Add test case for #3486

Add two scenarios where we change the dnssec-policy from using RSASHA1
to something with NSEC3.

The first case should work, as the DS is still in hidden state and we
can basically do anything with DNSSEC.

The second case should fail, because the DS of the predecessor is
published and we can't immediately remove the predecessor DNSKEY. So
in this case we should keep the NSEC chain for a bit longer.

Add two more scenarios where we change the dnssec-policy from using
NSEC3 to something NSEC only. Both should work because there are no
restrictions on using NSEC when it comes to algorithms, but in the
cases where the DS is published we can't bluntly remove the predecessor.

Extend the nsec3 system test by also checking the DNSKEY RRset for the
expected DNSKEY records. This requires some "kasp system"-style setup
for each test (setting key properties and key states). Also move the
dnssec-verify check inside the check_nsec/check_nsec3 functions because
we will have to do that every time.

diff --git a/bin/tests/system/nsec3/clean.sh b/bin/tests/system/nsec3/clean.sh
index 6383f29beaea7e997f150eba04f71f0853f3e3ee..d6b11e749b65329ca62594d3b195885cb5f27441 100644 (file)
--- a/bin/tests/system/nsec3/clean.sh
+++ b/bin/tests/system/nsec3/clean.sh
@@ -13,9 +13,10 @@
 
 set -e
 
-rm -f dig.out.* rndc.signing.*
+rm -f dig.out.* rndc.signing.* verify.out.*
 rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
 rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
 rm -f ns*/K*.private ns*/K*.key ns*/K*.state
 rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
-
+rm -f ns*/keygen.out.* ns*/settime.out.*
+rm -f created.key-* *.created unused.key-*

diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in
index 36c217ad3ceb5ea630036f4184a77b4600184a74..c94fa5d67915e73b79d38d85183672da16600cef 100644 (file)
--- a/bin/tests/system/nsec3/ns3/named.conf.in
+++ b/bin/tests/system/nsec3/ns3/named.conf.in
@@ -18,6 +18,12 @@ dnssec-policy "nsec" {
        // NSEC will be used;
 };
 
+dnssec-policy "rsasha1" {
+       keys {
+               csk lifetime unlimited algorithm rsasha1;
+       };
+};
+
 dnssec-policy "nsec3" {
        nsec3param;
 };
@@ -59,6 +65,56 @@ zone "nsec-to-nsec3.kasp" {
        dnssec-policy "nsec";
 };
 
+/*
+ * This zone starts with NSEC, but will be reconfigured to use NSEC3.
+ * This should work despite the incompatible RSAHSHA1 algorithm,
+ * because the DS is still in hidden state.
+ */
+zone "rsasha1-to-nsec3.kasp" {
+       type primary;
+       file "rsasha1-to-nsec3.kasp.db";
+       inline-signing yes;
+       dnssec-policy "rsasha1";
+};
+
+/*
+ * This zone starts with NSEC, but will be reconfigured to use NSEC3.
+ * This should block because RSASHA1 is not compatible with NSEC3,
+ * and the DS is published.
+ */
+zone "rsasha1-to-nsec3-wait.kasp" {
+       type primary;
+       file "rsasha1-to-nsec3-wait.kasp.db";
+       inline-signing yes;
+       dnssec-policy "rsasha1";
+};
+
+/*
+ * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
+ * NSEC only algorithm. This should work despite the incompatible RSAHSHA1
+ * algorithm, because the DS is still in hidden state.
+ */
+zone "nsec3-to-rsasha1.kasp" {
+       type primary;
+       file "nsec3-to-rsasha1.kasp.db";
+       inline-signing yes;
+       dnssec-policy "nsec3";
+};
+
+/*
+ * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
+ * NSEC only algorithm. This should also be fine because we are allowed
+ * to change to NSEC with any algorithm, then we can also publish the new
+ * DNSKEY and signatures of the RSASHA1 algorithm.
+ */
+zone "nsec3-to-rsasha1-ds.kasp" {
+       type primary;
+       file "nsec3-to-rsasha1-ds.kasp.db";
+       inline-signing yes;
+       dnssec-policy "nsec3";
+};
+
+
 /* These zones use the default NSEC3 settings. */
 zone "nsec3.kasp" {
        type primary;

diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in
index c81cd700491e70880c52638aaf8bf056dfbbcbde..d9764abcad6dea54341f189d806e3e002c41788a 100644 (file)
--- a/bin/tests/system/nsec3/ns3/named2.conf.in
+++ b/bin/tests/system/nsec3/ns3/named2.conf.in
@@ -18,6 +18,12 @@ dnssec-policy "nsec" {
        // NSEC will be used;
 };
 
+dnssec-policy "rsasha1" {
+       keys {
+               csk lifetime unlimited algorithm rsasha1;
+       };
+};
+
 dnssec-policy "nsec3" {
        nsec3param;
 };
@@ -60,6 +66,59 @@ zone "nsec-to-nsec3.kasp" {
        dnssec-policy "nsec3";
 };
 
+/*
+ * This zone starts with NSEC, but will be reconfigured to use NSEC3.
+ * This should work despite the incompatible RSAHSHA1 algorithm,
+ * because the DS is still in hidden state.
+ */
+zone "rsasha1-to-nsec3.kasp" {
+       type primary;
+       file "rsasha1-to-nsec3.kasp.db";
+       inline-signing yes;
+       //dnssec-policy "rsasha1";
+       dnssec-policy "nsec3";
+};
+
+/*
+ * This zone starts with NSEC, but will be reconfigured to use NSEC3.
+ * This should block because RSASHA1 is not compatible with NSEC3,
+ * and the DS is published.
+ */
+zone "rsasha1-to-nsec3-wait.kasp" {
+       type primary;
+       file "rsasha1-to-nsec3-wait.kasp.db";
+       inline-signing yes;
+       //dnssec-policy "rsasha1";
+       dnssec-policy "nsec3";
+};
+
+/*
+ * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
+ * NSEC only algorithm. This should work despite the incompatible RSAHSHA1
+ * algorithm, because the DS is still in hidden state.
+ */
+zone "nsec3-to-rsasha1.kasp" {
+       type primary;
+       file "nsec3-to-rsasha1.kasp.db";
+       inline-signing yes;
+       //dnssec-policy "nsec3";
+       dnssec-policy "rsasha1";
+};
+
+/*
+ * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
+ * NSEC only algorithm. This should also be fine because we are allowed
+ * to change to NSEC with any algorithm, then we can also publish the new
+ * DNSKEY and signatures of the RSASHA1 algorithm.
+ */
+zone "nsec3-to-rsasha1-ds.kasp" {
+       type primary;
+       file "nsec3-to-rsasha1-ds.kasp.db";
+       inline-signing yes;
+       //dnssec-policy "nsec3";
+       dnssec-policy "rsasha1";
+};
+
 /* These zones use the default NSEC3 settings. */
 zone "nsec3.kasp" {
        type primary;

diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh
index cbaf84ce8d456c331e18b735bdecb39fdfbffcf0..e2478ac3df171fec4f2c1975491b904a2b394aa4 100644 (file)
--- a/bin/tests/system/nsec3/ns3/setup.sh
+++ b/bin/tests/system/nsec3/ns3/setup.sh
@@ -30,4 +30,29 @@ do
        setup "${zn}.kasp"
 done
 
+if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1)
+then
+       for zn in rsasha1-to-nsec3 rsasha1-to-nsec3-wait nsec3-to-rsasha1 \
+                 nsec3-to-rsasha1-ds
+       do
+               setup "${zn}.kasp"
+       done
+
+       longago="now-1y"
+       keytimes="-P ${longago} -A ${longago}"
+       O="omnipresent"
+
+       zone="rsasha1-to-nsec3-wait.kasp"
+       CSK=$($KEYGEN -k "rsasha1" -l named.conf $keytimes $zone 2> keygen.out.$zone)
+       echo_i "Created key file $CSK"
+       $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" > settime.out.$zone 2>&1
+
+       zone="nsec3-to-rsasha1-ds.kasp"
+       CSK=$($KEYGEN -k "default" -l named.conf $keytimes $zone 2> keygen.out.$zone)
+       echo_i "Created key file $CSK"
+       $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" > settime.out.$zone 2>&1
+else
+       echo_i "skip: skip rsasha1 zones - signing with RSASHA1 not supported"
+fi
+
 cp nsec3-fails-to-load.kasp.db.in nsec3-fails-to-load.kasp.db

diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh
index d9c2b83d174013ae7151dddb847e87572d222412..f5865d5ab176ce866ffd7c598d8d81e88d31a357 100644 (file)
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -36,6 +36,8 @@ rndccmd() {
 set_zone_policy() {
        ZONE=$1
        POLICY=$2
+       NUM_KEYS=$3
+       DNSKEY_TTL=$4
 }
 # Set expected NSEC3 parameters: flags ($1), iterations ($2), and
 # salt length ($3).
@@ -47,6 +49,49 @@ set_nsec3param() {
        SALT=""
 }
 
+# Set expected default dnssec-policy keys values.
+set_key_default_values() {
+       key_clear $1
+
+       set_keyrole      $1 "csk"
+       set_keylifetime  $1 "0"
+       set_keyalgorithm $1 "13" "ECDSAP256SHA256" "256"
+       set_keysigning   $1 "yes"
+       set_zonesigning  $1 "yes"
+
+       set_keystate $1 "GOAL"         "omnipresent"
+       set_keystate $1 "STATE_DNSKEY" "rumoured"
+       set_keystate $1 "STATE_KRRSIG" "rumoured"
+       set_keystate $1 "STATE_ZRRSIG" "rumoured"
+       set_keystate $1 "STATE_DS"     "hidden"
+}
+
+# Set expected rsasha1 dnssec-policy keys values.
+set_key_rsasha1_values() {
+       key_clear $1
+
+       set_keyrole      $1 "csk"
+       set_keylifetime  $1 "0"
+       set_keyalgorithm $1 "5" "RSASHA1" "2048"
+       set_keysigning   $1 "yes"
+       set_zonesigning  $1 "yes"
+
+       set_keystate $1 "GOAL"         "omnipresent"
+       set_keystate $1 "STATE_DNSKEY" "rumoured"
+       set_keystate $1 "STATE_KRRSIG" "rumoured"
+       set_keystate $1 "STATE_ZRRSIG" "rumoured"
+       set_keystate $1 "STATE_DS"     "hidden"
+}
+
+# Update the key states.
+set_key_states() {
+       set_keystate $1 "GOAL"         "$2"
+       set_keystate $1 "STATE_DNSKEY" "$3"
+       set_keystate $1 "STATE_KRRSIG" "$4"
+       set_keystate $1 "STATE_ZRRSIG" "$5"
+       set_keystate $1 "STATE_DS"     "$6"
+}
+
 # The apex NSEC3PARAM record indicates that it is signed.
 _wait_for_nsec3param() {
        dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.test$n.wait" || return 1
@@ -79,24 +124,43 @@ wait_for_zone_is_signed() {
        status=$((status+ret))
 }
 
+# Test: check DNSSEC verify
+_check_dnssec_verify() {
+        dig_with_opts @$SERVER "${ZONE}" AXFR > "dig.out.test$n.axfr.$ZONE" || return 1
+        $VERIFY -z -o "$ZONE" "dig.out.test$n.axfr.$ZONE" > "verify.out.test$n.$ZONE" 2>&1 || return 1
+       return 0
+}
+
 # Test: check NSEC in answers
-_check_nsec_nsec3param()
-{
+_check_nsec_nsec3param() {
        dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1
        grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" > /dev/null && return 1
        return 0
 }
 
-_check_nsec_nxdomain()
-{
+_check_nsec_nxdomain() {
        dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1
        grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1
        grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" > /dev/null && return 1
        return 0
 }
 
-check_nsec()
-{
+check_nsec() {
+       n=$((n+1))
+       echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)"
+       ret=0
+       check_keys
+       retry_quiet 10 _check_apex_dnskey || log_error "bad DNSKEY RRset for zone ${ZONE}"
+       test "$ret" -eq 0 || echo_i "failed"
+       status=$((status+ret))
+
+       n=$((n+1))
+       echo_i "verify DNSSEC for zone ${ZONE} ($n)"
+       ret=0
+       retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}"
+       test "$ret" -eq 0 || echo_i "failed"
+       status=$((status+ret))
+
        n=$((n+1))
        echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)"
        ret=0
@@ -113,8 +177,7 @@ check_nsec()
 }
 
 # Test: check NSEC3 parameters in answers
-_check_nsec3_nsec3param()
-{
+_check_nsec3_nsec3param() {
        dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1
        grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" > /dev/null || return 1
 
@@ -124,15 +187,13 @@ _check_nsec3_nsec3param()
        return 0
 }
 
-_check_nsec3_nxdomain()
-{
+_check_nsec3_nxdomain() {
        dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1
        grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1
        return 0
 }
 
-check_nsec3()
-{
+check_nsec3() {
        n=$((n+1))
        echo_i "check that NSEC3PARAM 1 0 ${ITERATIONS} is published zone ${ZONE} ($n)"
        ret=0
@@ -146,74 +207,119 @@ check_nsec3()
        retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
        test "$ret" -eq 0 || echo_i "failed"
        status=$((status+ret))
+
+       n=$((n+1))
+       echo_i "verify DNSSEC for zone ${ZONE} ($n)"
+       ret=0
+       retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}"
+       test "$ret" -eq 0 || echo_i "failed"
+       status=$((status+ret))
 }
 
 start_time="$(TZ=UTC date +%s)"
 status=0
 n=0
 
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
 # Zone: nsec-to-nsec3.kasp.
-set_zone_policy "nsec-to-nsec3.kasp" "nsec"
+set_zone_policy "nsec-to-nsec3.kasp" "nsec" 1 3600
 set_server "ns3" "10.53.0.3"
+set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec
-dnssec_verify
+
+if ($SHELL ../testcrypto.sh -q RSASHA1)
+then
+       # Zone: rsasha1-to-nsec3.kasp.
+       set_zone_policy "rsasha1-to-nsec3.kasp" "rsasha1" 1 3600
+       set_server "ns3" "10.53.0.3"
+       set_key_rsasha1_values "KEY1"
+       echo_i "initial check zone ${ZONE}"
+       check_nsec
+
+       # Zone: rsasha1-to-nsec3-wait.kasp.
+       set_zone_policy "rsasha1-to-nsec3-wait.kasp" "rsasha1" 1 3600
+       set_server "ns3" "10.53.0.3"
+       set_key_rsasha1_values "KEY1"
+       set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+       echo_i "initial check zone ${ZONE}"
+       check_nsec
+
+       # Zone: nsec3-to-rsasha1.kasp.
+       set_zone_policy "nsec3-to-rsasha1.kasp" "nsec3" 1 3600
+       set_server "ns3" "10.53.0.3"
+       set_key_rsasha1_values "KEY1"
+       echo_i "initial check zone ${ZONE}"
+       check_nsec3
+
+       # Zone: nsec3-to-rsasha1-ds.kasp.
+       set_zone_policy "nsec3-to-rsasha1-ds.kasp" "nsec3" 1 3600
+       set_server "ns3" "10.53.0.3"
+       set_key_rsasha1_values "KEY1"
+       set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+       echo_i "initial check zone ${ZONE}"
+       check_nsec3
+fi
 
 # Zone: nsec3.kasp.
-set_zone_policy "nsec3.kasp" "nsec3"
+set_zone_policy "nsec3.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
-dnssec_verify
 
 # Zone: nsec3-dynamic.kasp.
-set_zone_policy "nsec3-dynamic.kasp" "nsec3"
+set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
-dnssec_verify
 
 # Zone: nsec3-change.kasp.
-set_zone_policy "nsec3-change.kasp" "nsec3"
+set_zone_policy "nsec3-change.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
-dnssec_verify
 
 # Zone: nsec3-dynamic-change.kasp.
-set_zone_policy "nsec3-dynamic-change.kasp" "nsec3"
+set_zone_policy "nsec3-dynamic-change.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
-dnssec_verify
 
 # Zone: nsec3-to-nsec.kasp.
-set_zone_policy "nsec3-to-nsec.kasp" "nsec3"
+set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
-dnssec_verify
 
 # Zone: nsec3-to-optout.kasp.
-set_zone_policy "nsec3-to-optout.kasp" "nsec3"
+set_zone_policy "nsec3-to-optout.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
-dnssec_verify
 
 # Zone: nsec3-from-optout.kasp.
-set_zone_policy "nsec3-from-optout.kasp" "optout"
+set_zone_policy "nsec3-from-optout.kasp" "optout" 1 3600
 set_nsec3param "1" "0" "0"
+set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
-dnssec_verify
 
 # Zone: nsec3-other.kasp.
-set_zone_policy "nsec3-other.kasp" "nsec3-other"
+set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600
 set_nsec3param "1" "11" "8"
+set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
-dnssec_verify
 
 # Reconfig named.
 echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
@@ -221,88 +327,139 @@ copy_setports ns3/named2.conf.in ns3/named.conf
 rndc_reconfig ns3 10.53.0.3
 
 # Zone: nsec-to-nsec3.kasp. (reconfigured)
-set_zone_policy "nsec-to-nsec3.kasp" "nsec3"
+set_zone_policy "nsec-to-nsec3.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
-dnssec_verify
+
+if ($SHELL ../testcrypto.sh -q RSASHA1)
+then
+       # Zone: rsasha1-to-nsec3.kasp.
+       set_zone_policy "rsasha1-to-nsec3.kasp" "nsec3" 2 3600
+       set_server "ns3" "10.53.0.3"
+       set_key_rsasha1_values "KEY1"
+       set_key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden"
+       set_keysigning  "KEY1" "no"
+       set_zonesigning "KEY1" "no"
+       set_key_default_values "KEY2"
+       echo_i "check zone ${ZONE} after reconfig"
+       check_nsec3
+
+       # Zone: rsasha1-to-nsec3-wait.kasp.
+       set_zone_policy "rsasha1-to-nsec3-wait.kasp" "nsec3" 2 3600
+       set_server "ns3" "10.53.0.3"
+       set_key_rsasha1_values "KEY1"
+       set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+       set_key_default_values "KEY2"
+       echo_i "check zone ${ZONE} after reconfig"
+
+       ret=0
+       wait_for_log 10 "zone $ZONE/IN (signed): wait building NSEC3 chain until NSEC only DNSKEYs are removed" ns3/named.run || ret=1
+       test "$ret" -eq 0 || echo_i "failed"
+       status=$((status+ret))
+
+       check_nsec
+
+       # Zone: nsec3-to-rsasha1.kasp.
+       set_zone_policy "nsec3-to-rsasha1.kasp" "rsasha1" 2 3600
+       set_server "ns3" "10.53.0.3"
+       set_key_default_values "KEY1"
+       set_key_states  "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden"
+       set_keysigning  "KEY1" "no"
+       set_zonesigning "KEY1" "no"
+       set_key_rsasha1_values "KEY2"
+       echo_i "check zone ${ZONE} after reconfig"
+       check_nsec
+
+       # Zone: nsec3-to-rsasha1-ds.kasp.
+       set_zone_policy "nsec3-to-rsasha1-ds.kasp" "rsasha1" 2 3600
+       set_server "ns3" "10.53.0.3"
+       set_key_default_values "KEY1"
+       set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+       set_key_rsasha1_values "KEY2"
+       echo_i "check zone ${ZONE} after reconfig"
+       check_nsec
+
+       key_clear "KEY1"
+       key_clear "KEY2"
+fi
 
 # Zone: nsec3.kasp. (same)
-set_zone_policy "nsec3.kasp" "nsec3"
+set_zone_policy "nsec3.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
-dnssec_verify
 
 # Zone: nsec3-dyamic.kasp. (same)
-set_zone_policy "nsec3-dynamic.kasp" "nsec3"
+set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
-dnssec_verify
 
 # Zone: nsec3-change.kasp. (reconfigured)
-set_zone_policy "nsec3-change.kasp" "nsec3-other"
+set_zone_policy "nsec3-change.kasp" "nsec3-other" 1 3600
 set_nsec3param "1" "11" "8"
+set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
-dnssec_verify
 
 # Zone: nsec3-dynamic-change.kasp. (reconfigured)
-set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other"
+set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other" 1 3600
 set_nsec3param "1" "11" "8"
+set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
-dnssec_verify
 
 # Zone: nsec3-to-nsec.kasp. (reconfigured)
-set_zone_policy "nsec3-to-nsec.kasp" "nsec"
+set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600
 set_nsec3param "1" "11" "8"
+set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec
-dnssec_verify
 
 # Zone: nsec3-to-optout.kasp. (reconfigured)
 # DISABLED:
 # There is a bug in the nsec3param building code that thinks when the
 # optout bit is changed, the chain already exists. [GL #2216]
-#set_zone_policy "nsec3-to-optout.kasp" "optout"
+#set_zone_policy "nsec3-to-optout.kasp" "optout" 1 3600
 #set_nsec3param "1" "0" "0"
+#set_key_default_values "KEY1"
 #echo_i "check zone ${ZONE} after reconfig"
 #check_nsec3
-#dnssec_verify
 
 # Zone: nsec3-from-optout.kasp. (reconfigured)
 # DISABLED:
 # There is a bug in the nsec3param building code that thinks when the
 # optout bit is changed, the chain already exists. [GL #2216]
-#set_zone_policy "nsec3-from-optout.kasp" "nsec3"
+#set_zone_policy "nsec3-from-optout.kasp" "nsec3" 1 3600
 #set_nsec3param "0" "0" "0"
+#set_key_default_values "KEY1"
 #echo_i "check zone ${ZONE} after reconfig"
 #check_nsec3
-#dnssec_verify
 
 # Zone: nsec3-other.kasp. (same)
-set_zone_policy "nsec3-other.kasp" "nsec3-other"
+set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600
 set_nsec3param "1" "11" "8"
+set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
-dnssec_verify
 
 # Using rndc signing -nsec3param (should fail)
-set_zone_policy "nsec3-change.kasp" "nsec3-other"
+set_zone_policy "nsec3-change.kasp" "nsec3-other" 1 3600
 echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings"
 rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE > rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE"
 grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE > /dev/null || log_error "rndc signing -nsec3param should fail"
 check_nsec3
-dnssec_verify
 
 # Test NSEC3 and NSEC3PARAM is the same after restart
-set_zone_policy "nsec3.kasp" "nsec3"
+set_zone_policy "nsec3.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} before restart"
 check_nsec3
-dnssec_verify
 
 # Restart named, NSEC3 should stay the same.
 ret=0
@@ -318,22 +475,22 @@ test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
 prevsalt="${SALT}"
-set_zone_policy "nsec3.kasp" "nsec3"
+set_zone_policy "nsec3.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
 SALT="${prevsalt}"
 echo_i "check zone ${ZONE} after restart has salt ${SALT}"
 check_nsec3
-dnssec_verify
 
 # Zone: nsec3-fails-to-load.kasp. (should be fixed after reload)
 cp ns3/template.db.in ns3/nsec3-fails-to-load.kasp.db
 rndc_reload ns3 10.53.0.3
 
-set_zone_policy "nsec3-fails-to-load.kasp" "nsec3"
+set_zone_policy "nsec3-fails-to-load.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reload"
 check_nsec3
-dnssec_verify
 
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1