dnssec-policy inheritance from options/view

'dnssec-policy' can now also be set on the options and view level and a zone that does not set 'dnssec-policy' explicitly will inherit it from the view or options level. This requires a new keyword to be introduced: 'none'. If set to 'none' the zone will not be DNSSEC maintained, in other words it will stay unsigned. You can use this to break the inheritance. Of course you can also break the inheritance by referring to a different policy. The keywords 'default' and 'none' are not allowed when configuring your own dnssec-policy statement. Add appropriate tests for checking the configuration (checkconf) and add tests to the kasp system test to verify the inheritance works. Edit the kasp system test such that it can deal with unsigned zones and views (so setting a TSIG on the query).
2025-08-22 18:19:42 +00:00 · 2019-11-05 17:22:35 +01:00 · 2019-11-05 17:22:35 +01:00 · 5f464d15a0
commit 5f464d15a0
parent ce1c1631b3
27 changed files with 895 additions and 103 deletions
--- a/bin/named/config.c
+++ b/bin/named/config.c
@ -58,6 +58,7 @@ options {\n\
 "\
 #	deallocate-on-exit <obsolete>;\n\
 #	directory <none>\n\
 	dnssec-policy \"none\";\n\
 	dump-file \"named_dump.db\";\n\
 	edns-udp-size 4096;\n\
 #	fake-iquery <obsolete>;\n"
--- a/bin/named/server.c
+++ b/bin/named/server.c
@ -6260,7 +6260,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	    ((cfg_map_get(zoptions, "inline-signing", &signing) ==
 	      ISC_R_SUCCESS && cfg_obj_asboolean(signing)) ||
 	     (cfg_map_get(zoptions, "dnssec-policy", &signing) ==
-	      ISC_R_SUCCESS  && signing != NULL)))
+	      ISC_R_SUCCESS && signing != NULL &&
 	      strcmp(cfg_obj_asstring(signing), "none") != 0)))
 	{
 		dns_zone_getraw(zone, &raw);
 		if (raw == NULL) {
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@ -1197,19 +1197,22 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	if (ztype != dns_zone_stub && ztype != dns_zone_staticstub &&
 	    ztype != dns_zone_redirect) {
 		obj = NULL;
-		result = cfg_map_get(zoptions, "dnssec-policy", &obj);
+		result = named_config_get(maps, "dnssec-policy", &obj);
 		if (result == ISC_R_SUCCESS) {
 			kaspname = cfg_obj_asstring(obj);
-			result = dns_kasplist_find(kasplist, kaspname, &kasp);
+			if (strcmp(kaspname, "none") != 0) {
 				result = dns_kasplist_find(kasplist, kaspname,
 							   &kasp);
 				if (result != ISC_R_SUCCESS) {
 					cfg_obj_log(obj, named_g_lctx,
 						    ISC_LOG_ERROR,
-					    "'dnssec-policy '%s' not found ",
+						    "'dnssec-policy '%s' not "
-					    kaspname);
+						    "found ", kaspname);
 					RETERR(result);
 				}
 				dns_zone_setkasp(zone, kasp);
 			}
 		}
 		obj = NULL;
 		result = named_config_get(maps, "notify", &obj);
--- a/bin/tests/system/checkconf/bad-kasp1.conf
+++ b/bin/tests/system/checkconf/bad-kasp1.conf
@ -9,12 +9,14 @@
 * information regarding copyright ownership.
 */
-options {
+// Using the keyword 'default' is not allowed.
-	dnssec-policy "notatzonelevel";
+dnssec-policy "default" {
 	signatures-refresh P5D;
 };
 zone "example.net" {
 	type master;
 	file "example.db";
 	dnssec-policy "default";
 };
--- a/bin/tests/system/checkconf/bad-kasp5.conf
+++ b/bin/tests/system/checkconf/bad-kasp5.conf
@ -0,0 +1,22 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 // Using the keyword 'none' is not allowed.
 dnssec-policy "none" {
 	signatures-refresh P5D;
 };
 zone "example.net" {
 	type master;
 	file "example.db";
 	dnssec-policy "none";
 };
--- a/bin/tests/system/checkconf/good-kasp.conf
+++ b/bin/tests/system/checkconf/good-kasp.conf
@ -35,13 +35,25 @@ dnssec-policy "test" {
 options {
 	dnssec-policy "default";
 };
 options {
 	dnssec-policy "default";
 };
 zone "example1" {
 	type master;
 	dnssec-policy "test";
 	file "example1.db";
 };
 zone "example2" {
 	type master;
 	dnssec-policy "default";
 	file "example2.db";
 	dnssec-policy "test";
 };
 zone "example3" {
 	type master;
 	file "example3.db";
 	dnssec-policy "default";
 };
 zone "example4" {
 	type master;
 	file "example4.db";
 	dnssec-policy "none";
 };
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@ -14,6 +14,24 @@
 */
 /* cut here */
 dnssec-policy "test" {
 	dnskey-ttl 3600;
 	keys {
 		ksk key-directory lifetime P1Y algorithm 13 256;
 		zsk key-directory lifetime P30D algorithm 13;
 		csk key-directory lifetime P30D algorithm 8 2048;
 	};
 	publish-safety PT3600S;
 	retire-safety PT3600S;
 	signatures-refresh P3D;
 	signatures-validity P2W;
 	signatures-validity-dnskey P14D;
 	zone-max-ttl 86400;
 	zone-propagation-delay PT5M;
 	parent-ds-ttl 7200;
 	parent-propagation-delay PT1H;
 	parent-registration-delay P1D;
 };
 options {
 	avoid-v4-udp-ports {
 		100;
@ -60,6 +78,7 @@ options {
 	validate-except {
 		"corp";
 	};
 	dnssec-policy "test";
 	transfer-source 0.0.0.0 dscp 63;
 	zone-statistics none;
 };
@ -140,6 +159,28 @@ view "third" {
 		};
 	};
 };
 view "fourth" {
 	zone "dnssec-test" {
 		type master;
 		file "dnssec-test.db";
 		dnssec-policy "test";
 	};
 	zone "dnssec-default" {
 		type master;
 		file "dnssec-default.db";
 		dnssec-policy "default";
 	};
 	zone "dnssec-inherit" {
 		type master;
 		file "dnssec-inherit.db";
 	};
 	zone "dnssec-none" {
 		type master;
 		file "dnssec-none.db";
 		dnssec-policy "none";
 	};
 	dnssec-policy "default";
 };
 view "chaos" chaos {
 	zone "hostname.bind" chaos {
 		type master;
--- a/bin/tests/system/checkconf/good.zonelist
+++ b/bin/tests/system/checkconf/good.zonelist
@ -8,4 +8,8 @@ clone IN third in-view first
 dnssec IN third master
 p IN third primary
 s IN third secondary
 dnssec-test IN fourth master
 dnssec-default IN fourth master
 dnssec-inherit IN fourth master
 dnssec-none IN fourth master
 hostname.bind chaos chaos master
--- a/bin/tests/system/kasp/README
+++ b/bin/tests/system/kasp/README
@ -9,3 +9,5 @@ ns1 is reserved for the root server.
 ns2 is running primary service for ns3.
 ns3 is an authoritative server for the various test domains.
 ns4 and ns5 are authoritative servers for various test domains related to views.
--- a/bin/tests/system/kasp/clean.sh
+++ b/bin/tests/system/kasp/clean.sh
@ -21,5 +21,6 @@ rm -f ns*/K*.private ns*/K*.key ns*/K*.state
 rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
 rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
 rm -f ns*/managed-keys.bind
 rm -f ns*/*.mkeys
 # NS3 specific
 rm -f ns3/zones ns3/*.db.infile
--- a/bin/tests/system/kasp/ns2/named.conf.in
+++ b/bin/tests/system/kasp/ns2/named.conf.in
@ -21,6 +21,7 @@ options {
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-policy "none";
 };
 key rndc_key {
@ -32,6 +33,21 @@ controls {
 	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 /* Inherit dnssec-policy (which is none) */
 zone "unsigned.tld" {
 	type master;
 	file "unsigned.tld.db";
 };
 /* Override dnssec-policy */
 zone "signed.tld" {
 	type master;
 	dnssec-policy "default";
 	file "signed.tld.db";
 };
 /* Primary service for ns3 */
 zone "secondary.kasp" {
--- a/bin/tests/system/kasp/ns2/setup.sh
+++ b/bin/tests/system/kasp/ns2/setup.sh
@ -14,8 +14,20 @@
 echo_i "ns2/setup.sh"
 echo_i "setting up zone: $zone"
 zone="secondary.kasp"
 echo_i "setting up zone: $zone"
 zonefile="${zone}.db"
 infile="${zonefile}.in"
 cp $infile $zonefile
 zone="signed.tld"
 echo_i "setting up zone: $zone"
 zonefile="${zone}.db"
 infile="template.tld.db.in"
 cp $infile $zonefile
 zone="unsigned.tld"
 echo_i "setting up zone: $zone"
 zonefile="${zone}.db"
 infile="template.tld.db.in"
 cp $infile $zonefile
--- a/bin/tests/system/kasp/ns2/template.tld.db.in
+++ b/bin/tests/system/kasp/ns2/template.tld.db.in
@ -0,0 +1,25 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
 ; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 $TTL 300
@		IN	SOA  secondary.kasp. hostmaster.kasp. (
 			1       ; serial
 			20      ; refresh (20 seconds)
 			20      ; retry (20 seconds)
 			1814400 ; expire (3 weeks)
 			3600    ; minimum (1 hour)
 			)
 			NS	ns2
 ns2			A	10.53.0.2
 a			A	10.0.0.1
 b			A	10.0.0.2
 c			A	10.0.0.3
--- a/bin/tests/system/kasp/ns3/named.conf.in
+++ b/bin/tests/system/kasp/ns3/named.conf.in
@ -11,6 +11,9 @@
 // NS3
 include "policies/kasp.conf";
 include "policies/autosign.conf";
 options {
 	query-source address 10.53.0.3;
 	notify-source 10.53.0.3;
@ -21,6 +24,7 @@ options {
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-policy "rsasha1";
 };
 key rndc_key {
@ -32,9 +36,6 @@ controls {
        inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 include "policies/kasp.conf";
 include "policies/autosign.conf";
 /* Zones that are getting initially signed */
 /* The default case: No keys created, using default policy. */
@ -51,6 +52,19 @@ zone "rsasha1.kasp" {
 	dnssec-policy "rsasha1";
 };
 /* A zone that inherits dnssec-policy. */
 zone "inherit.kasp" {
 	type master;
 	file "inherit.kasp.db";
 };
 /* A zone that overrides dnssec-policy. */
 zone "unsigned.kasp" {
 	type master;
 	file "unsigned.kasp.db";
 	dnssec-policy "none";
 };
 /* A master zone with dnssec-policy but keys already created. */
 zone "dnssec-keygen.kasp" {
 	type master;
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@ -43,12 +43,19 @@ U="UNRETENTIVE"
 # Set up zones that will be initially signed.
 #
 for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \
-	  rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384
+	  rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 inherit
 do
 	setup "${zn}.kasp"
 	cp template.db.in $zonefile
 done
 # Set up zone that stays unsigned.
 zone="unsigned.kasp"
 echo_i "setting up zone: $zone"
 zonefile="${zone}.db"
 infile="${zone}.db.infile"
 cp template.db.in $zonefile
 # Some of these zones already have keys.
 zone="dnssec-keygen.kasp"
 $KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
--- a/bin/tests/system/kasp/ns4/named.conf.in
+++ b/bin/tests/system/kasp/ns4/named.conf.in
@ -0,0 +1,117 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 // NS4
 key "sha1" {
 	algorithm "hmac-sha1";
 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
 };
 key "sha224" {
 	algorithm "hmac-sha224";
 	secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
 };
 key "sha256" {
 	algorithm "hmac-sha256";
 	secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
 };
 dnssec-policy "test" {
 	keys {
 		csk key-directory lifetime 0 algorithm 14;
 	};
 };
 options {
 	query-source address 10.53.0.4;
 	port @PORT@;
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	recursion no;
 	dnssec-policy "test";
 };
 view "inherit" {
 	match-clients { key "sha1"; };
 	/* Inherit dnssec-policy 'test' */
 	zone "inherit.inherit.signed" {
 		type master;
 		file "inherit.inherit.signed.db";
 	};
 	/* Override dnssec-policy */
 	zone "override.inherit.signed" {
 		type master;
 		dnssec-policy "default";
 		file "override.inherit.signed.db";
 	};
 	/* Unset dnssec-policy */
 	zone "none.inherit.signed" {
 		type master;
 		dnssec-policy "none";
 		file "none.inherit.signed.db";
 	};
 };
 view "override" {
 	match-clients { key "sha224"; };
 	dnssec-policy "default";
 	/* Inherit dnssec-policy 'test' */
 	zone "inherit.override.signed" {
 		type master;
 		file "inherit.override.signed.db";
 	};
 	/* Override dnssec-policy */
 	zone "override.override.signed" {
 		type master;
 		dnssec-policy "test";
 		file "override.override.signed.db";
 	};
 	/* Unset dnssec-policy */
 	zone "none.override.signed" {
 		type master;
 		dnssec-policy "none";
 		file "none.override.signed.db";
 	};
 };
 view "none" {
 	match-clients { key "sha256"; };
 	dnssec-policy "none";
 	/* Inherit dnssec-policy 'none' */
 	zone "inherit.none.signed" {
 		type master;
 		file "inherit.none.signed.db";
 	};
 	/* Override dnssec-policy */
 	zone "override.none.signed" {
 		type master;
 		dnssec-policy "test";
 		file "override.none.signed.db";
 	};
 	/* Unset dnssec-policy */
 	zone "none.none.signed" {
 		type master;
 		dnssec-policy "none";
 		file "none.none.signed.db";
 	};
 };
--- a/bin/tests/system/kasp/ns4/setup.sh
+++ b/bin/tests/system/kasp/ns4/setup.sh
@ -0,0 +1,28 @@
 #!/bin/sh -e
 #
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 # shellcheck source=conf.sh
 . "$SYSTEMTESTTOP/conf.sh"
 echo_i "ns4/setup.sh"
 #
 # Set up zones that potentially will be initially signed.
 #
 for zn in inherit.inherit override.inherit none.inherit \
 	  inherit.override override.override none.override \
 	  inherit.none override.none none.none
 do
 	zone="$zn.signed"
 	echo_i "setting up zone: $zone"
 	zonefile="${zone}.db"
 	cp template.db.in $zonefile
 done
--- a/bin/tests/system/kasp/ns4/template.db.in
+++ b/bin/tests/system/kasp/ns4/template.db.in
@ -0,0 +1,25 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
 ; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 $TTL 300
@		IN	SOA  mname1. . (
 			1       ; serial
 			20      ; refresh (20 seconds)
 			20      ; retry (20 seconds)
 			1814400 ; expire (3 weeks)
 			3600    ; minimum (1 hour)
 			)
 			NS	ns4
 ns4			A	10.53.0.4
 a			A	10.0.0.1
 b			A	10.0.0.2
 c			A	10.0.0.3
--- a/bin/tests/system/kasp/ns5/named.conf.in
+++ b/bin/tests/system/kasp/ns5/named.conf.in
@ -0,0 +1,117 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 // NS5
 key "sha1" {
 	algorithm "hmac-sha1";
 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
 };
 key "sha224" {
 	algorithm "hmac-sha224";
 	secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
 };
 key "sha256" {
 	algorithm "hmac-sha256";
 	secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
 };
 dnssec-policy "test" {
 	keys {
 		csk key-directory lifetime 0 algorithm 14;
 	};
 };
 options {
 	query-source address 10.53.0.5;
 	port @PORT@;
 	pid-file "named.pid";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
 	recursion no;
 	dnssec-policy "none";
 };
 view "inherit" {
 	match-clients { key "sha1"; };
 	/* Inherit dnssec-policy 'none' */
 	zone "inherit.inherit.unsigned" {
 		type master;
 		file "inherit.inherit.unsigned.db";
 	};
 	/* Override dnssec-policy */
 	zone "override.inherit.unsigned" {
 		type master;
 		dnssec-policy "default";
 		file "override.inherit.unsigned.db";
 	};
 	/* Unset dnssec-policy */
 	zone "none.inherit.unsigned" {
 		type master;
 		dnssec-policy "none";
 		file "none.inherit.unsigned.db";
 	};
 };
 view "override" {
 	match-clients { key "sha224"; };
 	dnssec-policy "default";
 	/* Inherit dnssec-policy 'default' */
 	zone "inherit.override.unsigned" {
 		type master;
 		file "inherit.override.unsigned.db";
 	};
 	/* Override dnssec-policy */
 	zone "override.override.unsigned" {
 		type master;
 		dnssec-policy "test";
 		file "override.override.unsigned.db";
 	};
 	/* Unset dnssec-policy */
 	zone "none.override.unsigned" {
 		type master;
 		dnssec-policy "none";
 		file "none.override.unsigned.db";
 	};
 };
 view "none" {
 	match-clients { key "sha256"; };
 	dnssec-policy "none";
 	/* Inherit dnssec-policy 'none' */
 	zone "inherit.none.unsigned" {
 		type master;
 		file "inherit.none.unsigned.db";
 	};
 	/* Override dnssec-policy */
 	zone "override.none.unsigned" {
 		type master;
 		dnssec-policy "test";
 		file "override.none.unsigned.db";
 	};
 	/* Unset dnssec-policy */
 	zone "none.none.unsigned" {
 		type master;
 		dnssec-policy "none";
 		file "none.none.unsigned.db";
 	};
 };
--- a/bin/tests/system/kasp/ns5/setup.sh
+++ b/bin/tests/system/kasp/ns5/setup.sh
@ -0,0 +1,28 @@
 #!/bin/sh -e
 #
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 # shellcheck source=conf.sh
 . "$SYSTEMTESTTOP/conf.sh"
 echo_i "ns5/setup.sh"
 #
 # Set up zones that potentially will be initially signed.
 #
 for zn in inherit.inherit override.inherit none.inherit \
 	  inherit.override override.override none.override \
 	  inherit.none override.none none.none
 do
 	zone="$zn.unsigned"
 	echo_i "setting up zone: $zone"
 	zonefile="${zone}.db"
 	cp template.db.in $zonefile
 done
--- a/bin/tests/system/kasp/ns5/template.db.in
+++ b/bin/tests/system/kasp/ns5/template.db.in
@ -0,0 +1,25 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
 ; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 $TTL 300
@		IN	SOA  mname1. . (
 			1       ; serial
 			20      ; refresh (20 seconds)
 			20      ; retry (20 seconds)
 			1814400 ; expire (3 weeks)
 			3600    ; minimum (1 hour)
 			)
 			NS	ns5
 ns5			A	10.53.0.5
 a			A	10.0.0.1
 b			A	10.0.0.2
 c			A	10.0.0.3
--- a/bin/tests/system/kasp/setup.sh
+++ b/bin/tests/system/kasp/setup.sh
@ -20,14 +20,23 @@ mkdir keys
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
-# ns2: Setup zones
+# Setup zones
 (
 	cd ns2
 	$SHELL setup.sh
 )
 # ns3: Setup zones
 (
 	cd ns3
 	$SHELL setup.sh
 )
 (
 	cd ns4
 	$SHELL setup.sh
 )
 (
 	cd ns5
 	$SHELL setup.sh
 )
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@ -21,6 +21,14 @@ n=0
 ###############################################################################
 DEFAULT_TTL=300
 ###############################################################################
 # Query properties                                                            #
 ###############################################################################
 TSIG=""
 SHA1="FrSt77yPTFx6hTs4i2tKLB9LmE0="
 SHA224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="
 SHA256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="
 ###############################################################################
 # Key properties                                                              #
 ###############################################################################
@ -82,7 +90,12 @@ key_clear "KEY3"
 # Call dig with default options.
 dig_with_opts() {
-	"$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+	_tsig=""
 	if [ -n "$TSIG" ]; then
 		_tsig="-y $TSIG"
 	fi
 	"$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p $PORT $_tsig "$@"
 }
 # RNDC.
@ -108,7 +121,9 @@ get_keyids() {
 	_start="${_dir}/K${_zone}.+${_algorithm}+"
 	_end=".key"
 	if [ $_algorithm -ne 0 ]; then
 		ls ${_start}*${_end} | sed "s/$_dir\/K${_zone}.+${_algorithm}+\([0-9]\{5\}\)${_end}/\1/"
 	fi
 }
 # By default log errors and don't quit immediately.
@ -124,15 +139,17 @@ log_error() {
 # $3: Policy name
 # $4: DNSKEY TTL
 # $5: Number of keys
 # $6: Name server
 #
 # This will set the following environment variables for testing:
-# DIR, ZONE, POLICY, DNSKEY_TTL, NUM_KEYS
+# DIR, ZONE, POLICY, DNSKEY_TTL, NUM_KEYS, SERVER
 zone_properties() {
 	DIR=$1
 	ZONE=$2
 	POLICY=$3
 	DNSKEY_TTL=$4
 	NUM_KEYS=$5
 	SERVER=$6
 }
 # Set key properties for testing keys.
@ -492,7 +509,7 @@ dnssec_verify()
 	n=$((n+1))
 	echo_i "dnssec-verify zone ${ZONE} ($n)"
 	ret=0
-	dig_with_opts $ZONE @10.53.0.3 AXFR > dig.out.axfr.test$n || log_error "dig ${ZONE} AXFR failed"
+	dig_with_opts $ZONE @${SERVER} AXFR > dig.out.axfr.test$n || log_error "dig ${ZONE} AXFR failed"
 	$VERIFY -z -o $ZONE dig.out.axfr.test$n > /dev/null || log_error "dnssec verify zone $ZONE failed"
 	test "$ret" -eq 0 || echo_i "failed"
 	status=$((status+ret))
@ -505,7 +522,7 @@ dnssec_verify()
 #
 # dnssec-keygen
 #
-zone_properties "keys" "kasp" "kasp" "200"
+zone_properties "keys" "kasp" "kasp" "200" "10.53.0.1"
 n=$((n+1))
 echo_i "check that 'dnssec-keygen -k' (configured policy) creates valid files ($n)"
@ -557,7 +574,7 @@ _log=1
 n=$((n+1))
 echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)"
 ret=0
-zone_properties "." "kasp" "default" "3600"
+zone_properties "." "kasp" "default" "3600" "10.53.0.1"
 key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
 key_timings "KEY1" "none" "none" "none" "none" "none"
 key_states "KEY1" "none" "none" "none" "none" "none"
@ -572,7 +589,7 @@ status=$((status+ret))
 n=$((n+1))
 echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)"
 ret=0
-zone_properties "." "kasp" "default" "3600"
+zone_properties "." "kasp" "default" "3600" "10.53.0.1"
 key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
 key_timings "KEY1" "none" "none" "none" "none" "none"
 key_states "KEY1" "none" "none" "none" "none" "none"
@ -672,7 +689,7 @@ status=$((status+ret))
 #
 # Check the zone with default kasp policy has loaded and is signed.
-zone_properties "ns3" "default.kasp" "_default" "3600"
+zone_properties "ns3" "default.kasp" "default" "3600" "1" "10.53.0.3"
 key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
 # The first key is immediately published and activated.
 key_timings "KEY1" "published" "active" "none" "none" "none" "none"
@ -695,7 +712,7 @@ qtype="DNSKEY"
 n=$((n+1))
 echo_i "check ${qtype} rrset is signed correctly for zone ${ZONE} ($n)"
 ret=0
-dig_with_opts $ZONE @10.53.0.3 $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed"
+dig_with_opts $ZONE @${SERVER} $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed"
 grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
 grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${qtype}.*257.*.3.*${KEY1[$ALG_NUM]}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${qtype} record in response"
 lines=$(get_keys_which_signed $qtype dig.out.$DIR.test$n | wc -l)
@ -709,7 +726,7 @@ qtype="SOA"
 n=$((n+1))
 echo_i "check ${qtype} rrset is signed correctly for zone ${ZONE} ($n)"
 ret=0
-dig_with_opts $ZONE @10.53.0.3 $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed"
+dig_with_opts $ZONE @${SERVER} $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed"
 grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
 grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*${qtype}.*mname1\..*\." dig.out.$DIR.test$n > /dev/null || log_error "missing ${qtype} record in response"
 lines=$(get_keys_which_signed $qtype dig.out.$DIR.test$n | wc -l)
@ -730,14 +747,14 @@ while [ $i -lt 5 ]
 do
 	ret=0
-	dig_with_opts "a.${ZONE}" @10.53.0.3 A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed"
+	dig_with_opts "a.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed"
 	grep "status: NOERROR" dig.out.$DIR.test$n.a > /dev/null || log_error "mismatch status in DNS response"
 	grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" dig.out.$DIR.test$n.a > /dev/null || log_error "missing a.${ZONE} A record in response"
 	lines=$(get_keys_which_signed A dig.out.$DIR.test$n.a | wc -l)
 	test "$lines" -eq 1 || log_error "bad number ($lines) of RRSIG records in DNS response"
 	get_keys_which_signed A dig.out.$DIR.test$n.a | grep "^${KEY_ID}$" > /dev/null || log_error "A RRset not signed with key ${KEY_ID}"
-	dig_with_opts "d.${ZONE}" @10.53.0.3 A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed"
+	dig_with_opts "d.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed"
 	grep "status: NOERROR" dig.out.$DIR.test$n.d > /dev/null || log_error "mismatch status in DNS response"
 	grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" dig.out.$DIR.test$n.d > /dev/null || log_error "missing d.${ZONE} A record in response"
 	lines=$(get_keys_which_signed A dig.out.$DIR.test$n.d | wc -l)
@ -756,7 +773,7 @@ status=$((status+ret))
 #
 # Zone: rsasha1.kasp.
 #
-zone_properties "ns3" "rsasha1.kasp" "rsasha1" "1234" "3"
+zone_properties "ns3" "rsasha1.kasp" "rsasha1" "1234" "3" "10.53.0.3"
 key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes"
 key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "1024" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no"
@ -895,7 +912,7 @@ check_cds() {
 	n=$((n+1))
 	echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)"
 	ret=0
-	dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
+	dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
 	grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
 	if [ "${KEY1[$STATE_DS]}" == "rumoured" ] || [ "${KEY1[$STATE_DS]}" == "omnipresent" ]; then
@ -933,9 +950,33 @@ check_apex() {
 	n=$((n+1))
 	echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)"
 	ret=0
-	dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
+	dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
 	grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
-	grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response"
+
 	if [ "${KEY1[$STATE_DNSKEY]}" == "rumoured" ] || [ "${KEY1[$STATE_DNSKEY]}" == "omnipresent" ]; then
 		grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key ${KEY1[$ID]}"
 		check_signatures $_qtype dig.out.$DIR.test$n $KSK
 		numkeys=$((numkeys+1))
 	elif [ "${KEY1[$EXPECT]}" == "yes" ]; then
 		grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key ${KEY1[$ID]}"
 	fi
 	if [ "${KEY2[$STATE_DNSKEY]}" == "rumoured" ] || [ "${KEY2[$STATE_DNSKEY]}" == "omnipresent" ]; then
 		grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key ${KEY2[$ID]}"
 		check_signatures $_qtype dig.out.$DIR.test$n $KSK
 		numkeys=$((numkeys+1))
 	elif [ "${KEY2[$EXPECT]}" == "yes" ]; then
 		grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key ${KEY2[$ID]}"
 	fi
 	if [ "${KEY3[$STATE_DNSKEY]}" == "rumoured" ] || [ "${KEY3[$STATE_DNSKEY]}" == "omnipresent" ]; then
 		grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key ${KEY3[$ID]}"
 		check_signatures $_qtype dig.out.$DIR.test$n $KSK
 		numkeys=$((numkeys+1))
 	elif [ "${KEY3[$EXPECT]}" == "yes" ]; then
 		grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key ${KEY3[$ID]}"
 	fi
 	lines=$(get_keys_which_signed $_qtype dig.out.$DIR.test$n | wc -l)
 	check_signatures $_qtype dig.out.$DIR.test$n $KSK
 	test "$ret" -eq 0 || echo_i "failed"
@ -946,7 +987,7 @@ check_apex() {
 	n=$((n+1))
 	echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)"
 	ret=0
-	dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
+	dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
 	grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
 	grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response"
 	lines=$(get_keys_which_signed $_qtype dig.out.$DIR.test$n | wc -l)
@ -964,7 +1005,7 @@ check_subdomain() {
 	n=$((n+1))
 	echo_i "check ${_qtype} a.${ZONE} rrset is signed correctly for zone ${ZONE} ($n)"
 	ret=0
-	dig_with_opts a.$ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig a.${ZONE} ${_qtype} failed"
+	dig_with_opts a.$ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig a.${ZONE} ${_qtype} failed"
 	grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
 	grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*10\.0\.0\.1" dig.out.$DIR.test$n > /dev/null || log_error "missing a.${ZONE} ${_qtype} record in response"
 	lines=$(get_keys_which_signed $_qtype dig.out.$DIR.test$n | wc -l)
@ -978,10 +1019,43 @@ check_apex
 check_subdomain
 dnssec_verify
 #
 # Zone: unsigned.kasp.
 #
 zone_properties "ns3" "unsigned.kasp" "none" "0" "0" "10.53.0.3"
 key_clear "KEY1"
 key_clear "KEY2"
 key_clear "KEY3"
 check_keys
 check_apex
 check_subdomain
 #
 # Zone: inherit.kasp.
 #
 zone_properties "ns3" "inherit.kasp" "rsasha1" "1234" "3" "10.53.0.3"
 key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes"
 key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "1024" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no"
 # The first keys are immediately published and activated.
 # Because lifetime > 0, retired timing is also set.
 key_timings "KEY1" "published" "active" "retired" "none" "none"
 key_timings "KEY2" "published" "active" "retired" "none" "none"
 key_timings "KEY3" "published" "active" "retired" "none" "none"
 # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
 # ZSK: DNSKEY, RRSIG (zsk) published.
 key_states "KEY1" "omnipresent" "rumoured" "none" "rumoured" "hidden"
 key_states "KEY2" "omnipresent" "rumoured" "rumoured" "none" "none"
 key_states "KEY3" "omnipresent" "rumoured" "rumoured" "none" "none"
 check_keys
 check_apex
 check_subdomain
 dnssec_verify
 #
 # Zone: dnssec-keygen.kasp.
 #
-zone_properties "ns3" "dnssec-keygen.kasp" "rsasha1" "1234" "3"
+zone_properties "ns3" "dnssec-keygen.kasp" "rsasha1" "1234" "3" "10.53.0.3"
 # key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
@ -991,7 +1065,7 @@ dnssec_verify
 #
 # Zone: some-keys.kasp.
 #
-zone_properties "ns3" "some-keys.kasp" "rsasha1" "1234" "3"
+zone_properties "ns3" "some-keys.kasp" "rsasha1" "1234" "3" "10.53.0.3"
 # key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
@ -1001,7 +1075,7 @@ dnssec_verify
 #
 # Zone: legacy-keys.kasp.
 #
-zone_properties "ns3" "legacy-keys.kasp" "rsasha1" "1234" "3"
+zone_properties "ns3" "legacy-keys.kasp" "rsasha1" "1234" "3" "10.53.0.3"
 # key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
@ -1013,7 +1087,7 @@ dnssec_verify
 #
 # There are more pregenerated keys than needed, hence the number of keys is
 # six, not three.
-zone_properties "ns3" "pregenerated.kasp" "rsasha1" "1234" "6"
+zone_properties "ns3" "pregenerated.kasp" "rsasha1" "1234" "6" "10.53.0.3"
 # key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
@ -1023,7 +1097,7 @@ dnssec_verify
 #
 # Zone: secondary.kasp.
 #
-zone_properties "ns3" "secondary.kasp" "rsasha1" "1234" "3"
+zone_properties "ns3" "secondary.kasp" "rsasha1" "1234" "3" "10.53.0.3"
 # KSK properties, timings and states same as above.
 check_keys
 check_apex
@ -1042,12 +1116,12 @@ while [ $i -lt 5 ]
 do
 	ret=0
-	dig_with_opts "a.${ZONE}" @10.53.0.3 A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed"
+	dig_with_opts "a.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed"
 	grep "status: NOERROR" dig.out.$DIR.test$n.a > /dev/null || log_error "mismatch status in DNS response"
 	grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" dig.out.$DIR.test$n.a > /dev/null || log_error "missing a.${ZONE} A record in response"
 	check_signatures $_qtype dig.out.$DIR.test$n.a $ZSK
-	dig_with_opts "d.${ZONE}" @10.53.0.3 A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed"
+	dig_with_opts "d.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed"
 	grep "status: NOERROR" dig.out.$DIR.test$n.d > /dev/null || log_error "mismatch status in DNS response"
 	grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" dig.out.$DIR.test$n.d > /dev/null || log_error "missing d.${ZONE} A record in response"
 	lines=$(get_keys_which_signed A dig.out.$DIR.test$n.d | wc -l)
@ -1069,7 +1143,7 @@ status=$((status+ret))
 #
 # Zone: rsasha1-nsec3.kasp.
 #
-zone_properties "ns3" "rsasha1-nsec3.kasp" "rsasha1-nsec3" "1234" "3"
+zone_properties "ns3" "rsasha1-nsec3.kasp" "rsasha1-nsec3" "1234" "3" "10.53.0.3"
 key_properties "KEY1" "ksk" "315360000" "7" "NSEC3RSASHA1" "2048" "no" "yes"
 key_properties "KEY2" "zsk" "157680000" "7" "NSEC3RSASHA1" "1024" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "7" "NSEC3RSASHA1" "2000" "yes" "no"
@ -1082,7 +1156,7 @@ dnssec_verify
 #
 # Zone: rsasha256.kasp.
 #
-zone_properties "ns3" "rsasha256.kasp" "rsasha256" "1234" "3"
+zone_properties "ns3" "rsasha256.kasp" "rsasha256" "1234" "3" "10.53.0.3"
 key_properties "KEY1" "ksk" "315360000" "8" "RSASHA256" "2048" "no" "yes"
 key_properties "KEY2" "zsk" "157680000" "8" "RSASHA256" "1024" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "8" "RSASHA256" "2000" "yes" "no"
@ -1095,7 +1169,7 @@ dnssec_verify
 #
 # Zone: rsasha512.kasp.
 #
-zone_properties "ns3" "rsasha512.kasp" "rsasha512" "1234" "3"
+zone_properties "ns3" "rsasha512.kasp" "rsasha512" "1234" "3" "10.53.0.3"
 key_properties "KEY1" "ksk" "315360000" "10" "RSASHA512" "2048" "no" "yes"
 key_properties "KEY2" "zsk" "157680000" "10" "RSASHA512" "1024" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "10" "RSASHA512" "2000" "yes" "no"
@ -1108,7 +1182,7 @@ dnssec_verify
 #
 # Zone: ecdsa256.kasp.
 #
-zone_properties "ns3" "ecdsa256.kasp" "ecdsa256" "1234" "3"
+zone_properties "ns3" "ecdsa256.kasp" "ecdsa256" "1234" "3" "10.53.0.3"
 key_properties "KEY1" "ksk" "315360000" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_properties "KEY2" "zsk" "157680000" "13" "ECDSAP256SHA256" "256" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes" "no"
@ -1121,7 +1195,7 @@ dnssec_verify
 #
 # Zone: ecdsa512.kasp.
 #
-zone_properties "ns3" "ecdsa384.kasp" "ecdsa384" "1234" "3"
+zone_properties "ns3" "ecdsa384.kasp" "ecdsa384" "1234" "3" "10.53.0.3"
 key_properties "KEY1" "ksk" "315360000" "14" "ECDSAP384SHA384" "384" "no" "yes"
 key_properties "KEY2" "zsk" "157680000" "14" "ECDSAP384SHA384" "384" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "14" "ECDSAP384SHA384" "384" "yes" "no"
@ -1136,7 +1210,7 @@ dnssec_verify
 #
 # Zone: expired-sigs.autosign.
 #
-zone_properties "ns3" "expired-sigs.autosign" "autosign" "300" "2"
+zone_properties "ns3" "expired-sigs.autosign" "autosign" "300" "2" "10.53.0.3"
 # Both KSK and ZSK stay OMNIPRESENT.
 key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
@ -1161,7 +1235,7 @@ check_rrsig_refresh() {
 		n=$((n+1))
 		echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
 		ret=0
-		dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
+		dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
 		grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
 		grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response"
 		# If this exact RRSIG is also in the zone file it is not refreshed.
@ -1181,7 +1255,7 @@ check_rrsig_refresh() {
 			n=$((n+1))
 			echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
 			ret=0
-			dig_with_opts "${_label}.${ZONE}" @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
+			dig_with_opts "${_label}.${ZONE}" @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
 			grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
 			grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response"
 			_rrsig=`cat rrsig.out.$ZONE.$_qtype`
@ -1197,7 +1271,7 @@ check_rrsig_refresh
 #
 # Zone: fresh-sigs.autosign.
 #
-zone_properties "ns3" "fresh-sigs.autosign" "autosign" "300" "2"
+zone_properties "ns3" "fresh-sigs.autosign" "autosign" "300" "2" "10.53.0.3"
 # key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
@ -1213,7 +1287,7 @@ check_rrsig_reuse() {
 		n=$((n+1))
 		echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
 		ret=0
-		dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
+		dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
 		grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
 		grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response"
 		# If this exact RRSIG is also in the zone file it is not refreshed.
@ -1233,7 +1307,7 @@ check_rrsig_reuse() {
 			n=$((n+1))
 			echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
 			ret=0
-			dig_with_opts "${_label}.${ZONE}" @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
+			dig_with_opts "${_label}.${ZONE}" @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
 			grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
 			grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response"
 			_rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < rrsig.out.$ZONE.$_qtype)
@ -1249,7 +1323,7 @@ check_rrsig_reuse
 #
 # Zone: unfresh-sigs.autosign.
 #
-zone_properties "ns3" "unfresh-sigs.autosign" "autosign" "300" "2"
+zone_properties "ns3" "unfresh-sigs.autosign" "autosign" "300" "2" "10.53.0.3"
 # key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
@ -1260,7 +1334,7 @@ check_rrsig_refresh
 #
 # Zone: zsk-missing.autosign.
 #
-zone_properties "ns3" "zsk-missing.autosign" "autosign" "300" "2"
+zone_properties "ns3" "zsk-missing.autosign" "autosign" "300" "2" "10.53.0.3"
 # KSK stays OMNIPRESENT.
 key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
@ -1271,7 +1345,7 @@ key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
 #
 # Zone: zsk-retired.autosign.
 #
-zone_properties "ns3" "zsk-retired.autosign" "autosign" "300" "3"
+zone_properties "ns3" "zsk-retired.autosign" "autosign" "300" "3" "10.53.0.3"
 # KSK properties, timings and states same as above.
 # The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK
 # is active.
@ -1284,6 +1358,178 @@ key_properties "KEY3" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "no" "no"
 key_timings "KEY3" "published" "active" "retired" "none" "none"
 key_states "KEY3" "omnipresent" "rumoured" "hidden" "none" "none"
 #
 # Test dnssec-policy inheritance.
 #
 # These zones should be unsigned:
 # ns2/unsigned.tld
 # ns4/none.inherit.signed
 # ns4/none.override.signed
 # ns4/inherit.none.signed
 # ns4/none.none.signed
 # ns5/inherit.inherit.unsigned
 # ns5/none.inherit.unsigned
 # ns5/none.override.unsigned
 # ns5/inherit.none.unsigned
 # ns5/none.none.unsigned
 key_clear "KEY1"
 key_clear "KEY2"
 key_clear "KEY3"
 zone_properties "ns2" "unsigned.tld" "none" "0" "0" "10.53.0.2"
 TSIG=""
 check_keys
 check_apex
 check_subdomain
 zone_properties "ns4" "none.inherit.signed" "none" "0" "0" "10.53.0.4"
 TSIG="hmac-sha1:sha1:$SHA1"
 check_keys
 check_apex
 check_subdomain
 zone_properties "ns4" "none.override.signed" "none" "0" "0" "10.53.0.4"
 TSIG="hmac-sha224:sha224:$SHA224"
 check_keys
 check_apex
 check_subdomain
 zone_properties "ns4" "inherit.none.signed" "none" "0" "0" "10.53.0.4"
 TSIG="hmac-sha256:sha256:$SHA256"
 check_keys
 check_apex
 check_subdomain
 zone_properties "ns4" "none.none.signed" "none" "0" "0" "10.53.0.4"
 TSIG="hmac-sha256:sha256:$SHA256"
 check_keys
 check_apex
 check_subdomain
 zone_properties "ns5" "inherit.inherit.unsigned" "none" "0" "0" "10.53.0.5"
 TSIG="hmac-sha1:sha1:$SHA1"
 check_keys
 check_apex
 check_subdomain
 zone_properties "ns5" "none.inherit.unsigned" "none" "0" "0" "10.53.0.5"
 TSIG="hmac-sha1:sha1:$SHA1"
 check_keys
 check_apex
 check_subdomain
 zone_properties "ns5" "none.override.unsigned" "none" "0" "0" "10.53.0.5"
 TSIG="hmac-sha224:sha224:$SHA224"
 check_keys
 check_apex
 check_subdomain
 zone_properties "ns5" "inherit.none.unsigned" "none" "0" "0" "10.53.0.5"
 TSIG="hmac-sha256:sha256:$SHA256"
 check_keys
 check_apex
 check_subdomain
 zone_properties "ns5" "none.none.unsigned" "none" "0" "0" "10.53.0.5"
 TSIG="hmac-sha256:sha256:$SHA256"
 check_keys
 check_apex
 check_subdomain
 # These zones should be signed with the default policy:
 # ns2/signed.tld
 # ns4/override.inherit.signed
 # ns4/inherit.override.signed
 # ns5/override.inherit.signed
 # ns5/inherit.override.signed
 key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
 key_timings "KEY1" "published" "active" "none" "none" "none" "none"
 key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden"
 zone_properties "ns2" "signed.tld" "default" "3600" "1" "10.53.0.2"
 TSIG=""
 check_keys
 check_apex
 check_subdomain
 dnssec_verify
 zone_properties "ns4" "override.inherit.signed" "default" "3600" "1" "10.53.0.4"
 TSIG="hmac-sha1:sha1:$SHA1"
 check_keys
 check_apex
 check_subdomain
 dnssec_verify
 zone_properties "ns4" "inherit.override.signed" "default" "3600" "1" "10.53.0.4"
 TSIG="hmac-sha224:sha224:$SHA224"
 check_keys
 check_apex
 check_subdomain
 dnssec_verify
 zone_properties "ns5" "override.inherit.unsigned" "default" "3600" "1" "10.53.0.5"
 TSIG="hmac-sha1:sha1:$SHA1"
 check_keys
 check_apex
 check_subdomain
 dnssec_verify
 zone_properties "ns5" "inherit.override.unsigned" "default" "3600" "1" "10.53.0.5"
 TSIG="hmac-sha224:sha224:$SHA224"
 check_keys
 check_apex
 check_subdomain
 dnssec_verify
 # These zones should be signed with the test policy:
 # ns4/inherit.inherit.signed
 # ns4/override.override.signed
 # ns4/override.none.signed
 # ns5/override.override.unsigned
 # ns5/override.none.unsigned
 key_properties "KEY1" "csk" "0" "14" "ECDSAP384SHA384" "384" "yes" "yes"
 key_timings "KEY1" "published" "active" "none" "none" "none" "none"
 key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden"
 zone_properties "ns4" "inherit.inherit.signed" "test" "3600" "1" "10.53.0.4"
 TSIG="hmac-sha1:sha1:$SHA1"
 check_keys
 check_apex
 check_subdomain
 dnssec_verify
 zone_properties "ns4" "override.override.signed" "test" "3600" "1" "10.53.0.4"
 TSIG="hmac-sha224:sha224:$SHA224"
 check_keys
 check_apex
 check_subdomain
 dnssec_verify
 zone_properties "ns4" "override.none.signed" "test" "3600" "1" "10.53.0.4"
 TSIG="hmac-sha256:sha256:$SHA256"
 check_keys
 check_apex
 check_subdomain
 dnssec_verify
 zone_properties "ns5" "override.override.unsigned" "test" "3600" "1" "10.53.0.5"
 TSIG="hmac-sha224:sha224:$SHA224"
 check_keys
 check_apex
 check_subdomain
 dnssec_verify
 zone_properties "ns5" "override.none.unsigned" "test" "3600" "1" "10.53.0.5"
 TSIG="hmac-sha256:sha256:$SHA256"
 check_keys
 check_apex
 check_subdomain
 dnssec_verify
 # Clear TSIG.
 TSIG=""
 #
 # Testing ZSK Pre-Publication rollover.
 #
@ -1291,7 +1537,7 @@ key_states "KEY3" "omnipresent" "rumoured" "hidden" "none" "none"
 #
 # Zone: step1.zsk-prepub.autosign.
 #
-zone_properties "ns3" "step1.zsk-prepub.autosign" "zsk-prepub" "3600" "2"
+zone_properties "ns3" "step1.zsk-prepub.autosign" "zsk-prepub" "3600" "2" "10.53.0.3"
 # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
 key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
@ -1337,7 +1583,7 @@ check_next_key_event 2498400
 #
 # Zone: step2.zsk-prepub.autosign.
 #
-zone_properties "ns3" "step2.zsk-prepub.autosign" "zsk-prepub" "3600" "3"
+zone_properties "ns3" "step2.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3"
 # KSK (KEY1) doesn't change.
 # ZSK (KEY2) remains active, no change in properties/timings/states.
 # New ZSK (KEY3) is prepublished.
@ -1357,7 +1603,7 @@ check_next_key_event 93600
 #
 # Zone: step3.zsk-prepub.autosign.
 #
-zone_properties "ns3" "step3.zsk-prepub.autosign" "zsk-prepub" "3600" "3"
+zone_properties "ns3" "step3.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3"
 # KSK (KEY1) doesn't change.
 # ZSK (KEY2) properties and timing metadata same as above.
 # ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE.
@ -1385,7 +1631,7 @@ check_next_key_event 867600
 #
 # Zone: step4.zsk-prepub.autosign.
 #
-zone_properties "ns3" "step4.zsk-prepub.autosign" "zsk-prepub" "3600" "3"
+zone_properties "ns3" "step4.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3"
 # KSK (KEY1) doesn't change.
 # ZSK (KEY2) properties and timing metadata same as above.
 # ZSK (KEY2) DNSKEY is no longer needed.
@ -1407,7 +1653,7 @@ check_next_key_event 7200
 #
 # Zone: step5.zsk-prepub.autosign.
 #
-zone_properties "ns3" "step5.zsk-prepub.autosign" "zsk-prepub" "3600" "3"
+zone_properties "ns3" "step5.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3"
 # KSK (KEY1) doesn't change.
 # ZSK (KEY2) properties and timing metadata same as above.
 # ZSK (KEY3) DNSKEY is now completely HIDDEN and removed.
@ -1431,7 +1677,7 @@ check_next_key_event 1627200
 #
 # Zone: step1.ksk-doubleksk.autosign.
 #
-zone_properties "ns3" "step1.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "2"
+zone_properties "ns3" "step1.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "2" "10.53.0.3"
 # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
 key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
@ -1456,7 +1702,7 @@ check_next_key_event 5000400
 #
 # Zone: step2.ksk-doubleksk.autosign.
 #
-zone_properties "ns3" "step2.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3"
+zone_properties "ns3" "step2.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3"
 # ZSK (KEY2) doesn't change.
 # KSK (KEY1) remains active, no change in properties/timings/states.
 # New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
@ -1476,7 +1722,7 @@ check_next_key_event 97200
 #
 # Zone: step3.ksk-doubleksk.autosign.
 #
-zone_properties "ns3" "step3.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3"
+zone_properties "ns3" "step3.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3"
 # ZSK (KEY2) doesn't change.
 # KSK (KEY1) DS will be removed, so it is UNRETENTIVE.
 key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "unretentive"
@ -1499,7 +1745,7 @@ check_next_key_event 266400
 #
 # Zone: step4.ksk-doubleksk.autosign.
 #
-zone_properties "ns3" "step4.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3"
+zone_properties "ns3" "step4.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3"
 # ZSK (KEY2) doesn't change.
 # KSK (KEY1) DNSKEY can be removed.
 key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "no"
@ -1519,7 +1765,7 @@ check_next_key_event 10800
 #
 # Zone: step5.ksk-doubleksk.autosign.
 #
-zone_properties "ns3" "step5.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3"
+zone_properties "ns3" "step5.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3"
 # ZSK (KEY2) doesn't change.
 # KSK (KEY1) DNSKEY is now HIDDEN.
 key_states "KEY1" "hidden" "hidden" "none" "hidden" "hidden"
@ -1542,7 +1788,7 @@ check_next_key_event 4813200
 #
 # Zone: step1.csk-roll.autosign.
 #
-zone_properties "ns3" "step1.csk-roll.autosign" "csk-roll" "3600" "1"
+zone_properties "ns3" "step1.csk-roll.autosign" "csk-roll" "3600" "1" "10.53.0.3"
 # The CSK (KEY1) starts in OMNIPRESENT.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
@ -1566,7 +1812,7 @@ check_next_key_event 15973200
 # Zone: step2.csk-roll.autosign.
 #
 # Set key properties for testing keys.
-zone_properties "ns3" "step2.csk-roll.autosign" "csk-roll" "3600" "2"
+zone_properties "ns3" "step2.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
 # CSK (KEY1) remains active, no change in properties/timings/states.
 # New CSK (KEY2) is prepublished (and signs DNSKEY RRset).
 key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
@ -1586,7 +1832,7 @@ check_next_key_event 10800
 # Zone: step3.csk-roll.autosign.
 #
 # Set key properties for testing keys.
-zone_properties "ns3" "step3.csk-roll.autosign" "csk-roll" "3600" "2"
+zone_properties "ns3" "step3.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
 # CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive"
@ -1613,7 +1859,7 @@ check_next_key_event 100800
 #
 # Zone: step4.csk-roll.autosign.
 #
-zone_properties "ns3" "step4.csk-roll.autosign" "csk-roll" "3600" "2"
+zone_properties "ns3" "step4.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
 # The old CSK (KEY1) DS is hidden.  We still need to keep the DNSKEY public
 # but can remove the KRRSIG records.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
@ -1634,7 +1880,7 @@ check_next_key_event 7200
 #
 # Zone: step5.csk-roll.autosign.
 #
-zone_properties "ns3" "step5.csk-roll.autosign" "csk-roll" "3600" "2"
+zone_properties "ns3" "step5.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
 # The old CSK (KEY1) KRRSIG records are now all hidden.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
 key_states "KEY1" "hidden" "omnipresent" "unretentive" "hidden" "hidden"
@ -1654,7 +1900,7 @@ check_next_key_event 2149200
 #
 # Zone: step6.csk-roll.autosign.
 #
-zone_properties "ns3" "step6.csk-roll.autosign" "csk-roll" "3600" "2"
+zone_properties "ns3" "step6.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
 # The old CSK (KEY1) DNSKEY can be removed.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
 key_states "KEY1" "hidden" "unretentive" "hidden" "hidden" "hidden"
@ -1674,7 +1920,7 @@ check_next_key_event 7200
 #
 # Zone: step7.csk-roll.autosign.
 #
-zone_properties "ns3" "step7.csk-roll.autosign" "csk-roll" "3600" "2"
+zone_properties "ns3" "step7.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
 # The old CSK (KEY1) is now completely HIDDEN.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
 key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden"
@ -1699,7 +1945,7 @@ check_next_key_event 13708800
 #
 # Zone: step1.csk-roll2.autosign.
 #
-zone_properties "ns3" "step1.csk-roll2.autosign" "csk-roll2" "3600" "1"
+zone_properties "ns3" "step1.csk-roll2.autosign" "csk-roll2" "3600" "1" "10.53.0.3"
 # The CSK (KEY1) starts in OMNIPRESENT.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
@ -1723,7 +1969,7 @@ check_next_key_event 15454800
 # Zone: step2.csk-roll2.autosign.
 #
 # Set key properties for testing keys.
-zone_properties "ns3" "step2.csk-roll2.autosign" "csk-roll2" "3600" "2"
+zone_properties "ns3" "step2.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3"
 # CSK (KEY1) remains active, no change in properties/timings/states.
 # New CSK (KEY2) is prepublished (and signs DNSKEY RRset).
 key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
@ -1743,7 +1989,7 @@ check_next_key_event 10800
 # Zone: step3.csk-roll2.autosign.
 #
 # Set key properties for testing keys.
-zone_properties "ns3" "step3.csk-roll2.autosign" "csk-roll2" "3600" "2"
+zone_properties "ns3" "step3.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3"
 # CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive"
@ -1771,7 +2017,7 @@ check_next_key_event 136800
 #
 # Zone: step4.csk-roll2.autosign.
 #
-zone_properties "ns3" "step4.csk-roll2.autosign" "csk-roll2" "3600" "2"
+zone_properties "ns3" "step4.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3"
 # The old CSK (KEY1) ZRRSIG is now HIDDEN.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_states "KEY1" "hidden" "omnipresent" "hidden" "omnipresent" "unretentive"
@ -1795,7 +2041,7 @@ check_next_key_event 478800
 #
 # Zone: step5.csk-roll2.autosign.
 #
-zone_properties "ns3" "step5.csk-roll2.autosign" "csk-roll2" "3600" "2"
+zone_properties "ns3" "step5.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3"
 # The old CSK (KEY1) DNSKEY can be removed.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
 key_states "KEY1" "hidden" "unretentive" "hidden" "unretentive" "hidden"
@ -1815,7 +2061,7 @@ check_next_key_event 7200
 #
 # Zone: step6.csk-roll2.autosign.
 #
-zone_properties "ns3" "step6.csk-roll2.autosign" "csk-roll" "3600" "2"
+zone_properties "ns3" "step6.csk-roll2.autosign" "csk-roll" "3600" "2" "10.53.0.3"
 # The old CSK (KEY1) is now completely HIDDEN.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
 key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden"
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@ -842,6 +842,21 @@ check_name(const char *str) {
 	return (dns_name_fromstring(dns_fixedname_name(&fixed), str, 0, NULL));
 }
 static bool
 kasp_name_allowed(const cfg_listelt_t *element)
 {
 	const char* name = cfg_obj_asstring(cfg_tuple_get(
 		cfg_listelt_value(element), "name"));
 	if (strcmp("none", name) == 0) {
 		return false;
 	}
 	if (strcmp("default", name) == 0) {
 		return false;
 	}
 	return true;
 }
 static isc_result_t
 check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 	      optlevel_t optlevel)
@ -950,14 +965,15 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 	}
 	/*
-	 * Check dnssec-policy at the view/options level
+	 * Check dnssec-policy.
 	 */
 	obj = NULL;
 	(void)cfg_map_get(options, "dnssec-policy", &obj);
 	if (obj != NULL) {
-		bool bad_kasp = true;
+		bool bad_kasp = false;
-		if (optlevel == optlevel_zone && cfg_obj_isstring(obj)) {
+		bool bad_name = false;
-			bad_kasp = false;
+		if (optlevel != optlevel_config && !cfg_obj_isstring(obj)) {
 			bad_kasp = true;
 		} else if (optlevel == optlevel_config) {
 			if (cfg_obj_islist(obj)) {
 				for (element = cfg_list_first(obj);
@ -967,18 +983,29 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 					if (!cfg_obj_istuple(
 						    cfg_listelt_value(element)))
 					{
-						break;
+						bad_kasp = true;
 					}
 					if (!kasp_name_allowed(element)) {
 						bad_name = true;
 					}
 				}
 				bad_kasp = false;
 			}
 		}
 		if (bad_kasp) {
 			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "dnssec-policy may only be activated at "
+				    "dnssec-policy may only be configured at "
-				    "the top level and referenced to at the "
+				    "the top level, please use name reference "
-				    "zone level");
+				    "at the zone level");
 			if (result == ISC_R_SUCCESS) {
 				result = ISC_R_FAILURE;
 			}
 		}
 		if (bad_name) {
 			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 				    "dnssec-policy name may not be 'none' or "
 				    "'default' (which is the built-in policy)");
 			if (result == ISC_R_SUCCESS) {
 				result = ISC_R_FAILURE;
 			}
@ -2135,6 +2162,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		if (strcmp(kaspname, "default") == 0) {
 			has_dnssecpolicy = true;
 		} else if (strcmp(kaspname, "none") == 0) {
 			has_dnssecpolicy = false;
 		} else {
 			(void)cfg_map_get(config, "dnssec-policy", &kasps);
 			for (element = cfg_list_first(kasps); element != NULL;
@ -2147,18 +2176,19 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 					has_dnssecpolicy = true;
 				}
 			}
 		}
 			if (!has_dnssecpolicy) {
 				cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
-				    "zone '%s': option 'dnssec-policy %s' "
+					    "zone '%s': option "
-				    "has no matching dnssec-policy config",
+					    "'dnssec-policy %s' has no "
 					    "matching dnssec-policy config",
 					    znamestr, kaspname);
 				if (result == ISC_R_SUCCESS) {
 					result = ISC_R_FAILURE;
 				}
 			}
 		}
 	}
 	/*
 	 * Check validity of the zone options.
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@ -126,6 +126,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t* mctx,
 		    cfg_obj_asstring(cfg_tuple_get(config, "name")) :
 		    "default";
 	REQUIRE(strcmp(kaspname, "none") != 0);
 	result = dns_kasplist_find(kasplist, kaspname, &kasp);
 	if (result == ISC_R_SUCCESS) {
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@ -2165,6 +2165,9 @@ zone_clauses[] = {
 	{ "dnssec-loadkeys-interval", &cfg_type_uint32,
 		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
 	},
 	{ "dnssec-policy", &cfg_type_astring,
 		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
 	},
 	{ "dnssec-secure-to-insecure", &cfg_type_boolean,
 		CFG_ZONE_MASTER
 	},
@ -2335,9 +2338,6 @@ zone_only_clauses[] = {
 	{ "dlz", &cfg_type_astring,
 		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_REDIRECT
 	},
 	{ "dnssec-policy", &cfg_type_astring,
 		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
 	},
 	{ "file", &cfg_type_qstring,
 		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR |
 		CFG_ZONE_STUB | CFG_ZONE_HINT | CFG_ZONE_REDIRECT
--- a/util/copyrights
+++ b/util/copyrights
@ -698,6 +698,8 @@
 ./bin/tests/system/kasp/clean.sh		SH	2019
 ./bin/tests/system/kasp/ns2/setup.sh		SH	2019
 ./bin/tests/system/kasp/ns3/setup.sh		SH	2019
 ./bin/tests/system/kasp/ns4/setup.sh		SH	2019
 ./bin/tests/system/kasp/ns5/setup.sh		SH	2019
 ./bin/tests/system/kasp/setup.sh		SH	2019
 ./bin/tests/system/kasp/tests.sh		SH	2019
 ./bin/tests/system/keepalive/clean.sh		SH	2017,2018,2019