval, which is the parent propagation delay plus the DS TTL
+# plus the retire-safety. For the ksk-double-ksk policy this means:
+# 1h + 3600s + 2d = 2d2h = 180000 seconds.
+check_next_key_event 180000
#
# Zone: step4.ksk-doubleksk.autosign.
set_keystate "KEY3" "STATE_DS" "omnipresent"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The old keys were activated 1490 hours ago (5364000 seconds).
rollover_predecessor_keytimes -5364000
-# The new KSK is published 101 hours ago (363600 seconds).
+# The new KSK is published 77 hours ago (277200 seconds).
created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -363600
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -277200
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}"
syncpub=$(key_get KEY3 SYNCPUBLISH)
-set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}"
+set_keytime "KEY3" "ACTIVE" "${syncpub}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
check_keytimes
check_apex
set_keystate "KEY1" "STATE_KRRSIG" "hidden"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The old KSK is activated 1492 hours ago (5371200 seconds).
rollover_predecessor_keytimes -5371200
-# The new KSK is published 103 hours ago (370800 seconds).
+# The new KSK is published 79 hours ago (284400 seconds).
created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -370800
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -284400
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}"
syncpub=$(key_get KEY3 SYNCPUBLISH)
-set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}"
+set_keytime "KEY3" "ACTIVE" "${syncpub}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
check_keytimes
check_apex
dnssec_verify
# Next key event is when the new successor needs to be published. This is the
-# KSK lifetime minus Ipub minus Dreg minus Iret minus DNSKEY TTL. For the
+# KSK lifetime minus Ipub minus Iret minus DNSKEY TTL. For the
# ksk-doubleksk this is: 60d - 1d3h - 1d - 2d2h - 2h =
-# 5184000 - 97200 - 86400 - 180000 - 7200 = 4813200 seconds.
-check_next_key_event 4813200
+# 5184000 - 97200 - 180000 - 7200 = 4813200 seconds.
+check_next_key_event 4899600
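Review bot: The comment above `check_next_key_event 4899600` is out of sync with the new value: it still lists the `- 1d` registration-delay term this commit removes and still ends in `= 4813200 seconds`, while 5184000 - 97200 - 180000 - 7200 is 4899600. Change the two lines to `# ksk-doubleksk this is: 60d - 1d3h - 2d2h - 2h =` and `# 5184000 - 97200 - 180000 - 7200 = 4899600 seconds.`.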
#
# Testing CSK key rollover (1).
IretCSK=$IretZSK
csk_rollover_predecessor_keytimes() {
- _addksktime=$1
- _addzsktime=$2
+ _addtime=$1
_created=$(key_get KEY1 CREATED)
- set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addksktime}"
- set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addzsktime}"
- set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addzsktime}"
+ set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
[ "$Lcsk" == 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}"
}
key_clear "KEY4"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# This key is immediately published and activated.
-csk_rollover_predecessor_keytimes 0 0
+csk_rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
set_keystate "KEY2" "STATE_DS" "hidden"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 4437 hours ago (15973200 seconds)
-# and started signing 4461 hours ago (16059600 seconds).
-csk_rollover_predecessor_keytimes -15973200 -16059600
+# This key was activated 4461 hours ago (16059600 seconds).
+csk_rollover_predecessor_keytimes -16059600
# The new CSK is published now.
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "PUBLISHED" "${created}"
# Swap zone signing role.
set_zonesigning "KEY1" "no"
set_zonesigning "KEY2" "yes"
-# CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE.
+# CSK (KEY1) will be removed, so moving to UNRETENTIVE.
set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_DS" "unretentive"
-# New CSK (KEY2) has its DS submitted, and is signing, so the DS and ZRRSIG
-# are in RUMOURED state.
+# New CSK (KEY2) DNSKEY is OMNIPRESENT, so moving ZRRSIG to RUMOURED.
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY2" "STATE_DS" "rumoured"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
+# We ignore any parent registration delay, so set the DS publish time to now
+# ($created).
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "withdrawn" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "published" "$ZONE"
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY2" "STATE_DS" "rumoured"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 185 days ago (15984000 seconds)
-# and started signing 186 days ago (16070400 seconds).
-csk_rollover_predecessor_keytimes -15984000 -16070400
+# This key was activated 186 days ago (16070400 seconds).
+csk_rollover_predecessor_keytimes -16070400
# The new CSK is published three hours ago, CDS must be published now.
# Also signatures are being introduced now.
created=$(key_get KEY2 CREATED)
# Next key event is when the predecessor DS has been replaced with the
# successor DS and enough time has passed such that the all validators that
# have this DS RRset cached only know about the successor DS. This is the
-# registration delay plus the retire interval, which is the parent
-# propagation delay plus the DS TTL plus the retire-safety. For the
-# csk-roll policy this means: 1d + 1h + 1h + 2h = 1d4h = 100800 seconds.
-check_next_key_event 100800
+# the retire interval, which is the parent propagation delay plus the DS TTL
+# plus the retire-safety. For the csk-roll policy this means:
+# 1h + 1h + 2h = 4h = 14400 seconds.
+check_next_key_event 14400
#
# Zone: step4.csk-roll.autosign.
set_keystate "KEY2" "STATE_DS" "omnipresent"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# This key was activated 4468 hours ago (16084800 seconds)
-# and started signing 4492 hours ago (16171200 seconds).
-csk_rollover_predecessor_keytimes -16084800 -16171200
-# The new CSK started signing 1d4h ago (100800 seconds).
+csk_rollover_predecessor_keytimes -16084800
+# The new CSK started signing 4h ago (14400 seconds).
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "ACTIVE" "${created}" -100800
-set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -100800
+set_addkeytime "KEY2" "ACTIVE" "${created}" -14400
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -14400
syncpub=$(key_get KEY2 SYNCPUBLISH)
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
set_keystate "KEY1" "STATE_KRRSIG" "hidden"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 4470 hours ago (16092000 seconds)
-# and started signing 4494 hours ago (16178400 seconds).
-csk_rollover_predecessor_keytimes -16092000 -16178400
-# The new CSK started signing 1d6h ago (108000 seconds).
+# This key was activated 4470 hours ago (16092000 seconds).
+csk_rollover_predecessor_keytimes -16092000
+# The new CSK started signing 6h ago (21600 seconds).
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "ACTIVE" "${created}" -108000
-set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -108000
+set_addkeytime "KEY2" "ACTIVE" "${created}" -21600
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -21600
syncpub=$(key_get KEY2 SYNCPUBLISH)
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
# Next key event is when the DNSKEY can be removed. This is when all ZRRSIG
# records have been replaced with signatures of the new CSK. We have
-# calculated the interval to be 26d3h of which 1d4h (Dreg + Iret(KSK)) plus
+# calculated the interval to be 26d3h of which 4h (Iret(KSK)) plus
# 2h (DNSKEY TTL + Dprp) have already passed. So next key event is in
-# 26d3h - 1d4h - 2h = 597h = 2149200 seconds.
-check_next_key_event 2149200
+# 26d3h - 4h - 2h = 621h = 2235600 seconds.
+check_next_key_event 2235600
#
# Zone: step6.csk-roll.autosign.
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 5067 hours ago (18241200 seconds)
-# and started signing 5091 hours ago (18327600 seconds).
-csk_rollover_predecessor_keytimes -18241200 -18327600
+# This key was activated 5091 hours ago (18327600 seconds).
+csk_rollover_predecessor_keytimes -18327600
# The new CSK is activated 627 hours ago (2257200 seconds).
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "ACTIVE" "${created}" -2257200
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 5069 hours ago (18248400 seconds)
-# and started signing 5093 hours ago (18334800 seconds).
-csk_rollover_predecessor_keytimes -18248400 -18334800
+# This key was activated 5093 hours ago (18334800 seconds).
+csk_rollover_predecessor_keytimes -18334800
# The new CSK is activated 629 hours ago (2264400 seconds).
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "ACTIVE" "${created}" -2264400
# Policy parameters.
# Lcsk: 186 days (16070400 seconds)
-# Dreg: : 1w (604800 seconds)
-# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (1h)
-# Iret(KSK): 3h (10800 seconds)
+# Dreg: N/A
+# Iret(KSK): DS TTL (1h) + DprpP (1w) + retire-safety (1h)
+# Iret(KSK): 170h (61200 seconds)
# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (12h) + retire-safety (1h)
# Iret(ZSK): 38h (136800 seconds)
Lcsk=16070400
-Dreg=604800
-IretKSK=10800
+IretKSK=612000
IretZSK=136800
-IretCSK=$((Dreg+IretKSK))
+IretCSK=$IretKSK
#
# Zone: step1.csk-roll2.autosign.
key_clear "KEY4"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# This key is immediately published and activated.
-csk_rollover_predecessor_keytimes 0 0
+csk_rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
dnssec_verify
# Next key event is when the successor CSK needs to be published.
-# This is Lcsk - Ipub - Dreg.
-# Lcsk: 186d (16070400 seconds)
-# Ipub: 3h (10800 seconds)
+# This is Lcsk - Ipub.
+# Lcsk: 186d (16070400 seconds)
+# Ipub: 3h (10800 seconds)
+# Total: 186d3h (16059600 seconds)
check_next_key_event 16059600
#
set_keystate "KEY2" "STATE_DS" "hidden"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 4293 hours ago (15454800 seconds)
-# and started signing 4461 hours ago (16059600 seconds).
-csk_rollover_predecessor_keytimes -15454800 -16059600
+# This key was activated 4461 hours ago (16059600 seconds).
+csk_rollover_predecessor_keytimes -16059600
# The new CSK is published now.
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "PUBLISHED" "${created}"
# Next key event is when the successor CSK becomes OMNIPRESENT. That is the
# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
-# the csk-roll2 policy, this means 3 hours = 10800 seconds.
+# the csk-roll2 policy, this means 3h hours = 10800 seconds.
check_next_key_event 10800
#
set_zone "step3.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
-# CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE.
+# CSK (KEY1) can be removed, so move to UNRETENTIVE.
set_zonesigning "KEY1" "no"
set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_DS" "unretentive"
-# New CSK (KEY2) has its DS submitted, and is signing, so the DS and ZRRSIG
-# are in RUMOURED state.
+# New CSK (KEY2) DNSKEY is OMNIPRESENT, so move ZRRSIG to RUMOURED state.
set_zonesigning "KEY2" "yes"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY2" "STATE_DS" "rumoured"
-
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
+# We ignore any parent registration delay, so set the DS publish time to now
+# ($created).
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "withdrawn" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "published" "$ZONE"
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY2" "STATE_DS" "rumoured"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 179 days ago (15465600 seconds)
-# and started signing 186 days ago (16070400 seconds).
-csk_rollover_predecessor_keytimes -15465600 -16070400
+# This key was activated 186 days ago (16070400 seconds).
+csk_rollover_predecessor_keytimes -16070400
# The new CSK is published three hours ago, CDS must be published now.
# Also signatures are being introduced now.
created=$(key_get KEY2 CREATED)
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 4334 hours ago (15602400 seconds)
-# and started signing 4502 hours ago (16207200 seconds).
-csk_rollover_predecessor_keytimes -15602400 -16207200
+# This key was activated 4502 hours ago (16207200 seconds).
+csk_rollover_predecessor_keytimes -16207200
# The new CSK was published 41 hours (147600 seconds) ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -147600
# have this DS RRset cached only know about the successor DS. This is the
# registration delay plus the retire interval, which is the parent
# propagation delay plus the DS TTL plus the retire-safety. For the
-# csk-roll2 policy this means: 1w + 1h + 1h + 1h = 171h = 615600 seconds.
+# csk-roll2 policy this means: 1w + 1h + 1h = 170h = 612000 seconds.
# However, 136800 seconds have passed already, so 478800 seconds left.
-check_next_key_event 478800
+check_next_key_event 475200
#
# Zone: step5.csk-roll2.autosign.
set_keystate "KEY2" "STATE_DS" "omnipresent"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 4467 hours ago (16081200 seconds)
-# and started signing 4635 hours ago (16686000 seconds).
-csk_rollover_predecessor_keytimes -16081200 -16686000
-# The new CSK was published 174 hours (626400 seconds) ago.
+# This key was activated 4634 hours ago (16682400 seconds).
+csk_rollover_predecessor_keytimes -16682400
+# The new CSK was published 173 hours (622800 seconds) ago.
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -626400
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -622800
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
set_keystate "KEY1" "STATE_KRRSIG" "hidden"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 4469 hours ago (16088400 seconds)
-# and started signing 4637 hours ago (16693200 seconds).
-csk_rollover_predecessor_keytimes -16088400 -16693200
-# The new CSK was published 176 hours (633600 seconds) ago.
+# This key was activated 4636 hours ago (16689600 seconds).
+csk_rollover_predecessor_keytimes -16689600
+# The new CSK was published 175 hours (630000 seconds) ago.
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -633600
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -630000
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
# Next key event is when the new successor needs to be published.
# This is the Lcsk, minus time passed since the key was published.
# Lcsk: 186d (16070400 seconds)
-# Time passed: 176h (633600 seconds)
-check_next_key_event 15436800
+# Time passed: 175h (630000 seconds)
+check_next_key_event 15440400
#
# Testing algorithm rollover.
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# These keys are immediately published and activated.
Lksk=0
set_keystate "KEY1" "STATE_DS" "omnipresent"
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# This key is immediately published and activated.
Lcsk=0
IretCSK=0
-csk_rollover_predecessor_keytimes 0 0
+csk_rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
# Make sure the zone is signed with legacy keys.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# These keys are immediately published and activated.
rollover_predecessor_keytimes 0
# Make sure the zone is signed with legacy keys.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The KSK is immediately published and activated.
# -P : now-3900s
# Make sure the zone is signed with legacy keys.
check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The KSK is immediately published and activated.
# -P : now-3900s
check_keys
wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
rollover_predecessor_keytimes 0
# Key now has lifetime of 60 days (5184000 seconds).
check_keys
wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# KSK must be retired since it no longer matches the policy.
# -P : now-3900s
check_keys
wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# KSK must be retired since it no longer matches the policy.
# -P : now-3900s
check_keys
wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The old keys are published and activated.
rollover_predecessor_keytimes 0
check_keys
wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The old keys were activated three hours ago (10800 seconds).
rollover_predecessor_keytimes -10800
set_zone "step3.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
-# The RSAHSHA1 keys are outroducing, and it is time to swap the DS.
+# The ECDSAP256SHA256 keys are introducing.
+set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# It is time to swap the DS.
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY3" "STATE_DS" "rumoured"
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "withdrawn" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY3 ID) "${created}" "published" "$ZONE"
set_keystate "KEY1" "STATE_DS" "unretentive"
-# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset and all signatures
-# are now omnipresent, so the DS can be introduced.
set_keystate "KEY3" "STATE_DS" "rumoured"
-set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
check_keys
wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# The old keys were activated 9 hours ago (32400 seconds)
-# and retired 6 hours ago (21600 seconds).
+# The old keys were activated 9 hours ago (32400 seconds).
rollover_predecessor_keytimes -32400
created=$(key_get KEY1 CREATED)
dnssec_verify
# Next key event is when the DS becomes OMNIPRESENT. This happens after the
-# parent registration delay, parent propagation delay, retire safety delay,
-# and DS TTL: 24h + 1h + 2h + 2h = 29h = 104400 seconds.
-check_next_key_event 104400
+# parent propagation delay, retire safety delay, and DS TTL:
+# 1h + 2h + 2h = 5h = 18000 seconds.
+check_next_key_event 18000
#
# Zone: step4.algorithm-roll.kasp
check_keys
wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# The old keys were activated 38 hours ago (136800 seconds)
-# and retired 35 hours ago (126000 seconds).
+# The old keys were activated 38 hours ago (136800 seconds).
rollover_predecessor_keytimes -136800
created=$(key_get KEY1 CREATED)
check_keys
wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The old keys were activated 40 hours ago (144000 seconds)
# and retired 35 hours ago (133200 seconds).
check_keys
wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The old keys were activated 47 hours ago (169200 seconds)
# and retired 34 hours ago (158400 seconds).
check_keys
wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# CSK must be retired since it no longer matches the policy.
-csk_rollover_predecessor_keytimes 0 0
+csk_rollover_predecessor_keytimes 0
keyfile=$(key_get KEY1 BASEFILE)
grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
retired=$(awk '{print $3}' < retired.test${n}.ksk)
check_keys
wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The old key was activated three hours ago (10800 seconds).
-csk_rollover_predecessor_keytimes -10800 -10800
+csk_rollover_predecessor_keytimes -10800
# CSK must be retired since it no longer matches the policy.
created=$(key_get KEY1 CREATED)
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# The RSAHSHA1 key is outroducing, and it is time to swap the DS.
-set_keystate "KEY1" "STATE_DS" "unretentive"
# The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures
# are now omnipresent, so the DS can be introduced.
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
-set_keystate "KEY2" "STATE_DS" "rumoured"
check_keys
wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
+# We ignore any parent registration delay, so set the DS publish time to now
+# ($created).
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "withdrawn" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "published" "$ZONE"
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY2" "STATE_DS" "rumoured"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# The old key was activated 9 hours ago (10800 seconds)
-# and retired 6 hours ago (21600 seconds).
-csk_rollover_predecessor_keytimes -32400 -32400
+# The old key was activated 9 hours ago (32400 seconds)
+# and was retired 6 hours ago (21600 seconds).
+csk_rollover_predecessor_keytimes -32400
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -21600
retired=$(key_get KEY1 RETIRED)
dnssec_verify
# Next key event is when the DS becomes OMNIPRESENT. This happens after the
-# parent registration delay, parent propagation delay, retire safety delay,
-# and DS TTL: 24h + 1h + 2h + 2h = 29h = 104400 seconds.
-check_next_key_event 104400
+# parent propagation delay, retire safety delay, and DS TTL:
+# 1h + 2h + 2h = 5h = 18000 seconds.
+check_next_key_event 18000
#
# Zone: step4.csk-algorithm-roll.kasp
check_keys
wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The old key was activated 38 hours ago (136800 seconds)
# and retired 35 hours ago (126000 seconds).
-csk_rollover_predecessor_keytimes -136800 -136800
+csk_rollover_predecessor_keytimes -136800
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -126000
retired=$(key_get KEY1 RETIRED)
check_keys
wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The old key was activated 40 hours ago (144000 seconds)
# and retired 37 hours ago (133200 seconds).
-csk_rollover_predecessor_keytimes -144000 -144000
+csk_rollover_predecessor_keytimes -144000
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -133200
retired=$(key_get KEY1 RETIRED)
check_keys
wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The old keys were activated 47 hours ago (169200 seconds)
# and retired 44 hours ago (158400 seconds).
-csk_rollover_predecessor_keytimes -169200 -169200
+csk_rollover_predecessor_keytimes -169200
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -158400
retired=$(key_get KEY1 RETIRED)