From: Matthijs Mekking <matthijs@isc.org>
Date: Wed, 19 Mar 2025 15:28:33 +0000 (+0100)
Subject: Convert algorithm rollover tests to pytest
X-Git-Tag: v9.21.10~48^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=80992c7b96d0fe1cc10130963766225780dd6ed1;p=thirdparty%2Fbind9.git

Convert algorithm rollover tests to pytest

Roll the algorithm rollover test cases over to the rollover directory
and rewrite using pytest.
---

diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in
index df02890922a..2bee0a04b92 100644
--- a/bin/tests/system/kasp/ns6/named.conf.in
+++ b/bin/tests/system/kasp/ns6/named.conf.in
@@ -44,19 +44,6 @@ zone "." {
 	file "../../_common/root.hint.blackhole";
 };
 
-/* These are alorithm rollover test zones. */
-zone "step1.algorithm-roll.kasp" {
-	type primary;
-	file "step1.algorithm-roll.kasp.db";
-	dnssec-policy "rsasha256";
-};
-
-zone "step1.csk-algorithm-roll.kasp" {
-	type primary;
-	file "step1.csk-algorithm-roll.kasp.db";
-	dnssec-policy "csk-algoroll";
-};
-
 zone example {
 	type primary;
 	file "example.db";
diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in
index 83af019480d..85af830a3c2 100644
--- a/bin/tests/system/kasp/ns6/named2.conf.in
+++ b/bin/tests/system/kasp/ns6/named2.conf.in
@@ -43,84 +43,6 @@ zone "." {
 	file "../../_common/root.hint.blackhole";
 };
 
-/*
- * Zones for testing KSK/ZSK algorithm roll.
- */
-zone "step1.algorithm-roll.kasp" {
-	type primary;
-	file "step1.algorithm-roll.kasp.db";
-	dnssec-policy "ecdsa256";
-};
-
-zone "step2.algorithm-roll.kasp" {
-	type primary;
-	file "step2.algorithm-roll.kasp.db";
-	dnssec-policy "ecdsa256";
-};
-
-zone "step3.algorithm-roll.kasp" {
-	type primary;
-	file "step3.algorithm-roll.kasp.db";
-	dnssec-policy "ecdsa256";
-};
-
-zone "step4.algorithm-roll.kasp" {
-	type primary;
-	file "step4.algorithm-roll.kasp.db";
-	dnssec-policy "ecdsa256";
-};
-
-zone "step5.algorithm-roll.kasp" {
-	type primary;
-	file "step5.algorithm-roll.kasp.db";
-	dnssec-policy "ecdsa256";
-};
-
-zone "step6.algorithm-roll.kasp" {
-	type primary;
-	file "step6.algorithm-roll.kasp.db";
-	dnssec-policy "ecdsa256";
-};
-
-/*
- * Zones for testing CSK algorithm roll.
- */
-zone "step1.csk-algorithm-roll.kasp" {
-	type primary;
-	file "step1.csk-algorithm-roll.kasp.db";
-	dnssec-policy "csk-algoroll";
-};
-
-zone "step2.csk-algorithm-roll.kasp" {
-	type primary;
-	file "step2.csk-algorithm-roll.kasp.db";
-	dnssec-policy "csk-algoroll";
-};
-
-zone "step3.csk-algorithm-roll.kasp" {
-	type primary;
-	file "step3.csk-algorithm-roll.kasp.db";
-	dnssec-policy "csk-algoroll";
-};
-
-zone "step4.csk-algorithm-roll.kasp" {
-	type primary;
-	file "step4.csk-algorithm-roll.kasp.db";
-	dnssec-policy "csk-algoroll";
-};
-
-zone "step5.csk-algorithm-roll.kasp" {
-	type primary;
-	file "step5.csk-algorithm-roll.kasp.db";
-	dnssec-policy "csk-algoroll";
-};
-
-zone "step6.csk-algorithm-roll.kasp" {
-	type primary;
-	file "step6.csk-algorithm-roll.kasp.db";
-	dnssec-policy "csk-algoroll";
-};
-
 zone example {
 	type primary;
 	file "example.db";
diff --git a/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
index 4f7db5ad517..b217aa68cc0 100644
--- a/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
+++ b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
@@ -37,41 +37,3 @@ dnssec-policy "long-lifetime" {
 		csk lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
 	};
 };
-
-dnssec-policy "rsasha256" {
-	signatures-refresh P5D;
-	signatures-validity 30d;
-	signatures-validity-dnskey 30d;
-
-	keys {
-		ksk lifetime unlimited algorithm rsasha256;
-		zsk lifetime unlimited algorithm rsasha256;
-	};
-
-	dnskey-ttl 1h;
-	publish-safety PT1H;
-	retire-safety 2h;
-	zone-propagation-delay 3600;
-	max-zone-ttl 6h;
-	parent-propagation-delay pt1h;
-	parent-ds-ttl 7200;
-};
-
-dnssec-policy "ecdsa256" {
-	signatures-refresh P5D;
-	signatures-validity 30d;
-	signatures-validity-dnskey 30d;
-
-	keys {
-		ksk lifetime unlimited algorithm ecdsa256;
-		zsk lifetime unlimited algorithm ecdsa256;
-	};
-
-	dnskey-ttl 1h;
-	publish-safety PT1H;
-	retire-safety 2h;
-	zone-propagation-delay 3600;
-	max-zone-ttl 6h;
-	parent-propagation-delay pt1h;
-	parent-ds-ttl 7200;
-};
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh
index 306178c7b32..e094e7efdd0 100644
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
@@ -16,335 +16,6 @@
 
 echo_i "ns6/setup.sh"
 
-setup() {
-  zone="$1"
-  echo_i "setting up zone: $zone"
-  zonefile="${zone}.db"
-  infile="${zone}.db.infile"
-}
-
-# Make lines shorter by storing key states in environment variables.
-H="HIDDEN"
-R="RUMOURED"
-O="OMNIPRESENT"
-U="UNRETENTIVE"
-
-#
-# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
-# algorithm rollover.
-#
-
-# Step 1:
-# Introduce the first key. This will immediately be active.
-setup step1.algorithm-roll.kasp
-echo "$zone" >>zones
-TactN="now"
-ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
-zsktimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
-private_type_record $zone 8 "$KSK" >>"$infile"
-private_type_record $zone 8 "$ZSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 2:
-# After the publication interval has passed the DNSKEY is OMNIPRESENT.
-setup step2.algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 3 hours.
-TactN="now-3h"
-TpubN1="now-3h"
-# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp =
-# now - 3h + 6h + 1h = now + 4h
-TsbmN1="now+4h"
-ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I now"
-zsk1times="-P ${TactN}  -A ${TactN}                    -I now"
-ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${KSK1}.state"
-echo "Lifetime: 0" >>"${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone 8 "$KSK1" >>"$infile"
-private_type_record $zone 8 "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 3:
-# The zone signatures are also OMNIPRESENT.
-setup step3.algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 7 hours.
-TactN="now-7h"
-TretN="now-3h"
-TpubN1="now-7h"
-TsbmN1="now"
-ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
-zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
-ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${KSK1}.state"
-echo "Lifetime: 0" >>"${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone 8 "$KSK1" >>"$infile"
-private_type_record $zone 8 "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 4:
-# The DS is swapped and can become OMNIPRESENT.
-setup step4.algorithm-roll.kasp
-# The time passed since the DS has been swapped is 29 hours.
-TactN="now-36h"
-TretN="now-33h"
-TpubN1="now-36h"
-TsbmN1="now-29h"
-TactN1="now-27h"
-ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
-zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
-ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" >settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${KSK1}.state"
-echo "Lifetime: 0" >>"${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone 8 "$KSK1" >>"$infile"
-private_type_record $zone 8 "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 5:
-# The DNSKEY is removed long enough to be HIDDEN.
-setup step5.algorithm-roll.kasp
-# The time passed since the DNSKEY has been removed is 2 hours.
-TactN="now-38h"
-TretN="now-35h"
-TremN="now-2h"
-TpubN1="now-38h"
-TsbmN1="now-31h"
-TactN1="now-29h"
-ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
-zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
-ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${KSK1}.state"
-echo "Lifetime: 0" >>"${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone 8 "$KSK1" >>"$infile"
-private_type_record $zone 8 "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 6:
-# The RRSIGs have been removed long enough to be HIDDEN.
-setup step6.algorithm-roll.kasp
-# Additional time passed: 7h.
-TactN="now-45h"
-TretN="now-42h"
-TremN="now-7h"
-TpubN1="now-45h"
-TsbmN1="now-38h"
-TactN1="now-36h"
-TdeaN="now-7h"
-ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
-zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
-ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
-$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${KSK1}.state"
-echo "Lifetime: 0" >>"${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone 8 "$KSK1" >>"$infile"
-private_type_record $zone 8 "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-#
-# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
-# algorithm rollover.
-#
-
-# Step 1:
-# Introduce the first key. This will immediately be active.
-setup step1.csk-algorithm-roll.kasp
-echo "$zone" >>zones
-TactN="now"
-csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" >"$infile"
-private_type_record $zone 5 "$CSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 2:
-# After the publication interval has passed the DNSKEY is OMNIPRESENT.
-setup step2.csk-algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 3 hours.
-TactN="now-3h"
-TpubN1="now-3h"
-csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I now"
-newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone 5 "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 3:
-# The zone signatures are also OMNIPRESENT.
-setup step3.csk-algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 7 hours.
-TactN="now-7h"
-TretN="now-3h"
-TpubN1="now-7h"
-TactN1="now-3h"
-csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
-newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone 5 "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 4:
-# The DS is swapped and can become OMNIPRESENT.
-setup step4.csk-algorithm-roll.kasp
-# The time passed since the DS has been swapped is 29 hours.
-TactN="now-36h"
-TretN="now-33h"
-TpubN1="now-36h"
-TactN1="now-33h"
-TsubN1="now-29h"
-csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
-newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone 5 "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 5:
-# The DNSKEY is removed long enough to be HIDDEN.
-setup step5.csk-algorithm-roll.kasp
-# The time passed since the DNSKEY has been removed is 2 hours.
-TactN="now-38h"
-TretN="now-35h"
-TremN="now-2h"
-TpubN1="now-38h"
-TactN1="now-35h"
-TsubN1="now-31h"
-csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
-newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" >settime.out.$zone.2 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone 5 "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 6:
-# The RRSIGs have been removed long enough to be HIDDEN.
-setup step6.csk-algorithm-roll.kasp
-# Additional time passed: 7h.
-TactN="now-45h"
-TretN="now-42h"
-TdeaN="now-9h"
-TremN="now-7h"
-TpubN1="now-45h"
-TactN1="now-42h"
-TsubN1="now-38h"
-csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
-newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone 5 "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
 #
 # Reload testing
 #
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 2dc7957c7b1..2114fd08cf0 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -85,1059 +85,5 @@ retry_quiet 30 _wait_for_done_apexnsec || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
-set_keytimes_csk_policy() {
-  # The first key is immediately published and activated.
-  created=$(key_get KEY1 CREATED)
-  set_keytime "KEY1" "PUBLISHED" "${created}"
-  set_keytime "KEY1" "ACTIVE" "${created}"
-  # The DS can be published if the DNSKEY and RRSIG records are
-  # OMNIPRESENT.  This happens after max-zone-ttl (1d) plus
-  # zone-propagation-delay (300s) = 86400 + 300 = 86700.
-  set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 86700
-  # Key lifetime is unlimited, so not setting RETIRED and REMOVED.
-}
-
-# Set keytimes for dnssec-policy with various algorithms.
-# These all use the same time values.
-set_keytimes_algorithm_policy() {
-  # The first KSK is immediately published and activated.
-  created=$(key_get KEY1 CREATED)
-  set_keytime "KEY1" "PUBLISHED" "${created}"
-  set_keytime "KEY1" "ACTIVE" "${created}"
-  # Key was pregenerated.
-  if [ "$1" = "pregenerated" ]; then
-    keyfile=$(key_get KEY1 BASEFILE)
-    grep "; Publish:" "${keyfile}.key" >published.test${n}.key1
-    published=$(awk '{print $3}' <published.test${n}.key1)
-    set_keytime "KEY1" "PUBLISHED" "${published}"
-    set_keytime "KEY1" "ACTIVE" "${published}"
-  fi
-  published=$(key_get KEY1 PUBLISHED)
-
-  # The DS can be published if the DNSKEY and RRSIG records are
-  # OMNIPRESENT.  This happens after max-zone-ttl (1d) plus
-  # zone-propagation-delay (300s) = 86400 + 300 = 86700.
-  set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 86700
-  # Key lifetime is 10 years, 315360000 seconds.
-  set_addkeytime "KEY1" "RETIRED" "${published}" 315360000
-  # The key is removed after the retire time plus DS TTL (1d),
-  # parent propagation delay (1h), and retire safety (1h) =
-  # 86400 + 3600 + 3600 = 93600.
-  retired=$(key_get KEY1 RETIRED)
-  set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
-
-  # The first ZSKs are immediately published and activated.
-  created=$(key_get KEY2 CREATED)
-  set_keytime "KEY2" "PUBLISHED" "${created}"
-  set_keytime "KEY2" "ACTIVE" "${created}"
-  # Key was pregenerated.
-  if [ "$1" = "pregenerated" ]; then
-    keyfile=$(key_get KEY2 BASEFILE)
-    grep "; Publish:" "${keyfile}.key" >published.test${n}.key2
-    published=$(awk '{print $3}' <published.test${n}.key2)
-    set_keytime "KEY2" "PUBLISHED" "${published}"
-    set_keytime "KEY2" "ACTIVE" "${published}"
-  fi
-  published=$(key_get KEY2 PUBLISHED)
-
-  # Key lifetime for KSK2 is 5 years, 157680000 seconds.
-  set_addkeytime "KEY2" "RETIRED" "${published}" 157680000
-  # The key is removed after the retire time plus max zone ttl (1d), zone
-  # propagation delay (300s), retire safety (1h), and sign delay
-  # (signature validity minus refresh, 9d) =
-  # 86400 + 300 + 3600 + 777600 = 867900.
-  retired=$(key_get KEY2 RETIRED)
-  set_addkeytime "KEY2" "REMOVED" "${retired}" 867900
-
-  # Second ZSK (KEY3).
-  created=$(key_get KEY3 CREATED)
-  set_keytime "KEY3" "PUBLISHED" "${created}"
-  set_keytime "KEY3" "ACTIVE" "${created}"
-  # Key was pregenerated.
-  if [ "$1" = "pregenerated" ]; then
-    keyfile=$(key_get KEY3 BASEFILE)
-    grep "; Publish:" "${keyfile}.key" >published.test${n}.key3
-    published=$(awk '{print $3}' <published.test${n}.key3)
-    set_keytime "KEY3" "PUBLISHED" "${published}"
-    set_keytime "KEY3" "ACTIVE" "${published}"
-  fi
-  published=$(key_get KEY3 PUBLISHED)
-
-  # Key lifetime for KSK3 is 1 year, 31536000 seconds.
-  set_addkeytime "KEY3" "RETIRED" "${published}" 31536000
-  retired=$(key_get KEY3 RETIRED)
-  set_addkeytime "KEY3" "REMOVED" "${retired}" 867900
-}
-
-# TODO: we might want to test:
-# - configuring a zone with too many active keys (should trigger retire).
-# - configuring a zone with keys not matching the policy.
-
-# Set key times for 'autosign' policy.
-set_keytimes_autosign_policy() {
-  # The KSK was published six months ago (with settime).
-  created=$(key_get KEY1 CREATED)
-  set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000
-  set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000
-  set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000
-  # Key lifetime is 2 years, 63072000 seconds.
-  active=$(key_get KEY1 ACTIVE)
-  set_addkeytime "KEY1" "RETIRED" "${active}" 63072000
-  # The key is removed after the retire time plus DS TTL (1d),
-  # parent propagation delay (1h), retire safety (1h) =
-  # 86400 + 3600 + 3600 = 93600
-  retired=$(key_get KEY1 RETIRED)
-  set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
-
-  # The ZSK was published six months ago (with settime).
-  created=$(key_get KEY2 CREATED)
-  set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000
-  set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000
-  # Key lifetime for KSK2 is 1 year, 31536000 seconds.
-  active=$(key_get KEY2 ACTIVE)
-  set_addkeytime "KEY2" "RETIRED" "${active}" 31536000
-  # The key is removed after the retire time plus:
-  # TTLsig (RRSIG TTL):       1 day (86400 seconds)
-  # Dprp (propagation delay): 5 minutes (300 seconds)
-  # retire-safety:            1 hour (3600 seconds)
-  # Dsgn (sign delay):        7 days (604800 seconds)
-  # Iret:                     695100 seconds.
-  retired=$(key_get KEY2 RETIRED)
-  set_addkeytime "KEY2" "REMOVED" "${retired}" 695100
-}
-
-_check_next_key_event() {
-  _expect=$1
-
-  grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" >"keyevent.out.$ZONE.test$n" || return 1
-
-  # Get the latest next key event.
-  if [ "${DYNAMIC}" = "yes" ]; then
-    _time=$(awk '{print $8}' <"keyevent.out.$ZONE.test$n" | tail -1)
-  else
-    # inline-signing zone adds "(signed)"
-    _time=$(awk '{print $9}' <"keyevent.out.$ZONE.test$n" | tail -1)
-  fi
-
-  # The next key event time must within threshold of the
-  # expected time.
-  _expectmin=$((_expect - next_key_event_threshold))
-  _expectmax=$((_expect + next_key_event_threshold))
-
-  test $_expectmin -le "$_time" || return 1
-  test $_expectmax -ge "$_time" || return 1
-
-  return 0
-}
-
-check_next_key_event() {
-  n=$((n + 1))
-  echo_i "check next key event for zone ${ZONE} ($n)"
-  ret=0
-
-  retry_quiet 3 _check_next_key_event $1 || log_error "bad next key event time for zone ${ZONE} (expect ${_expect})"
-  test "$ret" -eq 0 || echo_i "failed"
-  status=$((status + ret))
-
-}
-
-set_retired_removed() {
-  _Lkey=$2
-  _Iret=$3
-
-  _active=$(key_get $1 ACTIVE)
-  set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}"
-  _retired=$(key_get $1 RETIRED)
-  set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
-}
-
-rollover_predecessor_keytimes() {
-  _addtime=$1
-
-  _created=$(key_get KEY1 CREATED)
-  set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
-  set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
-  set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
-  [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
-
-  _created=$(key_get KEY2 CREATED)
-  set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
-  set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
-  [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
-}
-
-csk_rollover_predecessor_keytimes() {
-  _addtime=$1
-
-  _created=$(key_get KEY1 CREATED)
-  set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
-  set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
-  set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
-  [ "$Lcsk" = 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}"
-}
-
-#
-# Testing algorithm rollover.
-#
-Lksk=0
-Lzsk=0
-IretKSK=0
-IretZSK=0
-
-#
-# Zone: step1.algorithm-roll.kasp
-#
-set_zone "step1.algorithm-roll.kasp"
-set_policy "rsasha256" "2" "3600"
-set_server "ns6" "10.53.0.6"
-# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
-
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "0"
-set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
-key_clear "KEY3"
-key_clear "KEY4"
-
-# The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
-
-set_keystate "KEY2" "GOAL" "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
-
-# Various signing policy checks.
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# These keys are immediately published and activated.
-rollover_predecessor_keytimes 0
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when the successor keys need to be published.
-# Since the lifetime of the keys are unlimited, so default to loadkeys
-# interval.
-check_next_key_event 3600
-
-#
-# Zone: step1.csk-algorithm-roll.kasp
-#
-set_zone "step1.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "1" "3600"
-set_server "ns6" "10.53.0.6"
-# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
-key_clear "KEY2"
-key_clear "KEY3"
-key_clear "KEY4"
-# The CSK (KEY1) starts in OMNIPRESENT.
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
-
-# Various signing policy checks.
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key is immediately published and activated.
-Lcsk=0
-IretCSK=0
-csk_rollover_predecessor_keytimes 0
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when the successor keys need to be published.
-# Since the lifetime of the keys are unlimited, so default to loadkeys
-# interval.
-check_next_key_event 3600
-
-# Reconfig dnssec-policy (triggering algorithm roll and other dnssec-policy
-# changes).
-echo_i "reconfig dnssec-policy to trigger algorithm rollover"
-copy_setports ns6/named2.conf.in ns6/named.conf
-rndc_reconfig ns6 10.53.0.6
-
-# Calculate time passed to correctly check for next key events.
-now="$(TZ=UTC date +%s)"
-time_passed=$((now - start_time))
-echo_i "${time_passed} seconds passed between start of tests and reconfig"
-
-# Wait until we have seen "zone_rekey done:" message for this key.
-_wait_for_done_signing() {
-  _zone=$1
-
-  _ksk=$(key_get $2 KSK)
-  _zsk=$(key_get $2 ZSK)
-  if [ "$_ksk" = "yes" ]; then
-    _role="KSK"
-    _expect_type=EXPECT_KRRSIG
-  elif [ "$_zsk" = "yes" ]; then
-    _role="ZSK"
-    _expect_type=EXPECT_ZRRSIG
-  fi
-
-  if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then
-    _keyid=$(key_get $2 ID)
-    _keyalg=$(key_get $2 ALG_STR)
-    echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
-    grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" >/dev/null || return 1
-  fi
-
-  return 0
-}
-
-wait_for_done_signing() {
-  n=$((n + 1))
-  echo_i "wait for zone ${ZONE} is done signing ($n)"
-  ret=0
-
-  retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1
-  retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1
-  retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1
-  retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1
-
-  test "$ret" -eq 0 || echo_i "failed"
-  status=$((status + ret))
-}
-
-#
-# Testing KSK/ZSK algorithm rollover.
-#
-
-# Policy parameters.
-# Lksk: unlimited
-# Lzsk: unlimited
-Lksk=0
-Lzsk=0
-
-#
-# Zone: step1.algorithm-roll.kasp
-#
-set_zone "step1.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
-set_server "ns6" "10.53.0.6"
-# Old RSASHA1 keys.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
-
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "0"
-set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
-# New ECDSAP256SHA256 keys.
-key_clear "KEY3"
-set_keyrole "KEY3" "ksk"
-set_keylifetime "KEY3" "0"
-set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY3" "yes"
-set_zonesigning "KEY3" "no"
-
-key_clear "KEY4"
-set_keyrole "KEY4" "zsk"
-set_keylifetime "KEY4" "0"
-set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY4" "no"
-set_zonesigning "KEY4" "yes"
-# The RSAHSHA1 keys are outroducing.
-set_keystate "KEY1" "GOAL" "hidden"
-set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
-set_keystate "KEY2" "GOAL" "hidden"
-set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
-# The ECDSAP256SHA256 keys are introducing.
-set_keystate "KEY3" "GOAL" "omnipresent"
-set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY3" "STATE_DS" "hidden"
-set_keystate "KEY4" "GOAL" "omnipresent"
-set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old keys are published and activated.
-rollover_predecessor_keytimes 0
-# - KSK must be retired since it no longer matches the policy.
-keyfile=$(key_get KEY1 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk
-retired=$(awk '{print $3}' <retired.test${n}.ksk)
-set_keytime "KEY1" "RETIRED" "${retired}"
-# - The key is removed after the retire interval:
-#   IretKSK = TTLds + DprpP + retire-safety
-#   TTLds:         2h (7200 seconds)
-#   DprpP:         1h (3600 seconds)
-#   retire-safety: 2h (7200 seconds)
-#   IretKSK:       5h (18000 seconds)
-IretKSK=18000
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
-# - ZSK must be retired since it no longer matches the policy.
-keyfile=$(key_get KEY2 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk
-retired=$(awk '{print $3}' <retired.test${n}.zsk)
-set_keytime "KEY2" "RETIRED" "${retired}"
-# - The key is removed after the retire interval:
-#   IretZSK = TTLsig + Dprp + Dsgn + retire-safety
-#   TTLsig:        6h (21600 seconds)
-#   Dprp:          1h (3600 seconds)
-#   Dsgn:          25d (2160000 seconds)
-#   retire-safety: 2h (7200 seconds)
-#   IretZSK:       25d9h (2192400 seconds)
-IretZSK=2192400
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
-# - The new KSK is published and activated.
-created=$(key_get KEY3 CREATED)
-set_keytime "KEY3" "PUBLISHED" "${created}"
-set_keytime "KEY3" "ACTIVE" "${created}"
-# - It takes TTLsig + Dprp to propagate the zone.
-#   TTLsig:         6h (39600 seconds)
-#   Dprp:           1h (3600 seconds)
-#   Ipub:           7h (25200 seconds)
-Ipub=25200
-set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
-# - The new ZSK is published and activated.
-created=$(key_get KEY4 CREATED)
-set_keytime "KEY4" "PUBLISHED" "${created}"
-set_keytime "KEY4" "ACTIVE" "${created}"
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when the ecdsa256 keys have been propagated.
-# This is the DNSKEY TTL plus publish safety plus zone propagation delay:
-# 3 times an hour: 10800 seconds.
-check_next_key_event 10800
-
-#
-# Zone: step2.algorithm-roll.kasp
-#
-set_zone "step2.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
-set_server "ns6" "10.53.0.6"
-# The RSAHSHA1 keys are outroducing, but need to stay present until the new
-# algorithm chain of trust has been established. Thus the properties, timings
-# and states of the KEY1 and KEY2 are the same as above.
-
-# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent,
-# but the zone signatures are not.
-set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY3" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY4" "STATE_DNSKEY" "omnipresent"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old keys were activated three hours ago (10800 seconds).
-rollover_predecessor_keytimes -10800
-# - KSK must be retired since it no longer matches the policy.
-created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "RETIRED" "${created}"
-set_addkeytime "KEY1" "REMOVED" "${created}" "${IretKSK}"
-# - ZSK must be retired since it no longer matches the policy.
-created=$(key_get KEY2 CREATED)
-set_keytime "KEY2" "RETIRED" "${created}"
-set_addkeytime "KEY2" "REMOVED" "${created}" "${IretZSK}"
-# - The new keys are published 3 hours ago.
-created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -10800
-set_addkeytime "KEY3" "ACTIVE" "${created}" -10800
-published=$(key_get KEY3 PUBLISHED)
-set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${Ipub}"
-
-created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -10800
-set_addkeytime "KEY4" "ACTIVE" "${created}" -10800
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when all zone signatures are signed with the new
-# algorithm.  This is the max-zone-ttl plus zone propagation delay
-# 6h + 1h.  But three hours have already passed (the time it took to
-# make the DNSKEY omnipresent), so the next event should be scheduled
-# in 4 hour: 14400 seconds.  Prevent intermittent
-# false positives on slow platforms by subtracting the number of seconds
-# which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((14400 - time_passed))
-check_next_key_event $next_time
-
-#
-# Zone: step3.algorithm-roll.kasp
-#
-set_zone "step3.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
-set_server "ns6" "10.53.0.6"
-# The ECDSAP256SHA256 keys are introducing.
-set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
-# The DS can be swapped.
-set_keystate "KEY1" "STATE_DS" "unretentive"
-set_keystate "KEY3" "STATE_DS" "rumoured"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# Check that CDS publication is logged.
-check_cdslog "$DIR" "$ZONE" KEY3
-
-# Set expected key times:
-# - The old keys were activated 7 hours ago (25200 seconds).
-rollover_predecessor_keytimes -25200
-# - And retired 3 hours ago (10800 seconds).
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -10800
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
-
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -10800
-retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
-# - The new keys are published 7 hours ago.
-created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -25200
-set_addkeytime "KEY3" "ACTIVE" "${created}" -25200
-published=$(key_get KEY3 PUBLISHED)
-set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
-
-created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -25200
-set_addkeytime "KEY4" "ACTIVE" "${created}" -25200
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Tell named we "saw" the parent swap the DS and see if the next key event is
-# scheduled at the correct time.
-rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
-rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
-# Next key event is when the DS becomes OMNIPRESENT. This happens after the
-# parent propagation delay, and DS TTL:
-# 1h + 2h = 3h = 10800 seconds.
-check_next_key_event 10800
-
-#
-# Zone: step4.algorithm-roll.kasp
-#
-set_zone "step4.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
-set_server "ns6" "10.53.0.6"
-# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
-set_keysigning "KEY1" "no"
-set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_DS" "hidden"
-
-set_zonesigning "KEY2" "no"
-set_keystate "KEY2" "GOAL" "hidden"
-set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
-# The ECDSAP256SHA256 DS is now OMNIPRESENT.
-set_keystate "KEY3" "STATE_DS" "omnipresent"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old keys were activated 36 hours ago (129600 seconds).
-rollover_predecessor_keytimes -129600
-# - And retired 33 hours ago (118800 seconds).
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -118800
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
-
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -118800
-retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
-
-# - The new keys are published 36 hours ago.
-created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -129600
-set_addkeytime "KEY3" "ACTIVE" "${created}" -129600
-published=$(key_get KEY3 PUBLISHED)
-set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
-
-created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -129600
-set_addkeytime "KEY4" "ACTIVE" "${created}" -129600
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when the old DNSKEY becomes HIDDEN.  This happens after the
-# DNSKEY TTL plus zone propagation delay (2h).
-check_next_key_event 7200
-
-#
-# Zone: step5.algorithm-roll.kasp
-#
-set_zone "step5.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
-set_server "ns6" "10.53.0.6"
-# The DNSKEY becomes HIDDEN.
-set_keystate "KEY1" "STATE_DNSKEY" "hidden"
-set_keystate "KEY1" "STATE_KRRSIG" "hidden"
-set_keystate "KEY2" "STATE_DNSKEY" "hidden"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old keys were activated 38 hours ago (136800 seconds)
-rollover_predecessor_keytimes -136800
-# - And retired 35 hours ago (126000 seconds).
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -126000
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
-
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -126000
-retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
-
-# The new keys are published 40 hours ago.
-created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
-published=$(key_get KEY3 PUBLISHED)
-set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
-
-created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY4" "ACTIVE" "${created}" -136800
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when the RSASHA1 signatures become HIDDEN.  This happens
-# after the max-zone-ttl plus zone propagation delay (6h + 1h)
-# minus the time already passed since the UNRETENTIVE state has
-# been reached (2h): 7h - 2h = 5h = 18000 seconds. Prevent intermittent
-# false positives on slow platforms by subtracting the number of seconds
-# which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((18000 - time_passed))
-check_next_key_event $next_time
-
-#
-# Zone: step6.algorithm-roll.kasp
-#
-set_zone "step6.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
-set_server "ns6" "10.53.0.6"
-# The old zone signatures (KEY2) should now also be HIDDEN.
-set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old keys were activated 45 hours ago (162000 seconds)
-rollover_predecessor_keytimes -162000
-# - And retired 42 hours ago (151200 seconds).
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -151200
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
-
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -151200
-retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
-
-# The new keys are published 47 hours ago.
-created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -162000
-set_addkeytime "KEY3" "ACTIVE" "${created}" -162000
-published=$(key_get KEY3 PUBLISHED)
-set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
-
-created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -162000
-set_addkeytime "KEY4" "ACTIVE" "${created}" -162000
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is never since we established the policy and the keys have
-# an unlimited lifetime.  Fallback to the default loadkeys interval.
-check_next_key_event 3600
-
-#
-# Testing CSK algorithm rollover.
-#
-
-# Policy parameters.
-# Lcsk: unlimited
-Lcksk=0
-
-#
-# Zone: step1.csk-algorithm-roll.kasp
-#
-set_zone "step1.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
-set_server "ns6" "10.53.0.6"
-# Old RSASHA1 key.
-key_clear "KEY1"
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
-# New ECDSAP256SHA256 key.
-key_clear "KEY2"
-set_keyrole "KEY2" "csk"
-set_keylifetime "KEY2" "0"
-set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "yes"
-set_zonesigning "KEY2" "yes"
-key_clear "KEY3"
-key_clear "KEY4"
-# The RSAHSHA1 key is outroducing.
-set_keystate "KEY1" "GOAL" "hidden"
-set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
-# The ECDSAP256SHA256 key is introducing.
-set_keystate "KEY2" "GOAL" "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY2" "STATE_DS" "hidden"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - CSK must be retired since it no longer matches the policy.
-csk_rollover_predecessor_keytimes 0
-keyfile=$(key_get KEY1 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk
-retired=$(awk '{print $3}' <retired.test${n}.ksk)
-set_keytime "KEY1" "RETIRED" "${retired}"
-# - The key is removed after the retire interval:
-#   IretZSK = TTLsig + Dprp + Dsgn + retire-safety
-#   TTLsig:        6h (21600 seconds)
-#   Dprp:          1h (3600 seconds)
-#   Dsgn:          25d (2160000 seconds)
-#   retire-safety: 2h (7200 seconds)
-#   IretZSK:       25d9h (2192400 seconds)
-IretCSK=2192400
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
-# - The new CSK is published and activated.
-created=$(key_get KEY2 CREATED)
-set_keytime "KEY2" "PUBLISHED" "${created}"
-set_keytime "KEY2" "ACTIVE" "${created}"
-# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
-#   TTLsig:         6h (39600 seconds)
-#   Dprp:           1h (3600 seconds)
-#   Ipub:           7h (25200 seconds)
-Ipub=25200
-set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when the new key has been propagated.
-# This is the DNSKEY TTL plus publish safety plus zone propagation delay:
-# 3 times an hour: 10800 seconds.
-check_next_key_event 10800
-
-#
-# Zone: step2.csk-algorithm-roll.kasp
-#
-set_zone "step2.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
-set_server "ns6" "10.53.0.6"
-# The RSAHSHA1 key is outroducing, but need to stay present until the new
-# algorithm chain of trust has been established. Thus the properties, timings
-# and states of KEY1 is the same as above.
-#
-# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent,
-# but the zone signatures are not.
-set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old key was activated three hours ago (10800 seconds).
-csk_rollover_predecessor_keytimes -10800
-# - CSK must be retired since it no longer matches the policy.
-created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "RETIRED" "${created}"
-set_addkeytime "KEY1" "REMOVED" "${created}" "${IretCSK}"
-# - The new key was published 3 hours ago.
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -10800
-set_addkeytime "KEY2" "ACTIVE" "${created}" -10800
-published=$(key_get KEY2 PUBLISHED)
-set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when all zone signatures are signed with the new algorithm.
-# This is the max-zone-ttl plus zone propagation delay: 6h + 1h.  But three
-# hours have already passed (the time it took to make the DNSKEY omnipresent),
-# so the next event should be scheduled in 4 hour: 14400 seconds.  Prevent
-# intermittent false positives on slow platforms by subtracting the number of
-# seconds which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((14400 - time_passed))
-check_next_key_event $next_time
-
-#
-# Zone: step3.csk-algorithm-roll.kasp
-#
-set_zone "step3.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
-set_server "ns6" "10.53.0.6"
-# The RSAHSHA1 key is outroducing, and it is time to swap the DS.
-# The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures
-# are now omnipresent, so the DS can be introduced.
-set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
-# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
-set_keystate "KEY1" "STATE_DS" "unretentive"
-set_keystate "KEY2" "STATE_DS" "rumoured"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# Check that CDS publication is logged.
-check_cdslog "$DIR" "$ZONE" KEY2
-
-# Set expected key times:
-# - The old key was activated 7 hours ago (25200 seconds).
-csk_rollover_predecessor_keytimes -25200
-# - And was retired 3 hours ago (10800 seconds).
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -10800
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
-# - The new key was published 9 hours ago.
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -25200
-set_addkeytime "KEY2" "ACTIVE" "${created}" -25200
-published=$(key_get KEY2 PUBLISHED)
-set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# We ignore any parent registration delay, so set the DS publish time to now.
-rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
-rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
-# Next key event is when the DS becomes OMNIPRESENT. This happens after the
-# parent propagation delay, and DS TTL:
-# 1h + 2h = 3h = 10800 seconds.
-check_next_key_event 10800
-
-#
-# Zone: step4.csk-algorithm-roll.kasp
-#
-set_zone "step4.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
-set_server "ns6" "10.53.0.6"
-# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
-set_keysigning "KEY1" "no"
-set_zonesigning "KEY1" "no"
-set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_DS" "hidden"
-# The ECDSAP256SHA256 DS is now OMNIPRESENT.
-set_keystate "KEY2" "STATE_DS" "omnipresent"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old keys were activated 36 hours ago (129600 seconds).
-csk_rollover_predecessor_keytimes -129600
-# - And retired 33 hours ago (118800 seconds).
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -118800
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
-# - The new key was published 36 hours ago.
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -129600
-set_addkeytime "KEY2" "ACTIVE" "${created}" -129600
-published=$(key_get KEY2 PUBLISHED)
-set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when the old DNSKEY becomes HIDDEN.  This happens after the
-# DNSKEY TTL plus zone propagation delay (2h).
-check_next_key_event 7200
-
-#
-# Zone: step5.csk-algorithm-roll.kasp
-#
-set_zone "step5.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
-set_server "ns6" "10.53.0.6"
-# The DNSKEY becomes HIDDEN.
-set_keystate "KEY1" "STATE_DNSKEY" "hidden"
-set_keystate "KEY1" "STATE_KRRSIG" "hidden"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old key was activated 38 hours ago (136800 seconds)
-csk_rollover_predecessor_keytimes -136800
-# - And retired 35 hours ago (126000 seconds).
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -126000
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
-# - The new key was published 38 hours ago.
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY2" "ACTIVE" "${created}" -136800
-published=$(key_get KEY2 PUBLISHED)
-set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when the RSASHA1 signatures become HIDDEN.  This happens
-# after the max-zone-ttl plus zone propagation delay (6h + 1h) minus the
-# time already passed since the UNRETENTIVE state has been reached (2h):
-# 7h - 2h = 5h = 18000 seconds.  Prevent intermittent false positives on slow
-# platforms by subtracting the number of seconds which passed between key
-# creation and invoking 'rndc reconfig'.
-next_time=$((18000 - time_passed))
-check_next_key_event $next_time
-
-#
-# Zone: step6.csk-algorithm-roll.kasp
-#
-set_zone "step6.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
-set_server "ns6" "10.53.0.6"
-# The zone signatures should now also be HIDDEN.
-set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old keys were activated 45 hours ago (162000 seconds)
-csk_rollover_predecessor_keytimes -162000
-# - And retired 42 hours ago (151200 seconds).
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -151200
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
-# - The new key was published 47 hours ago.
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -162000
-set_addkeytime "KEY2" "ACTIVE" "${created}" -162000
-published=$(key_get KEY2 PUBLISHED)
-set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is never since we established the policy and the keys have
-# an unlimited lifetime.  Fallback to the default loadkeys interval.
-check_next_key_event 3600
-
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/rollover/ns6/kasp.conf.j2 b/bin/tests/system/rollover/ns6/kasp.conf.j2
index 73f0d5789a3..b2f36a95079 100644
--- a/bin/tests/system/rollover/ns6/kasp.conf.j2
+++ b/bin/tests/system/rollover/ns6/kasp.conf.j2
@@ -37,6 +37,44 @@ dnssec-policy "unsigning" {
 	};
 };
 
+dnssec-policy "rsasha256" {
+	signatures-refresh P5D;
+	signatures-validity 30d;
+	signatures-validity-dnskey 30d;
+
+	keys {
+		ksk lifetime unlimited algorithm rsasha256;
+		zsk lifetime unlimited algorithm rsasha256;
+	};
+
+	dnskey-ttl 1h;
+	publish-safety PT1H;
+	retire-safety 2h;
+	zone-propagation-delay 3600;
+	max-zone-ttl 6h;
+	parent-propagation-delay pt1h;
+	parent-ds-ttl 7200;
+};
+
+dnssec-policy "ecdsa256" {
+	signatures-refresh P5D;
+	signatures-validity 30d;
+	signatures-validity-dnskey 30d;
+
+	keys {
+		ksk lifetime unlimited algorithm ecdsa256;
+		zsk lifetime unlimited algorithm ecdsa256;
+	};
+
+	dnskey-ttl 1h;
+	publish-safety PT1H;
+	retire-safety 2h;
+	zone-propagation-delay 3600;
+	max-zone-ttl 6h;
+	parent-propagation-delay pt1h;
+	parent-ds-ttl 7200;
+};
+
 {% if RSASHA1_SUPPORTED == "1" %}
 dnssec-policy "rsasha1" {
 	signatures-refresh P5D;
diff --git a/bin/tests/system/rollover/ns6/named.conf.j2 b/bin/tests/system/rollover/ns6/named.conf.j2
index 917281ea847..85861a01009 100644
--- a/bin/tests/system/rollover/ns6/named.conf.j2
+++ b/bin/tests/system/rollover/ns6/named.conf.j2
@@ -105,3 +105,16 @@ zone "step1.going-straight-to-none-dynamic.kasp" {
 	dnssec-policy "default";
 	allow-update { any; };
 };
+
+/* These are alorithm rollover test zones. */
+zone "step1.algorithm-roll.kasp" {
+	type primary;
+	file "step1.algorithm-roll.kasp.db";
+	dnssec-policy "rsasha256";
+};
+
+zone "step1.csk-algorithm-roll.kasp" {
+	type primary;
+	file "step1.csk-algorithm-roll.kasp.db";
+	dnssec-policy "csk-algoroll";
+};
diff --git a/bin/tests/system/rollover/ns6/named2.conf.j2 b/bin/tests/system/rollover/ns6/named2.conf.j2
index 21b721508ef..23511e886c0 100644
--- a/bin/tests/system/rollover/ns6/named2.conf.j2
+++ b/bin/tests/system/rollover/ns6/named2.conf.j2
@@ -118,3 +118,81 @@ zone "step1.going-straight-to-none-dynamic.kasp" {
         dnssec-policy "none";
         allow-update { any; };
 };
+
+/*
+ * Zones for testing KSK/ZSK algorithm roll.
+ */
+zone "step1.algorithm-roll.kasp" {
+	type primary;
+	file "step1.algorithm-roll.kasp.db";
+	dnssec-policy "ecdsa256";
+};
+
+zone "step2.algorithm-roll.kasp" {
+	type primary;
+	file "step2.algorithm-roll.kasp.db";
+	dnssec-policy "ecdsa256";
+};
+
+zone "step3.algorithm-roll.kasp" {
+	type primary;
+	file "step3.algorithm-roll.kasp.db";
+	dnssec-policy "ecdsa256";
+};
+
+zone "step4.algorithm-roll.kasp" {
+	type primary;
+	file "step4.algorithm-roll.kasp.db";
+	dnssec-policy "ecdsa256";
+};
+
+zone "step5.algorithm-roll.kasp" {
+	type primary;
+	file "step5.algorithm-roll.kasp.db";
+	dnssec-policy "ecdsa256";
+};
+
+zone "step6.algorithm-roll.kasp" {
+	type primary;
+	file "step6.algorithm-roll.kasp.db";
+	dnssec-policy "ecdsa256";
+};
+
+/*
+ * Zones for testing CSK algorithm roll.
+ */
+zone "step1.csk-algorithm-roll.kasp" {
+	type primary;
+	file "step1.csk-algorithm-roll.kasp.db";
+	dnssec-policy "csk-algoroll";
+};
+
+zone "step2.csk-algorithm-roll.kasp" {
+	type primary;
+	file "step2.csk-algorithm-roll.kasp.db";
+	dnssec-policy "csk-algoroll";
+};
+
+zone "step3.csk-algorithm-roll.kasp" {
+	type primary;
+	file "step3.csk-algorithm-roll.kasp.db";
+	dnssec-policy "csk-algoroll";
+};
+
+zone "step4.csk-algorithm-roll.kasp" {
+	type primary;
+	file "step4.csk-algorithm-roll.kasp.db";
+	dnssec-policy "csk-algoroll";
+};
+
+zone "step5.csk-algorithm-roll.kasp" {
+	type primary;
+	file "step5.csk-algorithm-roll.kasp.db";
+	dnssec-policy "csk-algoroll";
+};
+
+zone "step6.csk-algorithm-roll.kasp" {
+	type primary;
+	file "step6.csk-algorithm-roll.kasp.db";
+	dnssec-policy "csk-algoroll";
+};
diff --git a/bin/tests/system/rollover/ns6/setup.sh b/bin/tests/system/rollover/ns6/setup.sh
index 0f58df983c9..b06b3149213 100644
--- a/bin/tests/system/rollover/ns6/setup.sh
+++ b/bin/tests/system/rollover/ns6/setup.sh
@@ -99,3 +99,292 @@ cat template.db.in "${CSK}.key" >"$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
 cp $infile $zonefile
 $SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O full -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+#
+# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
+# algorithm rollover.
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.algorithm-roll.kasp
+echo "$zone" >>zones
+TactN="now-7d"
+TsbmN="now-161h"
+ksktimes="-P ${TactN} -A ${TactN}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone 8 "$KSK" >>"$infile"
+private_type_record $zone 8 "$ZSK" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 2:
+# After the publication interval has passed the DNSKEY is OMNIPRESENT.
+setup step2.algorithm-roll.kasp
+# The time passed since the new algorithm keys have been introduced is 3 hours.
+TpubN1="now-3h"
+# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp = now - 3h + 6h + 1h = now + 4h
+TsbmN1="now+4h"
+ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TsbmN} -I ${TsbmN1}"
+zsk1times="-P ${TactN}  -A ${TactN}  -I ${TsbmN1}"
+ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+zsk2times="-P ${TpubN1} -A ${TpubN1}"
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 3:
+# The zone signatures are also OMNIPRESENT.
+setup step3.algorithm-roll.kasp
+# The time passed since the new algorithm keys have been introduced is 7 hours.
+TpubN1="now-7h"
+TsbmN1="now"
+ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TsbmN}  -I ${TsbmN1}"
+zsk1times="-P ${TactN}  -A ${TactN}  -I ${TsbmN1}"
+ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+zsk2times="-P ${TpubN1} -A ${TpubN1}"
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 4:
+# The DS is swapped and can become OMNIPRESENT.
+setup step4.algorithm-roll.kasp
+# The time passed since the DS has been swapped is 3 hours.
+TpubN1="now-10h"
+TsbmN1="now-3h"
+ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TsbmN}  -I ${TsbmN1}"
+zsk1times="-P ${TactN}  -A ${TactN}  -I ${TsbmN1}"
+ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+zsk2times="-P ${TpubN1} -A ${TpubN1}"
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 5:
+# The DNSKEY is removed long enough to be HIDDEN.
+setup step5.algorithm-roll.kasp
+# The time passed since the DNSKEY has been removed is 2 hours.
+TpubN1="now-12h"
+TsbmN1="now-5h"
+ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TsbmN}  -I ${TsbmN1}"
+zsk1times="-P ${TactN}  -A ${TactN}  -I ${TsbmN1}"
+ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+zsk2times="-P ${TpubN1} -A ${TpubN1}"
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $U $TsbmN1 -r $U $TsbmN1 -d $H $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $U $TsbmN1 -z $U $TsbmN1 "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 6:
+# The RRSIGs have been removed long enough to be HIDDEN.
+setup step6.algorithm-roll.kasp
+# Additional time passed: 7h.
+TpubN1="now-19h"
+TsbmN1="now-12h"
+ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TsbmN}  -I ${TsbmN1}"
+zsk1times="-P ${TactN}  -A ${TactN}  -I ${TsbmN1}"
+ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+zsk2times="-P ${TpubN1} -A ${TpubN1}"
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $H $TsbmN1 -r $U $TsbmN1 -d $H $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $H $TsbmN1 -z $U $TsbmN1 "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+#
+# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
+# algorithm rollover.
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.csk-algorithm-roll.kasp
+echo "$zone" >>zones
+TactN="now-7d"
+TsbmN="now-161h"
+csktimes="-P ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone 5 "$CSK" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 2:
+# After the publication interval has passed the DNSKEY is OMNIPRESENT.
+setup step2.csk-algorithm-roll.kasp
+# The time passed since the new algorithm keys have been introduced is 3 hours.
+TpubN1="now-3h"
+# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp = now - 3h + 6h + 1h = now + 4h
+TsbmN1="now+4h"
+csktimes="-P ${TactN}  -A ${TactN} -P sync ${TsbmN} -I now"
+newtimes="-P ${TpubN1} -A ${TpubN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 3:
+# The zone signatures are also OMNIPRESENT.
+setup step3.csk-algorithm-roll.kasp
+# The time passed since the new algorithm keys have been introduced is 7 hours.
+TpubN1="now-7h"
+TsbmN1="now"
+ckstimes="-P ${TactN}  -A ${TactN}  -P sync ${TsbmN} -I ${TsbmN1}"
+newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 4:
+# The DS is swapped and can become OMNIPRESENT.
+setup step4.csk-algorithm-roll.kasp
+# The time passed since the DS has been swapped is 3 hours.
+TpubN1="now-10h"
+TsbmN1="now-3h"
+csktimes="-P ${TactN}  -A ${TactN}  -P sync ${TsbmN} -I ${TsbmN1}"
+newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TsbmN1 -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 5:
+# The DNSKEY is removed long enough to be HIDDEN.
+setup step5.csk-algorithm-roll.kasp
+# The time passed since the DNSKEY has been removed is 2 hours.
+TpubN1="now-12h"
+TsbmN1="now-5h"
+csktimes="-P ${TactN}  -A ${TactN}  -P sync ${TsbmN} -I ${TsbmN1}"
+newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TactN -r $U $TactN -z $U $TsbmN1 -d $H $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $O $TsbmN1 -d $O $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 6:
+# The RRSIGs have been removed long enough to be HIDDEN.
+setup step6.csk-algorithm-roll.kasp
+# Additional time passed: 7h.
+TpubN1="now-19h"
+TsbmN1="now-12h"
+csktimes="-P ${TactN}  -A ${TactN}  -P sync ${TsbmN} -I ${TsbmN1}"
+newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $H $TactN -r $U $TactN -z $U $TactN -d $H $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
diff --git a/bin/tests/system/rollover/tests_rollover.py b/bin/tests/system/rollover/tests_rollover.py
index 1331591f533..f30eb2fad99 100644
--- a/bin/tests/system/rollover/tests_rollover.py
+++ b/bin/tests/system/rollover/tests_rollover.py
@@ -1297,6 +1297,19 @@ def test_rollover_policy_changes(servers):
     unsigning_config = default_config.copy()
     unsigning_config["dnskey-ttl"] = timedelta(seconds=7200)
 
+    algoroll_config = {
+        "dnskey-ttl": timedelta(hours=1),
+        "ds-ttl": timedelta(seconds=7200),
+        "max-zone-ttl": timedelta(hours=6),
+        "parent-propagation-delay": timedelta(hours=1),
+        "publish-safety": timedelta(hours=1),
+        "purge-keys": timedelta(days=90),
+        "retire-safety": timedelta(hours=2),
+        "signatures-refresh": timedelta(days=5),
+        "signatures-validity": timedelta(days=30),
+        "zone-propagation-delay": timedelta(seconds=3600),
+    }
+
     start_time = KeyTimingMetadata.now()
 
     # Test dynamic zones that switch to inline-signing.
@@ -1396,6 +1409,37 @@ def test_rollover_policy_changes(servers):
         }
         steps.append(step)
 
+    # Test algorithm rollover (KSK/ZSK split).
+    isctest.log.info("check algorithm rollover ksk/zsk split")
+    offset = -timedelta(days=7)
+    offval = int(offset.total_seconds())
+    step = {
+        "zone": "step1.algorithm-roll.kasp",
+        "cdss": cdss,
+        "config": algoroll_config,
+        "policy": "rsasha256",
+        "keyprops": [
+            f"ksk 0 8 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offval}",
+            f"zsk 0 8 2048 goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offval}",
+        ],
+        "nextev": timedelta(hours=1),
+    }
+    steps.append(step)
+
+    # Test algorithm rollover (CSK).
+    isctest.log.info("check algorithm rollover csk")
+    step = {
+        "zone": "step1.csk-algorithm-roll.kasp",
+        "cdss": cdss,
+        "config": algoroll_config,
+        "policy": "csk-algoroll",
+        "keyprops": [
+            f"csk 0 8 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}",
+        ],
+        "nextev": timedelta(hours=1),
+    }
+    steps.append(step)
+
     for step in steps:
         check_rollover_step(server, step["config"], step["policy"], step)
 
@@ -1518,5 +1562,254 @@ def test_rollover_policy_changes(servers):
         }
         steps.append(step)
 
+    # Test algorithm rollover (KSK/ZSK split) (after reconfig).
+    isctest.log.info("check algorithm rollover ksk/zsk split (after reconfig)")
+    offset = -timedelta(days=7)
+    offval = int(offset.total_seconds())
+    ipub = Ipub(algoroll_config)
+    ipubc = IpubC(algoroll_config, rollover=False)
+    iret = Iret(algoroll_config, rollover=False)
+    iretKSK = Iret(algoroll_config, zsk=False, ksk=True, rollover=False)
+    keyttlprop = (
+        algoroll_config["dnskey-ttl"] + algoroll_config["zone-propagation-delay"]
+    )
+    offsets = {}
+    offsets["step2"] = -int(ipub.total_seconds())
+    offsets["step3"] = -int(iret.total_seconds())
+    offsets["step4"] = offsets["step3"] - int(iretKSK.total_seconds())
+    offsets["step5"] = offsets["step4"] - int(keyttlprop.total_seconds())
+    offsets["step6"] = offsets["step5"] - int(iret.total_seconds())
+    algo_steps = [
+        {
+            # Step 1.
+            "zone": "step1.algorithm-roll.kasp",
+            "cdss": cdss,
+            "config": algoroll_config,
+            "policy": "ecdsa256",
+            "keyprops": [
+                # The RSASHA keys are outroducing.
+                f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offval}",
+                f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{offval}",
+                # The ECDSAP256SHA256 keys are introducing.
+                f"ksk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
+                f"zsk 0 {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
+            ],
+            # Next key event is when the ecdsa256 keys have been propagated.
+            "nextev": ipub,
+        },
+        {
+            # Step 2.
+            "zone": "step2.algorithm-roll.kasp",
+            "cdss": cdss,
+            "config": algoroll_config,
+            "policy": "ecdsa256",
+            "keyprops": [
+                # The RSASHA keys are outroducing, but need to stay present
+                # until the new algorithm chain of trust has been established.
+                # Thus the expected key states of these keys stay the same.
+                f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offval}",
+                f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{offval}",
+                # The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is
+                # omnipresent, but the zone signatures are not.
+                f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{offsets['step2']}",
+                f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{offsets['step2']}",
+            ],
+            # Next key event is when all zone signatures are signed with the new
+            # algorithm.  This is the max-zone-ttl plus zone propagation delay.  But
+            # the publication interval has already passed. Also, prevent intermittent
+            # false positives on slow platforms by subtracting the time passed between
+            # key creation and invoking 'rndc reconfig'.
+            "nextev": ipubc - ipub - time_passed,
+        },
+        {
+            # Step 3.
+            "zone": "step3.algorithm-roll.kasp",
+            "cdss": cdss,
+            "config": algoroll_config,
+            "policy": "ecdsa256",
+            "keyprops": [
+                # The DS can be swapped.
+                f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offval}",
+                f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{offval}",
+                f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offsets['step3']}",
+                f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step3']}",
+            ],
+            # Next key event is when the DS becomes OMNIPRESENT. This happens
+            # after the retire interval.
+            "nextev": iretKSK - time_passed,
+        },
+        {
+            # Step 4.
+            "zone": "step4.algorithm-roll.kasp",
+            "cdss": cdss,
+            "config": algoroll_config,
+            "policy": "ecdsa256",
+            "keyprops": [
+                # The old DS is HIDDEN, we can remove the old algorithm records.
+                f"ksk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{offval}",
+                f"zsk 0 8 2048 goal:hidden dnskey:unretentive zrrsig:unretentive offset:{offval}",
+                f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step4']}",
+                f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step4']}",
+            ],
+            # Next key event is when the old DNSKEY becomes HIDDEN.
+            # This happens after the DNSKEY TTL plus zone propagation delay.
+            "nextev": keyttlprop,
+        },
+        {
+            # Step 5.
+            "zone": "step5.algorithm-roll.kasp",
+            "cdss": cdss,
+            "config": algoroll_config,
+            "policy": "ecdsa256",
+            "keyprops": [
+                # The DNSKEY becomes HIDDEN.
+                f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{offval}",
+                f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:unretentive offset:{offval}",
+                f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step5']}",
+                f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step5']}",
+            ],
+            # Next key event is when the RSASHA signatures become HIDDEN.
+            # This happens after the max-zone-ttl plus zone propagation delay
+            # minus the time already passed since the UNRETENTIVE state has
+            # been reached. Prevent intermittent false positives on slow
+            # platforms by subtracting the number of seconds which passed
+            # between key creation and invoking 'rndc reconfig'.
+            "nextev": iret - iretKSK - keyttlprop - time_passed,
+        },
+        {
+            # Step 6.
+            "zone": "step6.algorithm-roll.kasp",
+            "cdss": cdss,
+            "config": algoroll_config,
+            "policy": "ecdsa256",
+            "keyprops": [
+                # The zone signatures are now HIDDEN.
+                f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{offval}",
+                f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:hidden offset:{offval}",
+                f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step6']}",
+                f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step6']}",
+            ],
+            # Next key event is never since we established the policy and the
+            # keys have an unlimited lifetime.  Fallback to the default
+            # loadkeys interval.
+            "nextev": timedelta(hours=1),
+        },
+    ]
+    steps = steps + algo_steps
+
+    # Test algorithm rollover (CSK) (after reconfig).
+    isctest.log.info("check algorithm rollover csk (after reconfig)")
+    offsets = {}
+    offsets["step2"] = -int(ipub.total_seconds())
+    offsets["step3"] = -int(iret.total_seconds())
+    offsets["step4"] = offsets["step3"] - int(iretKSK.total_seconds())
+    offsets["step5"] = offsets["step4"] - int(keyttlprop.total_seconds())
+    offsets["step6"] = offsets["step5"] - int(iret.total_seconds())
+    algo_steps = [
+        {
+            # Step 1.
+            "zone": "step1.csk-algorithm-roll.kasp",
+            "cdss": cdss,
+            "config": algoroll_config,
+            "policy": "csk-algoroll",
+            "keyprops": [
+                # The RSASHA keys are outroducing.
+                f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}",
+                # The ECDSAP256SHA256 keys are introducing.
+                f"csk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+            ],
+            # Next key event is when the ecdsa256 keys have been propagated.
+            "nextev": ipub,
+        },
+        {
+            # Step 2.
+            "zone": "step2.csk-algorithm-roll.kasp",
+            "cdss": cdss,
+            "config": algoroll_config,
+            "policy": "csk-algoroll",
+            "keyprops": [
+                # The RSASHA keys are outroducing, but need to stay present
+                # until the new algorithm chain of trust has been established.
+                # Thus the expected key states of these keys stay the same.
+                f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}",
+                # The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is
+                # omnipresent, but the zone signatures are not.
+                f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{offsets['step2']}",
+            ],
+            # Next key event is when all zone signatures are signed with the
+            # new algorithm.  This is the child publication interval, minus
+            # the publication interval has already passed. Also, prevent
+            # intermittent false positives on slow platforms by subtracting
+            # the time passed between key creation and invoking 'rndc reconfig'.
+            "nextev": ipubc - ipub - time_passed,
+        },
+        {
+            # Step 3.
+            "zone": "step3.csk-algorithm-roll.kasp",
+            "cdss": cdss,
+            "config": algoroll_config,
+            "policy": "csk-algoroll",
+            "keyprops": [
+                # The DS can be swapped.
+                f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:unretentive offset:{offval}",
+                f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{offsets['step3']}",
+            ],
+            # Next key event is when the DS becomes OMNIPRESENT. This happens
+            # after the publication interval of the parent side.
+            "nextev": iretKSK - time_passed,
+        },
+        {
+            # Step 4.
+            "zone": "step4.csk-algorithm-roll.kasp",
+            "cdss": cdss,
+            "config": algoroll_config,
+            "policy": "csk-algoroll",
+            "keyprops": [
+                # The old DS is HIDDEN, we can remove the old algorithm records.
+                f"csk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:unretentive ds:hidden offset:{offval}",
+                f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step4']}",
+            ],
+            # Next key event is when the old DNSKEY becomes HIDDEN.
+            # This happens after the DNSKEY TTL plus zone propagation delay.
+            "nextev": keyttlprop,
+        },
+        {
+            # Step 5.
+            "zone": "step5.csk-algorithm-roll.kasp",
+            "cdss": cdss,
+            "config": algoroll_config,
+            "policy": "csk-algoroll",
+            "keyprops": [
+                # The DNSKEY becomes HIDDEN.
+                f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:unretentive ds:hidden offset:{offval}",
+                f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step5']}",
+            ],
+            # Next key event is when the RSASHA signatures become HIDDEN.
+            # This happens after the max-zone-ttl plus zone propagation delay
+            # minus the time already passed since the UNRETENTIVE state has
+            # been reached. Prevent intermittent false positives on slow
+            # platforms by subtracting the number of seconds which passed
+            # between key creation and invoking 'rndc reconfig'.
+            "nextev": iret - iretKSK - keyttlprop - time_passed,
+        },
+        {
+            # Step 6.
+            "zone": "step6.csk-algorithm-roll.kasp",
+            "cdss": cdss,
+            "config": algoroll_config,
+            "policy": "csk-algoroll",
+            "keyprops": [
+                # The zone signatures are now HIDDEN.
+                f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{offval}",
+                f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step6']}",
+            ],
+            # Next key event is never since we established the policy and the
+            # keys have an unlimited lifetime.  Fallback to the default
+            # loadkeys interval.
+            "nextev": timedelta(hours=1),
+        },
+    ]
+    steps = steps + algo_steps
+
     for step in steps:
         check_rollover_step(server, step["config"], step["policy"], step)