From: Matthijs Mekking Date: Thu, 31 Jul 2025 15:41:11 +0000 (+0200) Subject: Fix autosign system test X-Git-Tag: v9.21.17~60^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c756b8a505ca1975e967f59477370287077c1f12;p=thirdparty%2Fbind9.git Fix autosign system test When creating keys, set Publish and Activate times so that keys will be initialized as omnipresent. This way we start with a safe DNSSEC state. In most cases at least, because some tests depend on special key timings. The ttl[1-4].example cases have become incorrect. With dnssec-policy we require the TTL to match the dnskey-ttl from the policy. The delzsk.example will have a ZSK removed from the zone. It also requires that the DNSKEY RRset is already published. This means that for the existing keys the, no longer "is now published" messages will be logged. The nsec-only.example and reconf.example zones are fixed to have a correct matching policy. This all means the expected count of log messages changes slightly.
---
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh
index 54f53a46c82..5834dc1e2fa 100644
--- a/bin/tests/system/autosign/ns3/keygen.sh
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -31,10 +31,13 @@ setup() {
 mkdir inactive
+T="now-7d"
+keytimes="-P $T -A $T"
+
 setup secure.example
 cp $infile $zonefile
-ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $keytimes $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key >dsset-${zone}.
 #
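Review bot: The new `T` and `keytimes` variables at the top of the hunk carry no explanation of why every key is back-dated a week, and `$keytimes` only works because it is expanded unquoted, so a reader applying the file's usual quoting to it would silently break every keygen line below. A short comment above the pair would prevent that, e.g. `# Publish and activate keys a week in the past so they start out omnipresent; $keytimes is deliberately unquoted so it splits into separate options.` The same unquoted expansion is relied on in every later hunk of this file, so the comment belongs only here.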
@@ -42,8 +45,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
 #
 setup secure.nsec3.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key >dsset-${zone}.
 #
@@ -51,8 +54,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
 #
 setup nsec3.nsec3.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key >dsset-${zone}.
 #
@@ -74,8 +77,8 @@ done
 #
 setup optout.nsec3.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key >dsset-${zone}.
 #
@@ -83,8 +86,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
 #
 setup nsec3.example
 cat $infile dsset-*.${zone}. >$zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key >dsset-${zone}.
 #
@@ -92,9 +95,9 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
 #
 setup autonsec3.example
 cat $infile >$zonefile
-ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
 echo $ksk >../autoksk.key
-zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
+zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone 2>kg.out) || dumpit kg.out
 echo $zsk >../autozsk.key
 $DSFROMKEY $ksk.key >dsset-${zone}.
@@ -103,8 +106,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
 #
 setup secure.optout.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key >dsset-${zone}.
 #
@@ -112,8 +115,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
 #
 setup nsec3.optout.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key >dsset-${zone}.
 #
@@ -121,8 +124,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
 #
 setup optout.optout.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key >dsset-${zone}.
 #
@@ -130,8 +133,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
 #
 setup optout.example
 cat $infile dsset-*.${zone}. >$zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key >dsset-${zone}.
 #
@@ -139,8 +142,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
 #
 setup rsasha256.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out
-$KEYGEN -q -a RSASHA256 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a RSASHA256 -b 2048 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key >dsset-${zone}.
 #
@@ -148,8 +151,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
 #
 setup rsasha512.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out
-$KEYGEN -q -a RSASHA512 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a RSASHA512 -b 2048 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key >dsset-${zone}.
 #
@@ -160,8 +163,8 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
 if [ $RSASHA1_SUPPORTED = 1 ]; then
 setup nsec-only.example
 cp $infile $zonefile
- ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2>kg.out) || dumpit kg.out
- $KEYGEN -q -a RSASHA1 $zone >kg.out 2>&1 || dumpit kg.out
+ ksk=$($KEYGEN -q -a RSASHA1 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
+ $KEYGEN -q -a RSASHA1 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key >dsset-${zone}.
 else
 echo_i "skip: nsec-only.example - signing with RSASHA1 not supported"
@@ -178,8 +181,8 @@ while [ $count -le 1000 ]; do
 echo "label${count} IN TXT label${count}" >>$zonefile
 count=$((count + 1))
 done
-$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $keytimes $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $SIGNER -PS -x -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile >s.out || dumpit s.out
 cp $zonefile.signed $zonefile.bak
 mv $zonefile.signed $zonefile
@@ -188,16 +191,16 @@ mv $zonefile.signed $zonefile
 #
 # NSEC3->NSEC transition test zone.
 #
 setup nsec3-to-nsec.example
-$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $keytimes $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out
 #
 # NSEC3->NSEC3 transition test zone.
 #
 setup nsec3-to-nsec3.example
-$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $keytimes $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out
 #
@@ -205,8 +208,8 @@ $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out
 #
 setup prepub.example
 infile="prepub.example.db.in"
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out
-zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $keytimes $zone >kg.out 2>&1 || dumpit kg.out
+zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes $zone 2>kg.out) || dumpit kg.out
 echo $zsk >../prepub.key
 $SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out
@@ -214,29 +217,29 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out
 # Key TTL tests.
 #
-# no default key TTL; DNSKEY should get SOA TTL
+# no default key TTL; DNSKEY should get default dnskey-ttl
 setup ttl1.example
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $keytimes $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 cp $infile $zonefile
-# default key TTL should be used
+# default dnskey-ttl should be used
 setup ttl2.example
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone >kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 cp $infile $zonefile
-# mismatched key TTLs, should use shortest
+# mismatched key TTLs, should use default dnskey-ttl
 setup ttl3.example
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone >kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 cp $infile $zonefile
-# existing DNSKEY RRset, should retain TTL
+# existing DNSKEY RRset, should update to use dnksey-ttl
 setup ttl4.example
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone >kg.out 2>&1 || dumpit kg.out
-cat ${infile} K${zone}.+*.key >$zonefile
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $keytimes $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
+cp $infile $zonefile
 #
 # A zone with a DNSKEY RRset that is published before it's activated
@@ -253,8 +256,8 @@ cp delay.example.db.in delay.example.db
 # is missing.
 #
 setup noksk.example
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
-zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
+zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone 2>kg.out) || dumpit kg.out
 $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
 echo $ksk >../noksk-ksk.key
 rm -f ${ksk}.private
@@ -264,8 +267,8 @@ rm -f ${ksk}.private
 # is missing.
 #
 setup nozsk.example
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
-zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
+zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone 2>kg.out) || dumpit kg.out
 $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
 echo $ksk >../nozsk-ksk.key
 echo $zsk >../nozsk-zsk.key
@@ -276,8 +279,8 @@ rm -f ${zsk}.private
 # is inactive.
 #
 setup inaczsk.example
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
-zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
+zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone 2>kg.out) || dumpit kg.out
 $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
 echo $ksk >../inaczsk-ksk.key
 echo $zsk >../inaczsk-zsk.key
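Review bot: The ttl4.example comment `# existing DNSKEY RRset, should update to use dnksey-ttl` no longer describes the code under it: the `cat ${infile} K${zone}.+*.key >$zonefile` that put a pre-existing DNSKEY RRset into the zone file is replaced by `cp $infile $zonefile`, so the zone now starts without any DNSKEY RRset, and the comment also misspells dnskey-ttl. If the point of the case is still an existing RRset, the zone file needs to keep including the generated keys; if not, reword the comment to what is now exercised, e.g. `# matching key TTLs (-L 30), should use dnskey-ttl`. As written, ttl4.example now has the same shape as ttl2.example with a different -L value, which looks unintended.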
@@ -288,16 +291,16 @@ $SETTIME -I now $zsk >st.out 2>&1 || dumpit st.out
 #
 setup reconf.example
 cp secure.example.db.in $zonefile
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone >kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 #
 # A zone which generates CDS and CDNSEY RRsets automatically (with an additional CSK)
 #
 setup sync.example
 cp $infile $zonefile
-ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $keytimes $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key >dsset-${zone}.
 echo ns3/$ksk >../sync.key
@@ -306,8 +309,8 @@ echo ns3/$ksk >../sync.key
 #
 setup kskonly.example
 cp $infile $zonefile
-ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $keytimes $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key >dsset-${zone}.
 #
@@ -315,7 +318,7 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
 #
 setup inaczsk2.example
 cp $infile $zonefile
-ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $keytimes $zone 2>kg.out) || dumpit kg.out
 $KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone >kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key >dsset-${zone}.
@@ -325,19 +328,19 @@ $DSFROMKEY $ksk.key >dsset-${zone}.
 #
 setup delzsk.example
 cp $infile $zonefile
-ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
-zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out) || dumpit kg.out
-cat $zsk.key >>$zonefile
-mv $zsk.key inactive/
-mv $zsk.private inactive/
-echo $zsk >../delzsk.key
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now-7d $keytimes $zone 2>kg.out) || dumpit kg.out
+zsk1=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes $zone >kg.out 2>&1) || dumpit kg.out
+zsk2=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes -I now-1d $zone 2>kg.out) || dumpit kg.out
+cat $ksk.key $zsk2.key >>$zonefile
+cp $zsk2.key inactive/
+cp $zsk2.private inactive/
+echo $zsk2 >../delzsk.key
 #
 # Check that NSEC3 are correctly signed and returned from below a DNAME
 #
 setup dname-at-apex-nsec3.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $keytimes $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $keytimes $zone >kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key >dsset-${zone}.
diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in
index 3707a2c7c9d..f6d061bb0ad 100644
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -250,14 +250,6 @@ zone "rsasha512.example" {
 dnssec-policy rsasha512;
 };
-zone "nsec-only.example" {
- type primary;
- file "nsec-only.example.db";
- allow-update { any; };
- inline-signing no;
- dnssec-policy autosign;
-};
-
 zone "nsec3-to-nsec.example" {
 type primary;
 file "nsec3-to-nsec.example.db";
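Review bot: `zsk1=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes $zone >kg.out 2>&1) || dumpit kg.out` in the delzsk.example block redirects the command's stdout into kg.out inside the substitution, so `zsk1` is always the empty string, unlike the neighbouring `ksk` and `zsk2` lines which use `2>kg.out` and do capture the key name. If the first ZSK's name is needed anywhere (nothing in this hunk uses it), the line should read `zsk1=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q $keytimes $zone 2>kg.out) || dumpit kg.out`; if it is not, drop the assignment as the removed line did. The KSK line also spells out `-P sync now-7d` although `$T` already holds that value; `-P sync $T` keeps the two timings from drifting apart.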
@@ -394,4 +386,6 @@ zone "dname-at-apex-nsec3.example" {
 dnssec-policy nsec3;
 };
+include "nsec-only.conf";
+
 include "trusted.conf";
diff --git a/bin/tests/system/autosign/ns3/nsec-only.conf.in b/bin/tests/system/autosign/ns3/nsec-only.conf.in
new file mode 100644
index 00000000000..37eb30d629d
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nsec-only.conf.in
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "nsec-only" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm rsasha1;
+ zsk key-directory lifetime unlimited algorithm rsasha1;
+ };
+};
+
+zone "nsec-only.example" {
+ type primary;
+ file "nsec-only.example.db";
+ allow-update { any; };
+ inline-signing no;
+ dnssec-policy nsec-only;
+};
diff --git a/bin/tests/system/autosign/setup.sh b/bin/tests/system/autosign/setup.sh
index e029fdf8aa6..2c785ac245c 100644
--- a/bin/tests/system/autosign/setup.sh
+++ b/bin/tests/system/autosign/setup.sh
@@ -15,6 +15,11 @@ copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
+if [ $RSASHA1_SUPPORTED = 1 ]; then
+ cp ns3/nsec-only.conf.in ns3/nsec-only.conf
+else
+ : >ns3/nsec-only.conf
+fi
 copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 298de9196c9..afc847b935f 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
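Review bot: nsec-only.conf.in gives no hint that it is a conditional include: named.conf.in pulls in nsec-only.conf unconditionally, and setup.sh only copies this file into place when RSASHA1_SUPPORTED is 1, writing an empty nsec-only.conf otherwise. A comment after the licence block would save the next reader that cross-reference, e.g. `// Installed by setup.sh only when RSASHA1 is supported; an empty nsec-only.conf is written otherwise.` Since setup.sh uses plain `cp` rather than `copy_setports` for this file, the comment could also warn that it must not rely on whatever substitutions copy_setports performs (presumably port placeholders; the helper is not visible here).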
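Review bot: `if [ $RSASHA1_SUPPORTED = 1 ]; then` in setup.sh leaves the variable unquoted, so if it is ever unset the test degenerates to `[ = 1 ]` and aborts with a syntax error instead of taking the else branch that writes the empty stub. `if [ "${RSASHA1_SUPPORTED:-0}" = 1 ]; then` keeps the intended fallback. The same unquoted form already appears in keygen.sh and tests.sh, so this is a consistency decision rather than a regression; if it is kept here, it is at least worth a comment that the variable is guaranteed to be set by the harness.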
@@ -1087,7 +1087,7 @@ ret=0
 rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l)
 [ "$rekey_calls" -eq 0 ] || ret=1
 # ...then we add dnssec-policy and reconfigure
-($RNDCCMD 10.53.0.3 modzone reconf.example '{ type primary; file "reconf.example.db"; allow-update { any; }; dnssec-policy default; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
+($RNDCCMD 10.53.0.3 modzone reconf.example '{ type primary; file "reconf.example.db"; allow-update { any; }; dnssec-policy autosign; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
 rndc_reconfig ns3 10.53.0.3
 for i in 0 1 2 3 4 5 6 7 8 9; do
 lret=0
@@ -1256,17 +1256,19 @@ act=$(grep "DNSKEY .* is now active" ns3/named.run | wc -l)
 if [ $RSASHA1_SUPPORTED = 1 ]; then
 # Include two log lines for nsec-only zone.
 [ "$pub" -eq 53 ] || ret=1
- [ "$act" -eq 53 ] || ret=1
+ [ "$act" -eq 54 ] || ret=1
 else
 [ "$pub" -eq 51 ] || ret=1
- [ "$act" -eq 51 ] || ret=1
+ [ "$act" -eq 52 ] || ret=1
 fi
 rev=$(grep "DNSKEY .* is now revoked" ns3/named.run | wc -l)
 [ "$rev" -eq 0 ] || ret=1
+# inaczsk.example
 inac=$(grep "DNSKEY .* is now inactive" ns3/named.run | wc -l)
-[ "$inac" -eq 0 ] || ret=1
+[ "$inac" -eq 1 ] || ret=1
+# delzsk.example
 del=$(grep "DNSKEY .* is now deleted" ns3/named.run | wc -l)
-[ "$del" -eq 3 ] || ret=1
+[ "$del" -eq 1 ] || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
diff --git a/bin/tests/system/autosign/tests_sh_autosign.py b/bin/tests/system/autosign/tests_sh_autosign.py
index ef11cbe21a4..5a4b2ed833d 100644
--- a/bin/tests/system/autosign/tests_sh_autosign.py
+++ b/bin/tests/system/autosign/tests_sh_autosign.py
@@ -114,6 +114,7 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns3/kskonly.example.db.jbk",
 "ns3/noksk.example.db",
 "ns3/nozsk.example.db",
+ "ns3/nsec-only.conf",
 "ns3/nsec-only.example.db",
 "ns3/nsec3-to-nsec.example.db",
 "ns3/nsec3-to-nsec3.example.db",
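Review bot: The new expectations `[ "$act" -eq 54 ] || ret=1` and `[ "$act" -eq 52 ] || ret=1` make the "is now active" count exceed the "is now published" count by one without saying which zone contributes the extra line, whereas the `inac` and `del` checks just below now get a `# inaczsk.example` / `# delzsk.example` comment explaining their values. Add the same kind of comment above the `act` checks naming the responsible zone (presumably one whose DNSKEYs are already present in the zone file, so only the activation is logged, per the commit message), otherwise the next time a count moves it has to be re-derived from all of ns3/keygen.sh. The enclosing test case starts before this hunk.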