diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in
index 5cecb8c542..f9aa284ef4 100644
--- a/bin/tests/system/kasp/ns6/named.conf.in
+++ b/bin/tests/system/kasp/ns6/named.conf.in
@@ -46,9 +46,9 @@ zone "migrate.kasp" {
 update-check-ksk yes;
 };
 
-zone "migrate-nomatch.kasp" {
+zone "migrate-nomatch-alglen.kasp" {
 type master;
- file "migrate-nomatch.kasp.db";
+ file "migrate-nomatch-alglen.kasp.db";
 auto-dnssec maintain;
 allow-update { any; };
 dnssec-dnskey-kskonly yes;
diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in
index 0428dcbdf8..d63318c6ac 100644
--- a/bin/tests/system/kasp/ns6/named2.conf.in
+++ b/bin/tests/system/kasp/ns6/named2.conf.in
@@ -43,11 +43,11 @@ zone "migrate.kasp" {
 dnssec-policy "migrate";
 };
 
-zone "migrate-nomatch.kasp" {
+zone "migrate-nomatch-alglen.kasp" {
 type master;
- file "migrate-nomatch.kasp.db";
+ file "migrate-nomatch-alglen.kasp.db";
 allow-update { any; };
- dnssec-policy "migrate-nomatch";
+ dnssec-policy "migrate-nomatch-alglen";
 };
 
 /*
diff --git a/bin/tests/system/kasp/ns6/policies/kasp.conf b/bin/tests/system/kasp/ns6/policies/kasp.conf
index 16fb3d60aa..ae36e0934f 100644
--- a/bin/tests/system/kasp/ns6/policies/kasp.conf
+++ b/bin/tests/system/kasp/ns6/policies/kasp.conf
@@ -58,7 +58,11 @@ dnssec-policy "migrate" {
 };
 };
 
-dnssec-policy "migrate-nomatch" {
+/*
+ * This policy tests migration from existing keys with 1024 bits RSASHA1 keys
+ * to 2048 bits RSASHA1 keys.
+ */
+dnssec-policy "migrate-nomatch-alglen" {
 dnskey-ttl 300;
 
 keys {
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh
index 5c489e774f..7a9ed929c1 100644
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
@@ -52,8 +52,10 @@ private_type_record $zone 5 "$ZSK" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
-# time the existing keys do not match the policy.
-setup migrate-nomatch.kasp
+# time the existing keys do not match the policy. The existing keys are
+# 1024 bits RSASHA1 keys, and will be migrated to a dnssec-policy that
+# dictates 2048 bits RSASHA1 keys.
+setup migrate-nomatch-alglen.kasp
 echo "$zone" >> zones
 KSK=$($KEYGEN -a RSASHA1 -b 1024 -f KSK -L 300 $zone 2> keygen.out.$zone.1)
 ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zone 2> keygen.out.$zone.2)
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index ed24aedf58..50de840ad6 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -2920,11 +2920,11 @@ _migrate_zsk=$(key_get KEY2 ID)
 #
 # Testing migration with unmatched existing keys.
 #
-set_zone "migrate-nomatch.kasp"
+set_zone "migrate-nomatch-alglen.kasp"
 set_policy "none" "2" "300"
 set_server "ns6" "10.53.0.6"
 
-init_migration_nomatch() {
+init_migration_nomatch_alglen() {
 key_clear "KEY1"
 key_set "KEY1" "LEGACY" "yes"
 set_keyrole "KEY1" "ksk"
@@ -2957,7 +2957,7 @@ init_migration_nomatch() {
 set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
 }
-init_migration_nomatch
+init_migration_nomatch_alglen
 
 # Make sure the zone is signed with legacy keys.
 check_keys
@@ -2966,8 +2966,8 @@ check_subdomain
 dnssec_verify
 
 # Remember legacy key tags.
-_migratenomatch_ksk=$(key_get KEY1 ID)
-_migratenomatch_zsk=$(key_get KEY2 ID)
+_migratenomatch_alglen_ksk=$(key_get KEY1 ID)
+_migratenomatch_alglen_zsk=$(key_get KEY2 ID)
 
 # Reconfig dnssec-policy (triggering algorithm roll and other dnssec-policy
 # changes).
@@ -3033,13 +3033,13 @@ ret=0
 status=$((status+ret))
 
 # Test migration to dnssec-policy, existing keys do not match.
-set_zone "migrate-nomatch.kasp"
-set_policy "migrate-nomatch" "4" "300"
+set_zone "migrate-nomatch-alglen.kasp"
+set_policy "migrate-nomatch-alglen" "4" "300"
 set_server "ns6" "10.53.0.6"
 
 # The legacy keys need to be retired, but otherwise stay present until the
 # new keys are omnipresent, and can be used to construct a chain of trust.
-init_migration_nomatch
+init_migration_nomatch_alglen
 
 key_set "KEY1" "LEGACY" "no"
 set_keytime "KEY1" "RETIRED" "yes"
@@ -3059,7 +3059,7 @@ set_keyrole "KEY4" "zsk"
 set_keylifetime "KEY4" "5184000"
 set_keyalgorithm "KEY4" "5" "RSASHA1" "2048"
 set_keysigning "KEY4" "no"
-# This key is not active yet, first the DNSKEY needs to be omnipresent.
+# This key is considered to be prepublished, so it is not yet signing.
 set_zonesigning "KEY4" "no"
 
 set_keytime "KEY3" "PUBLISHED" "yes"
@@ -3086,8 +3086,8 @@ dnssec_verify
 n=$((n+1))
 echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
 ret=0
-[ $_migratenomatch_ksk == $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
-[ $_migratenomatch_zsk == $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+[ $_migratenomatch_alglen_ksk == $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migratenomatch_alglen_zsk == $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
 status=$((status+ret))
 
 #
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 268db30d2b..09ba4dc9c4 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -1402,7 +1402,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 keystr, keymgr_keyrole(dkey->key),
 dns_kasp_getname(kasp));
 
- /* Initialize lifetime and goal, if not set. */
+ /* Initialize lifetime if not set. */
 uint32_t l;
 if (dst_key_getnum(dkey->key, DST_NUM_LIFETIME,
 &l) != ISC_R_SUCCESS) {
@@ -1411,14 +1411,6 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 lifetime);
 }
 
- dst_key_state_t goal;
- if (dst_key_getstate(dkey->key, DST_KEY_GOAL,
- &goal) != ISC_R_SUCCESS) {
- dst_key_setstate(dkey->key,
- DST_KEY_GOAL,
- OMNIPRESENT);
- }
-
 if (active_key) {
 /* We already have an active key that
 * matches the kasp policy.
@@ -1442,6 +1434,19 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 continue;
 }
 
+ /*
+ * This is possibly an active key created
+ * outside dnssec-policy. Initialize goal,
+ * if not set.
+ */
+ dst_key_state_t goal;
+ if (dst_key_getstate(dkey->key, DST_KEY_GOAL,
+ &goal) != ISC_R_SUCCESS) {
+ dst_key_setstate(dkey->key,
+ DST_KEY_GOAL,
+ OMNIPRESENT);
+ }
+
 /*
 * Save the matched key only if it is active
 * or desires to be active.
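Review bot: Moving the DST_KEY_GOAL initialization below the `if (active_key) { … continue; }` guard means only the first policy-matching key without a goal is given OMNIPRESENT; any further matching key created outside dnssec-policy is skipped by the `continue` and keeps no goal state at all, whereas the old placement guaranteed every matching key had one, so readers of DST_KEY_GOAL later in dns_keymgr_run (outside this hunk) now have to tolerate the unset state. The new block also runs before the "Save the matched key only if it is active or desires to be active" check that follows it, so if that check consults DST_KEY_GOAL (its code is outside the hunk) a goal-less matching key passes it unconditionally, including a legacy key whose own timing metadata may already mark it retired. The comment "possibly an active key" undersells this asymmetry; I would write `/* First policy-matching key with no goal yet, presumably created outside dnssec-policy: treat it as wanting to be active. Keys matched after an active key exists keep their goal unset. */` so the next reader sees it. dns_keymgr_run begins and ends outside this hunk, and the migrate-nomatch-alglen test in this commit sets up one legacy KSK and one legacy ZSK only, so the path where a second matching key is left without a goal looks uncovered.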