diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 85a88f5856..bd7ee71ded 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -350,10 +350,9 @@ setup step2.enable-dnssec.autosign
 TpubN="now-900s"
 # RRSIG TTL:              12 hour (43200 seconds)
 # zone-propagation-delay: 5 minutes (300 seconds)
-# retire-safety:          20 minutes (1200 seconds)
 # Already passed time:    -900 seconds
-# Total:                  43800 seconds
-TsbmN="now+43800s"
+# Total:                  42600 seconds
+TsbmN="now+42600s"
 keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
 CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1)
 $SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
@@ -365,10 +364,10 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $i
 # Step 3:
 # The zone signatures have been published long enough to become OMNIPRESENT.
 setup step3.enable-dnssec.autosign
-# Passed time since publications: 43800 + 900 = 44700 seconds.
-TpubN="now-44700s"
+# Passed time since publications: 42600 + 900 = 43500 seconds.
+TpubN="now-43500s"
 # The key is secure for using in chain of trust when the DNSKEY is OMNIPRESENT.
-TcotN="now-43800s"
+TcotN="now-42600s"
 # We can submit the DS now.
 TsbmN="now"
 keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh
index 312a70518b..fcdabad355 100644
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
@@ -127,9 +127,9 @@ setup step2.algorithm-roll.kasp
 # The time passed since the new algorithm keys have been introduced is 3 hours.
 TactN="now-3h"
 TpubN1="now-3h"
-# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety =
-# now - 3h + 6h + 1h + 1h = now + 5h
-TsbmN1="now+5h"
+# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp =
+# now - 3h + 6h + 1h = now + 4h
+TsbmN1="now+4h"
 ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I now"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I now"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@@ -156,11 +156,11 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
 # Step 3:
 # The zone signatures are also OMNIPRESENT.
 setup step3.algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 9 hours.
-TactN="now-9h"
-TretN="now-6h"
-TpubN1="now-9h"
-TsbmN1="now-1h"
+# The time passed since the new algorithm keys have been introduced is 7 hours.
+TactN="now-7h"
+TretN="now-3h"
+TpubN1="now-7h"
+TsbmN1="now"
 ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@@ -188,11 +188,11 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
 # The DS is swapped and can become OMNIPRESENT.
 setup step4.algorithm-roll.kasp
 # The time passed since the DS has been swapped is 29 hours.
-TactN="now-38h"
-TretN="now-35h"
-TpubN1="now-38h"
-TsbmN1="now-30h"
-TactN1="now-29h"
+TactN="now-36h"
+TretN="now-33h"
+TpubN1="now-36h"
+TsbmN1="now-29h"
+TactN1="now-27h"
 ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@@ -220,12 +220,12 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
 # The DNSKEY is removed long enough to be HIDDEN.
 setup step5.algorithm-roll.kasp
 # The time passed since the DNSKEY has been removed is 2 hours.
-TactN="now-40h"
-TretN="now-37h"
+TactN="now-38h"
+TretN="now-35h"
 TremN="now-2h"
-TpubN1="now-40h"
-TsbmN1="now-32h"
-TactN1="now-31h"
+TpubN1="now-38h"
+TsbmN1="now-31h"
+TactN1="now-29h"
 ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@@ -253,13 +253,13 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
 # The RRSIGs have been removed long enough to be HIDDEN.
 setup step6.algorithm-roll.kasp
 # Additional time passed: 7h.
-TactN="now-47h"
-TretN="now-44h"
+TactN="now-45h"
+TretN="now-42h"
 TremN="now-7h"
-TpubN1="now-47h"
-TsbmN1="now-39h"
-TactN1="now-38h"
-TdeaN="now-9h"
+TpubN1="now-45h"
+TsbmN1="now-38h"
+TactN1="now-36h"
+TdeaN="now-7h"
 ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@@ -324,11 +324,11 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
 # Step 3:
 # The zone signatures are also OMNIPRESENT.
 setup step3.csk-algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 9 hours.
-TactN="now-9h"
-TretN="now-6h"
-TpubN1="now-9h"
-TactN1="now-6h"
+# The time passed since the new algorithm keys have been introduced is 7 hours.
+TactN="now-7h"
+TretN="now-3h"
+TpubN1="now-7h"
+TactN1="now-3h"
 csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
 newtimes="-P ${TpubN1} -A ${TpubN1}"
 CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
@@ -347,10 +347,10 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
 # The DS is swapped and can become OMNIPRESENT.
 setup step4.csk-algorithm-roll.kasp
 # The time passed since the DS has been swapped is 29 hours.
-TactN="now-38h"
-TretN="now-35h"
-TpubN1="now-38h"
-TactN1="now-35h"
+TactN="now-36h"
+TretN="now-33h"
+TpubN1="now-36h"
+TactN1="now-33h"
 TsubN1="now-29h"
 csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
 newtimes="-P ${TpubN1} -A ${TpubN1}"
@@ -370,11 +370,11 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
 # The DNSKEY is removed long enough to be HIDDEN.
 setup step5.csk-algorithm-roll.kasp
 # The time passed since the DNSKEY has been removed is 2 hours.
-TactN="now-40h"
-TretN="now-37h"
+TactN="now-38h"
+TretN="now-35h"
 TremN="now-2h"
-TpubN1="now-40h"
-TactN1="now-37h"
+TpubN1="now-38h"
+TactN1="now-35h"
 TsubN1="now-31h"
 csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
 newtimes="-P ${TpubN1} -A ${TpubN1}"
@@ -394,12 +394,12 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
 # The RRSIGs have been removed long enough to be HIDDEN.
 setup step6.csk-algorithm-roll.kasp
 # Additional time passed: 7h.
-TactN="now-47h"
-TretN="now-44h"
+TactN="now-45h"
+TretN="now-42h"
 TdeaN="now-9h"
 TremN="now-7h"
-TpubN1="now-47h"
-TactN1="now-44h"
+TpubN1="now-45h"
+TactN1="now-42h"
 TsubN1="now-38h"
 csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
 newtimes="-P ${TpubN1} -A ${TpubN1}"
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 2215666bb3..fa64c69f58 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -275,9 +275,8 @@ set_keytimes_csk_policy() {
   set_keytime "KEY1" "ACTIVE" "${created}"
   # The DS can be published if the DNSKEY and RRSIG records are
   # OMNIPRESENT.  This happens after max-zone-ttl (1d) plus
-  # publish-safety (1h) plus zone-propagation-delay (300s) =
-  # 86400 + 3600 + 300 = 90300.
-  set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300
+  # zone-propagation-delay (300s) = 86400 + 300 = 86700.
+  set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 86700
   # Key lifetime is unlimited, so not setting RETIRED and REMOVED.
 }
 
@@ -769,9 +768,8 @@ set_keytimes_algorithm_policy() {
 
   # The DS can be published if the DNSKEY and RRSIG records are
   # OMNIPRESENT.  This happens after max-zone-ttl (1d) plus
-  # publish-safety (1h) plus zone-propagation-delay (300s) =
-  # 86400 + 3600 + 300 = 90300.
-  set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
+  # zone-propagation-delay (300s) = 86400 + 300 = 86700.
+  set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 86700
   # Key lifetime is 10 years, 315360000 seconds.
   set_addkeytime "KEY1" "RETIRED" "${published}" 315360000
   # The key is removed after the retire time plus DS TTL (1d),
@@ -1720,10 +1718,10 @@ published=$(awk '{print $3}' <published.test${n}.key1)
 set_keytime "KEY1" "PUBLISHED" "${published}"
 set_keytime "KEY1" "ACTIVE" "${published}"
 published=$(key_get KEY1 PUBLISHED)
-# The DS can be published if the DNSKEY and RRSIG records are OMNIPRESENT.
-#  This happens after max-zone-ttl (1d) plus publish-safety (1h) plus
-# zone-propagation-delay (300s) = 86400 + 3600 + 300 = 90300.
-set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
+# The DS can be published if the zone is fully signed.
+# This happens after max-zone-ttl (1d) plus
+# zone-propagation-delay (300s) = 86400 + 300 = 86700.
+set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 86700
 # Key lifetime is 6 months, 315360000 seconds.
 set_addkeytime "KEY1" "RETIRED" "${published}" 16070400
 # The key is removed after the retire time plus DS TTL (1d), parent
@@ -2486,9 +2484,9 @@ set_keytime "KEY1" "PUBLISHED" "${created}"
 set_keytime "KEY1" "ACTIVE" "${created}"
 # - The DS can be published if the DNSKEY and RRSIG records are
 #   OMNIPRESENT.  This happens after max-zone-ttl (12h) plus
-#   publish-safety (5m) plus zone-propagation-delay (5m) =
-#   43200 + 300 + 300 = 43800.
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
+#   plus zone-propagation-delay (5m) =
+#   43200 + 300 = 43500.
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43500
 # - Key lifetime is unlimited, so not setting RETIRED and REMOVED.
 
 # Various signing policy checks.
@@ -2556,7 +2554,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 created=$(key_get KEY1 CREATED)
 set_addkeytime "KEY1" "PUBLISHED" "${created}" -900
 set_addkeytime "KEY1" "ACTIVE" "${created}" -900
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 42600
 
 # Continue signing policy checks.
 check_keytimes
@@ -2566,8 +2564,8 @@ dnssec_verify
 
 # Next key event is when the zone signatures become OMNIPRESENT: max-zone-ttl
 # plus zone propagation delay plus retire safety minus the already elapsed
-# 900 seconds: 12h + 300s + 20m - 900 = 44700 - 900 = 43800 seconds
-check_next_key_event 43800
+# 900 seconds: 12h + 300s + 20m - 900 = 43500 - 900 = 42600 seconds
+check_next_key_event 42600
 
 #
 # Zone: step3.enable-dnssec.autosign.
@@ -2584,10 +2582,10 @@ check_keys
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # Set expected key times:
-# - The key was published and activated 44700 seconds ago (with settime).
+# - The key was published and activated 43500 seconds ago (with settime).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700
-set_addkeytime "KEY1" "ACTIVE" "${created}" -44700
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -43500
+set_addkeytime "KEY1" "ACTIVE" "${created}" -43500
 set_keytime "KEY1" "SYNCPUBLISH" "${created}"
 
 # Continue signing policy checks.
@@ -2603,8 +2601,8 @@ check_cdslog "$DIR" "$ZONE" KEY1
 rndc_checkds "$SERVER" "$DIR" KEY1 "now" "published" "$ZONE"
 # Next key event is when the DS can move to the OMNIPRESENT state.  This occurs
 # when the parent propagation delay have passed, plus the DS TTL and retire
-# safety delay:  1h + 2h + 20m = 3h20m = 12000 seconds
-check_next_key_event 12000
+# safety delay:  1h + 2h = 3h = 10800 seconds
+check_next_key_event 10800
 
 #
 # Zone: step4.enable-dnssec.autosign.
@@ -4388,9 +4386,9 @@ check_subdomain
 dnssec_verify
 
 # Next key event is when the DS becomes HIDDEN. This happens after the
-# parent propagation delay, retire safety delay, and DS TTL:
-# 1h + 1h + 1d = 26h = 93600 seconds.
-check_next_key_event 93600
+# parent propagation delay, and DS TTL:
+# 1h + 1d = 25h = 90000 seconds.
+check_next_key_event 90000
 
 #
 # Zone: step2.going-insecure.kasp
@@ -4456,8 +4454,8 @@ dnssec_verify
 
 # Next key event is when the DS becomes HIDDEN. This happens after the
 # parent propagation delay, retire safety delay, and DS TTL:
-# 1h + 1h + 1d = 26h = 93600 seconds.
-check_next_key_event 93600
+# 1h + 1d = 25h = 90000 seconds.
+check_next_key_event 90000
 
 #
 # Zone: step2.going-insecure-dynamic.kasp
@@ -4651,12 +4649,11 @@ set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
 created=$(key_get KEY3 CREATED)
 set_keytime "KEY3" "PUBLISHED" "${created}"
 set_keytime "KEY3" "ACTIVE" "${created}"
-# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
+# - It takes TTLsig + Dprp to propagate the zone.
 #   TTLsig:         6h (39600 seconds)
 #   Dprp:           1h (3600 seconds)
-#   publish-safety: 1h (3600 seconds)
-#   Ipub:           8h (28800 seconds)
-Ipub=28800
+#   Ipub:           7h (25200 seconds)
+Ipub=25200
 set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
 # - The new ZSK is published and activated.
 created=$(key_get KEY4 CREATED)
@@ -4725,12 +4722,12 @@ dnssec_verify
 
 # Next key event is when all zone signatures are signed with the new
 # algorithm.  This is the max-zone-ttl plus zone propagation delay
-# plus retire safety: 6h + 1h + 2h.  But three hours have already passed
-# (the time it took to make the DNSKEY omnipresent), so the next event
-# should be scheduled in 6 hour: 21600 seconds.  Prevent intermittent
+# 6h + 1h.  But three hours have already passed (the time it took to
+# make the DNSKEY omnipresent), so the next event should be scheduled
+# in 4 hour: 14400 seconds.  Prevent intermittent
 # false positives on slow platforms by subtracting the number of seconds
 # which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((21600 - time_passed))
+next_time=$((14400 - time_passed))
 check_next_key_event $next_time
 
 #
@@ -4753,28 +4750,28 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 check_cdslog "$DIR" "$ZONE" KEY3
 
 # Set expected key times:
-# - The old keys were activated 9 hours ago (32400 seconds).
-rollover_predecessor_keytimes -32400
-# - And retired 6 hours ago (21600 seconds).
+# - The old keys were activated 7 hours ago (25200 seconds).
+rollover_predecessor_keytimes -25200
+# - And retired 3 hours ago (10800 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -21600
+set_addkeytime "KEY1" "RETIRED" "${created}" -10800
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
 
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -21600
+set_addkeytime "KEY2" "RETIRED" "${created}" -10800
 retired=$(key_get KEY2 RETIRED)
 set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
-# - The new keys are published 9 hours ago.
+# - The new keys are published 7 hours ago.
 created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400
-set_addkeytime "KEY3" "ACTIVE" "${created}" -32400
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -25200
+set_addkeytime "KEY3" "ACTIVE" "${created}" -25200
 published=$(key_get KEY3 PUBLISHED)
 set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
 
 created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400
-set_addkeytime "KEY4" "ACTIVE" "${created}" -32400
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -25200
+set_addkeytime "KEY4" "ACTIVE" "${created}" -25200
 
 # Continue signing policy checks.
 check_keytimes
@@ -4787,9 +4784,9 @@ dnssec_verify
 rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
 rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
 # Next key event is when the DS becomes OMNIPRESENT. This happens after the
-# parent propagation delay, retire safety delay, and DS TTL:
-# 1h + 2h + 2h = 5h = 18000 seconds.
-check_next_key_event 18000
+# parent propagation delay, and DS TTL:
+# 1h + 2h = 3h = 10800 seconds.
+check_next_key_event 10800
 
 #
 # Zone: step4.algorithm-roll.kasp
@@ -4816,29 +4813,29 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # Set expected key times:
-# - The old keys were activated 38 hours ago (136800 seconds).
-rollover_predecessor_keytimes -136800
-# - And retired 35 hours ago (126000 seconds).
+# - The old keys were activated 36 hours ago (129600 seconds).
+rollover_predecessor_keytimes -129600
+# - And retired 33 hours ago (118800 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -126000
+set_addkeytime "KEY1" "RETIRED" "${created}" -118800
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
 
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -126000
+set_addkeytime "KEY2" "RETIRED" "${created}" -118800
 retired=$(key_get KEY2 RETIRED)
 set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
 
-# - The new keys are published 38 hours ago.
+# - The new keys are published 36 hours ago.
 created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -129600
+set_addkeytime "KEY3" "ACTIVE" "${created}" -129600
 published=$(key_get KEY3 PUBLISHED)
 set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
 
 created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY4" "ACTIVE" "${created}" -136800
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -129600
+set_addkeytime "KEY4" "ACTIVE" "${created}" -129600
 
 # Continue signing policy checks.
 check_keytimes
@@ -4867,29 +4864,29 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # Set expected key times:
-# - The old keys were activated 40 hours ago (144000 seconds)
-rollover_predecessor_keytimes -144000
-# - And retired 37 hours ago (133200 seconds).
+# - The old keys were activated 38 hours ago (136800 seconds)
+rollover_predecessor_keytimes -136800
+# - And retired 35 hours ago (126000 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -133200
+set_addkeytime "KEY1" "RETIRED" "${created}" -126000
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
 
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -133200
+set_addkeytime "KEY2" "RETIRED" "${created}" -126000
 retired=$(key_get KEY2 RETIRED)
 set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
 
 # The new keys are published 40 hours ago.
 created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000
-set_addkeytime "KEY3" "ACTIVE" "${created}" -144000
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
+set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
 published=$(key_get KEY3 PUBLISHED)
 set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
 
 created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000
-set_addkeytime "KEY4" "ACTIVE" "${created}" -144000
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
+set_addkeytime "KEY4" "ACTIVE" "${created}" -136800
 
 # Continue signing policy checks.
 check_keytimes
@@ -4898,12 +4895,12 @@ check_subdomain
 dnssec_verify
 
 # Next key event is when the RSASHA1 signatures become HIDDEN.  This happens
-# after the max-zone-ttl plus zone propagation delay plus retire safety
-# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
-# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
+# after the max-zone-ttl plus zone propagation delay (6h + 1h)
+# minus the time already passed since the UNRETENTIVE state has
+# been reached (2h): 7h - 2h = 5h = 18000 seconds. Prevent intermittent
 # false positives on slow platforms by subtracting the number of seconds
 # which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((25200 - time_passed))
+next_time=$((18000 - time_passed))
 check_next_key_event $next_time
 
 #
@@ -4921,29 +4918,29 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # Set expected key times:
-# - The old keys were activated 47 hours ago (169200 seconds)
-rollover_predecessor_keytimes -169200
-# - And retired 44 hours ago (158400 seconds).
+# - The old keys were activated 45 hours ago (162000 seconds)
+rollover_predecessor_keytimes -162000
+# - And retired 42 hours ago (151200 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -158400
+set_addkeytime "KEY1" "RETIRED" "${created}" -151200
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
 
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -158400
+set_addkeytime "KEY2" "RETIRED" "${created}" -151200
 retired=$(key_get KEY2 RETIRED)
 set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
 
 # The new keys are published 47 hours ago.
 created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200
-set_addkeytime "KEY3" "ACTIVE" "${created}" -169200
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -162000
+set_addkeytime "KEY3" "ACTIVE" "${created}" -162000
 published=$(key_get KEY3 PUBLISHED)
 set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
 
 created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200
-set_addkeytime "KEY4" "ACTIVE" "${created}" -169200
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -162000
+set_addkeytime "KEY4" "ACTIVE" "${created}" -162000
 
 # Continue signing policy checks.
 check_keytimes
@@ -5026,9 +5023,8 @@ set_keytime "KEY2" "ACTIVE" "${created}"
 # - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
 #   TTLsig:         6h (39600 seconds)
 #   Dprp:           1h (3600 seconds)
-#   publish-safety: 1h (3600 seconds)
-#   Ipub:           8h (28800 seconds)
-Ipub=28800
+#   Ipub:           7h (25200 seconds)
+Ipub=25200
 set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
 
 # Continue signing policy checks.
@@ -5082,14 +5078,13 @@ check_apex
 check_subdomain
 dnssec_verify
 
-# Next key event is when all zone signatures are signed with the new
-# algorithm.  This is the max-zone-ttl plus zone propagation delay
-# plus retire safety: 6h + 1h + 2h.  But three hours have already passed
-# (the time it took to make the DNSKEY omnipresent), so the next event
-# should be scheduled in 6 hour: 21600 seconds.  Prevent intermittent
-# false positives on slow platforms by subtracting the number of seconds
-# which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((21600 - time_passed))
+# Next key event is when all zone signatures are signed with the new algorithm.
+# This is the max-zone-ttl plus zone propagation delay: 6h + 1h.  But three
+# hours have already passed (the time it took to make the DNSKEY omnipresent),
+# so the next event should be scheduled in 4 hour: 14400 seconds.  Prevent
+# intermittent false positives on slow platforms by subtracting the number of
+# seconds which passed between key creation and invoking 'rndc reconfig'.
+next_time=$((14400 - time_passed))
 check_next_key_event $next_time
 
 #
@@ -5114,17 +5109,17 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 check_cdslog "$DIR" "$ZONE" KEY2
 
 # Set expected key times:
-# - The old key was activated 9 hours ago (32400 seconds).
-csk_rollover_predecessor_keytimes -32400
-# - And was retired 6 hours ago (21600 seconds).
+# - The old key was activated 7 hours ago (25200 seconds).
+csk_rollover_predecessor_keytimes -25200
+# - And was retired 3 hours ago (10800 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -21600
+set_addkeytime "KEY1" "RETIRED" "${created}" -10800
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
 # - The new key was published 9 hours ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400
-set_addkeytime "KEY2" "ACTIVE" "${created}" -32400
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -25200
+set_addkeytime "KEY2" "ACTIVE" "${created}" -25200
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
 
@@ -5138,9 +5133,9 @@ dnssec_verify
 rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
 rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
 # Next key event is when the DS becomes OMNIPRESENT. This happens after the
-# parent propagation delay, retire safety delay, and DS TTL:
-# 1h + 2h + 2h = 5h = 18000 seconds.
-check_next_key_event 18000
+# parent propagation delay, and DS TTL:
+# 1h + 2h = 3h = 10800 seconds.
+check_next_key_event 10800
 
 #
 # Zone: step4.csk-algorithm-roll.kasp
@@ -5164,17 +5159,17 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # Set expected key times:
-# - The old key was activated 38 hours ago (136800 seconds)
-csk_rollover_predecessor_keytimes -136800
-# - And retired 35 hours ago (126000 seconds).
+# - The old keys were activated 36 hours ago (129600 seconds).
+csk_rollover_predecessor_keytimes -129600
+# - And retired 33 hours ago (118800 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -126000
+set_addkeytime "KEY1" "RETIRED" "${created}" -118800
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
-# - The new key was published 38 hours ago.
+# - The new key was published 36 hours ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY2" "ACTIVE" "${created}" -136800
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -129600
+set_addkeytime "KEY2" "ACTIVE" "${created}" -129600
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
 
@@ -5204,17 +5199,17 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # Set expected key times:
-# - The old key was activated 40 hours ago (144000 seconds)
-csk_rollover_predecessor_keytimes -144000
-# - And retired 37 hours ago (133200 seconds).
+# - The old key was activated 38 hours ago (136800 seconds)
+csk_rollover_predecessor_keytimes -136800
+# - And retired 35 hours ago (126000 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -133200
+set_addkeytime "KEY1" "RETIRED" "${created}" -126000
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
-# - The new key was published 40 hours ago.
+# - The new key was published 38 hours ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000
-set_addkeytime "KEY2" "ACTIVE" "${created}" -144000
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800
+set_addkeytime "KEY2" "ACTIVE" "${created}" -136800
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
 
@@ -5225,12 +5220,12 @@ check_subdomain
 dnssec_verify
 
 # Next key event is when the RSASHA1 signatures become HIDDEN.  This happens
-# after the max-zone-ttl plus zone propagation delay plus retire safety
-# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
-# been reached (2h): 9h - 2h = 7h = 25200 seconds.  Prevent intermittent
-# false positives on slow platforms by subtracting the number of seconds
-# which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((25200 - time_passed))
+# after the max-zone-ttl plus zone propagation delay (6h + 1h) minus the
+# time already passed since the UNRETENTIVE state has been reached (2h):
+# 7h - 2h = 5h = 18000 seconds.  Prevent intermittent false positives on slow
+# platforms by subtracting the number of seconds which passed between key
+# creation and invoking 'rndc reconfig'.
+next_time=$((18000 - time_passed))
 check_next_key_event $next_time
 
 #
@@ -5248,17 +5243,17 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # Set expected key times:
-# - The old keys were activated 47 hours ago (169200 seconds)
-csk_rollover_predecessor_keytimes -169200
-# - And retired 44 hours ago (158400 seconds).
+# - The old keys were activated 45 hours ago (162000 seconds)
+csk_rollover_predecessor_keytimes -162000
+# - And retired 42 hours ago (151200 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -158400
+set_addkeytime "KEY1" "RETIRED" "${created}" -151200
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
 # - The new key was published 47 hours ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200
-set_addkeytime "KEY2" "ACTIVE" "${created}" -169200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -162000
+set_addkeytime "KEY2" "ACTIVE" "${created}" -162000
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
 
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 6b56d5da8f..c07046a9a8 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -189,8 +189,7 @@ dns_keymgr_settime_syncpublish(dst_key_t *key, dns_kasp_t *kasp, bool first) {
 		isc_stdtime_t zrrsig_present;
 		dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
 		zrrsig_present = published + ttlsig +
-				 dns_kasp_zonepropagationdelay(kasp) +
-				 dns_kasp_publishsafety(kasp);
+				 dns_kasp_zonepropagationdelay(kasp);
 		if (zrrsig_present > syncpublish) {
 			syncpublish = zrrsig_present;
 		}
@@ -272,7 +271,6 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 				dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp,
 								       true);
 				syncpub2 = pub + ttlsig +
-					   dns_kasp_publishsafety(kasp) +
 					   dns_kasp_zonepropagationdelay(kasp);
 			}
 
@@ -1286,6 +1284,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 	isc_result_t ret;
 	isc_stdtime_t lastchange, dstime, nexttime = now;
 	dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
+	uint32_t dsstate;
 
 	/*
 	 * No need to wait if we move things into an uncertain state.
@@ -1355,15 +1354,12 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 			 * records.  This translates to:
 			 *
 			 *     Dsgn + zone-propagation-delay + max-zone-ttl.
-			 *
-			 * We will also add the retire-safety interval.
 			 */
 			nexttime = lastchange + ttlsig +
-				   dns_kasp_zonepropagationdelay(kasp) +
-				   dns_kasp_retiresafety(kasp);
+				   dns_kasp_zonepropagationdelay(kasp);
 			/*
-			 * Only add the sign delay Dsgn if there is an actual
-			 * predecessor or successor key.
+			 * Only add the sign delay Dsgn and retire-safety if
+			 * there is an actual predecessor or successor key.
 			 */
 			uint32_t tag;
 			ret = dst_key_getnum(key->key, DST_NUM_PREDECESSOR,
@@ -1373,7 +1369,8 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 						     DST_NUM_SUCCESSOR, &tag);
 			}
 			if (ret == ISC_R_SUCCESS) {
-				nexttime += dns_kasp_signdelay(kasp);
+				nexttime += dns_kasp_signdelay(kasp) +
+					    dns_kasp_retiresafety(kasp);
 			}
 			break;
 		default:
@@ -1399,35 +1396,36 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 		 * This translates to:
 		 *
 		 *      parent-propagation-delay + parent-ds-ttl.
-		 *
-		 * We will also add the retire-safety interval.
 		 */
 		case OMNIPRESENT:
-			/* Make sure DS has been seen in the parent. */
-			ret = dst_key_gettime(key->key, DST_TIME_DSPUBLISH,
-					      &dstime);
-			if (ret != ISC_R_SUCCESS || dstime > now) {
-				/* Not yet, try again in an hour. */
-				nexttime = now + 3600;
-			} else {
-				nexttime =
-					dstime + dns_kasp_dsttl(kasp) +
-					dns_kasp_parentpropagationdelay(kasp) +
-					dns_kasp_retiresafety(kasp);
-			}
-			break;
 		case HIDDEN:
-			/* Make sure DS has been withdrawn from the parent. */
-			ret = dst_key_gettime(key->key, DST_TIME_DSDELETE,
-					      &dstime);
+			/* Make sure DS has been seen in/withdrawn from the
+			 * parent. */
+			dsstate = next_state == HIDDEN ? DST_TIME_DSDELETE
+						       : DST_TIME_DSPUBLISH;
+			ret = dst_key_gettime(key->key, dsstate, &dstime);
 			if (ret != ISC_R_SUCCESS || dstime > now) {
 				/* Not yet, try again in an hour. */
 				nexttime = now + 3600;
 			} else {
 				nexttime =
 					dstime + dns_kasp_dsttl(kasp) +
-					dns_kasp_parentpropagationdelay(kasp) +
-					dns_kasp_retiresafety(kasp);
+					dns_kasp_parentpropagationdelay(kasp);
+				/*
+				 * Only add the retire-safety if there is an
+				 * actual predecessor or successor key.
+				 */
+				uint32_t tag;
+				ret = dst_key_getnum(key->key,
+						     DST_NUM_PREDECESSOR, &tag);
+				if (ret != ISC_R_SUCCESS) {
+					ret = dst_key_getnum(key->key,
+							     DST_NUM_SUCCESSOR,
+							     &tag);
+				}
+				if (ret == ISC_R_SUCCESS) {
+					nexttime += dns_kasp_retiresafety(kasp);
+				}
 			}
 			break;
 		default: