From 63edc4435f8ddefbbabbf9731f2b44d59d68c40b Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Mon, 3 Mar 2025 12:07:03 +0100
Subject: [PATCH] Fix wrong usage of safety intervals in keymgr

There are a couple of cases where the safety intervals are added
inappropriately:

1. When setting the PublishCDS/SyncPublish timing metadata, we don't
   need to add the publish-safety value if we are calculating the time
   when the zone is completely signed for the first time. This value
   is for when the DNSKEY has been published and we add a safety
   interval before considering the DNSKEY omnipresent.

2. The retire-safety value should only be added to ZSK rollovers if
   there is an actual rollover happening, similar to adding the sign
   delay.

3. The retire-safety value should only be added to KSK rollovers if
   there is an actual rollover happening. We consider the new DS
   omnipresent a bit later, so that we are forced to keep the old DS
   a bit longer.
---
 bin/tests/system/kasp/ns3/setup.sh |  11 +-
 bin/tests/system/kasp/ns6/setup.sh |  82 +++++-----
 bin/tests/system/kasp/tests.sh     | 245 ++++++++++++++---------------
 lib/dns/keymgr.c                   |  58 ++++---
 4 files changed, 194 insertions(+), 202 deletions(-)

diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 85a88f5856..bd7ee71ded 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -350,10 +350,9 @@ setup step2.enable-dnssec.autosign
 TpubN="now-900s"
 # RRSIG TTL:              12 hour (43200 seconds)
 # zone-propagation-delay: 5 minutes (300 seconds)
-# retire-safety:          20 minutes (1200 seconds)
 # Already passed time:    -900 seconds
-# Total:                  43800 seconds
-TsbmN="now+43800s"
+# Total:                  42600 seconds
+TsbmN="now+42600s"
 keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
 CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1)
 $SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
@@ -365,10 +364,10 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $i
 # Step 3:
 # The zone signatures have been published long enough to become OMNIPRESENT.
 setup step3.enable-dnssec.autosign
-# Passed time since publications: 43800 + 900 = 44700 seconds.
-TpubN="now-44700s"
+# Passed time since publications: 42600 + 900 = 43500 seconds.
+TpubN="now-43500s"
 # The key is secure for using in chain of trust when the DNSKEY is OMNIPRESENT.
-TcotN="now-43800s"
+TcotN="now-42600s"
 # We can submit the DS now.
 TsbmN="now"
 keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh
index 312a70518b..fcdabad355 100644
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
@@ -127,9 +127,9 @@ setup step2.algorithm-roll.kasp
 # The time passed since the new algorithm keys have been introduced is 3 hours.
 TactN="now-3h"
 TpubN1="now-3h"
-# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety =
-# now - 3h + 6h + 1h + 1h = now + 5h
-TsbmN1="now+5h"
+# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp =
+# now - 3h + 6h + 1h = now + 4h
+TsbmN1="now+4h"
 ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I now"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I now"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@@ -156,11 +156,11 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
 # Step 3:
 # The zone signatures are also OMNIPRESENT.
 setup step3.algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 9 hours.
-TactN="now-9h"
-TretN="now-6h"
-TpubN1="now-9h"
-TsbmN1="now-1h"
+# The time passed since the new algorithm keys have been introduced is 7 hours.
+TactN="now-7h"
+TretN="now-3h"
+TpubN1="now-7h"
+TsbmN1="now"
 ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@@ -188,11 +188,11 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
 # The DS is swapped and can become OMNIPRESENT.
 setup step4.algorithm-roll.kasp
 # The time passed since the DS has been swapped is 29 hours.
-TactN="now-38h"
-TretN="now-35h"
-TpubN1="now-38h"
-TsbmN1="now-30h"
-TactN1="now-29h"
+TactN="now-36h"
+TretN="now-33h"
+TpubN1="now-36h"
+TsbmN1="now-29h"
+TactN1="now-27h"
 ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@@ -220,12 +220,12 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
 # The DNSKEY is removed long enough to be HIDDEN.
 setup step5.algorithm-roll.kasp
 # The time passed since the DNSKEY has been removed is 2 hours.
-TactN="now-40h"
-TretN="now-37h"
+TactN="now-38h"
+TretN="now-35h"
 TremN="now-2h"
-TpubN1="now-40h"
-TsbmN1="now-32h"
-TactN1="now-31h"
+TpubN1="now-38h"
+TsbmN1="now-31h"
+TactN1="now-29h"
 ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@@ -253,13 +253,13 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
 # The RRSIGs have been removed long enough to be HIDDEN.
 setup step6.algorithm-roll.kasp
 # Additional time passed: 7h.
-TactN="now-47h"
-TretN="now-44h"
+TactN="now-45h"
+TretN="now-42h"
 TremN="now-7h"
-TpubN1="now-47h"
-TsbmN1="now-39h"
-TactN1="now-38h"
-TdeaN="now-9h"
+TpubN1="now-45h"
+TsbmN1="now-38h"
+TactN1="now-36h"
+TdeaN="now-7h"
 ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@@ -324,11 +324,11 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
 # Step 3:
 # The zone signatures are also OMNIPRESENT.
 setup step3.csk-algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 9 hours.
-TactN="now-9h"
-TretN="now-6h"
-TpubN1="now-9h"
-TactN1="now-6h"
+# The time passed since the new algorithm keys have been introduced is 7 hours.
+TactN="now-7h"
+TretN="now-3h"
+TpubN1="now-7h"
+TactN1="now-3h"
 csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
 newtimes="-P ${TpubN1} -A ${TpubN1}"
 CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
@@ -347,10 +347,10 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
 # The DS is swapped and can become OMNIPRESENT.
 setup step4.csk-algorithm-roll.kasp
 # The time passed since the DS has been swapped is 29 hours.
-TactN="now-38h"
-TretN="now-35h"
-TpubN1="now-38h"
-TactN1="now-35h"
+TactN="now-36h"
+TretN="now-33h"
+TpubN1="now-36h"
+TactN1="now-33h"
 TsubN1="now-29h"
 csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
 newtimes="-P ${TpubN1} -A ${TpubN1}"
@@ -370,11 +370,11 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
 # The DNSKEY is removed long enough to be HIDDEN.
 setup step5.csk-algorithm-roll.kasp
 # The time passed since the DNSKEY has been removed is 2 hours.
-TactN="now-40h"
-TretN="now-37h"
+TactN="now-38h"
+TretN="now-35h"
 TremN="now-2h"
-TpubN1="now-40h"
-TactN1="now-37h"
+TpubN1="now-38h"
+TactN1="now-35h"
 TsubN1="now-31h"
 csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
 newtimes="-P ${TpubN1} -A ${TpubN1}"
@@ -394,12 +394,12 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
 # The RRSIGs have been removed long enough to be HIDDEN.
 setup step6.csk-algorithm-roll.kasp
 # Additional time passed: 7h.
-TactN="now-47h"
-TretN="now-44h"
+TactN="now-45h"
+TretN="now-42h"
 TdeaN="now-9h"
 TremN="now-7h"
-TpubN1="now-47h"
-TactN1="now-44h"
+TpubN1="now-45h"
+TactN1="now-42h"
 TsubN1="now-38h"
 csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
 newtimes="-P ${TpubN1} -A ${TpubN1}"
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 2215666bb3..fa64c69f58 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -275,9 +275,8 @@ set_keytimes_csk_policy() {
   set_keytime "KEY1" "ACTIVE" "${created}"
   # The DS can be published if the DNSKEY and RRSIG records are
   # OMNIPRESENT.  This happens after max-zone-ttl (1d) plus
-  # publish-safety (1h) plus zone-propagation-delay (300s) =
-  # 86400 + 3600 + 300 = 90300.
-  set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300
+  # zone-propagation-delay (300s) = 86400 + 300 = 86700.
+  set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 86700
   # Key lifetime is unlimited, so not setting RETIRED and REMOVED.
 }
 
@@ -769,9 +768,8 @@ set_keytimes_algorithm_policy() {
 
   # The DS can be published if the DNSKEY and RRSIG records are
   # OMNIPRESENT.  This happens after max-zone-ttl (1d) plus
-  # publish-safety (1h) plus zone-propagation-delay (300s) =
-  # 86400 + 3600 + 300 = 90300.
-  set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
+  # zone-propagation-delay (300s) = 86400 + 300 = 86700.
+  set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 86700
   # Key lifetime is 10 years, 315360000 seconds.
   set_addkeytime "KEY1" "RETIRED" "${published}" 315360000
   # The key is removed after the retire time plus DS TTL (1d),
@@ -1720,10 +1718,10 @@ published=$(awk '{print $3}' <published.test${n}.key1)
 set_keytime "KEY1" "PUBLISHED" "${published}"
 set_keytime "KEY1" "ACTIVE" "${published}"
 published=$(key_get KEY1 PUBLISHED)
-# The DS can be published if the DNSKEY and RRSIG records are OMNIPRESENT.
-#  This happens after max-zone-ttl (1d) plus publish-safety (1h) plus
-# zone-propagation-delay (300s) = 86400 + 3600 + 300 = 90300.
-set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
+# The DS can be published if the zone is fully signed.
+# This happens after max-zone-ttl (1d) plus
+# zone-propagation-delay (300s) = 86400 + 300 = 86700.
+set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 86700
 # Key lifetime is 6 months, 315360000 seconds.
 set_addkeytime "KEY1" "RETIRED" "${published}" 16070400
 # The key is removed after the retire time plus DS TTL (1d), parent
@@ -2486,9 +2484,9 @@ set_keytime "KEY1" "PUBLISHED" "${created}"
 set_keytime "KEY1" "ACTIVE" "${created}"
 # - The DS can be published if the DNSKEY and RRSIG records are
 #   OMNIPRESENT.  This happens after max-zone-ttl (12h) plus
-#   publish-safety (5m) plus zone-propagation-delay (5m) =
-#   43200 + 300 + 300 = 43800.
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
+#   plus zone-propagation-delay (5m) =
+#   43200 + 300 = 43500.
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43500
 # - Key lifetime is unlimited, so not setting RETIRED and REMOVED.
 
 # Various signing policy checks.
@@ -2556,7 +2554,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 created=$(key_get KEY1 CREATED)
 set_addkeytime "KEY1" "PUBLISHED" "${created}" -900
 set_addkeytime "KEY1" "ACTIVE" "${created}" -900
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 42600
 
 # Continue signing policy checks.
 check_keytimes
@@ -2566,8 +2564,8 @@ dnssec_verify
 
 # Next key event is when the zone signatures become OMNIPRESENT: max-zone-ttl
 # plus zone propagation delay plus retire safety minus the already elapsed
-# 900 seconds: 12h + 300s + 20m - 900 = 44700 - 900 = 43800 seconds
-check_next_key_event 43800
+# 900 seconds: 12h + 300s + 20m - 900 = 43500 - 900 = 42600 seconds
+check_next_key_event 42600
 
 #
 # Zone: step3.enable-dnssec.autosign.
@@ -2584,10 +2582,10 @@ check_keys
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # Set expected key times:
-# - The key was published and activated 44700 seconds ago (with settime).
+# - The key was published and activated 43500 seconds ago (with settime).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700
-set_addkeytime "KEY1" "ACTIVE" "${created}" -44700
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -43500
+set_addkeytime "KEY1" "ACTIVE" "${created}" -43500
 set_keytime "KEY1" "SYNCPUBLISH" "${created}"
 
 # Continue signing policy checks.
@@ -2603,8 +2601,8 @@ check_cdslog "$DIR" "$ZONE" KEY1
 rndc_checkds "$SERVER" "$DIR" KEY1 "now" "published" "$ZONE"
 # Next key event is when the DS can move to the OMNIPRESENT state.  This occurs
 # when the parent propagation delay have passed, plus the DS TTL and retire
-# safety delay:  1h + 2h + 20m = 3h20m = 12000 seconds
-check_next_key_event 12000
+# safety delay:  1h + 2h = 3h = 10800 seconds
+check_next_key_event 10800
 
 #
 # Zone: step4.enable-dnssec.autosign.
@@ -4388,9 +4386,9 @@ check_subdomain
 dnssec_verify
 
 # Next key event is when the DS becomes HIDDEN. This happens after the
-# parent propagation delay, retire safety delay, and DS TTL:
-# 1h + 1h + 1d = 26h = 93600 seconds.
-check_next_key_event 93600
+# parent propagation delay, and DS TTL:
+# 1h + 1d = 25h = 90000 seconds.
+check_next_key_event 90000
 
 #
 # Zone: step2.going-insecure.kasp
@@ -4456,8 +4454,8 @@ dnssec_verify
 
 # Next key event is when the DS becomes HIDDEN. This happens after the
 # parent propagation delay, retire safety delay, and DS TTL:
-# 1h + 1h + 1d = 26h = 93600 seconds.
-check_next_key_event 93600
+# 1h + 1d = 25h = 90000 seconds.
+check_next_key_event 90000
 
 #
 # Zone: step2.going-insecure-dynamic.kasp
@@ -4651,12 +4649,11 @@ set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
 created=$(key_get KEY3 CREATED)
 set_keytime "KEY3" "PUBLISHED" "${created}"
 set_keytime "KEY3" "ACTIVE" "${created}"
-# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
+# - It takes TTLsig + Dprp to propagate the zone.
 #   TTLsig:         6h (39600 seconds)
 #   Dprp:           1h (3600 seconds)
-#   publish-safety: 1h (3600 seconds)
-#   Ipub:           8h (28800 seconds)
-Ipub=28800
+#   Ipub:           7h (25200 seconds)
+Ipub=25200
 set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
 # - The new ZSK is published and activated.
 created=$(key_get KEY4 CREATED)
@@ -4725,12 +4722,12 @@ dnssec_verify
 
 # Next key event is when all zone signatures are signed with the new
 # algorithm.  This is the max-zone-ttl plus zone propagation delay
-# plus retire safety: 6h + 1h + 2h.  But three hours have already passed
-# (the time it took to make the DNSKEY omnipresent), so the next event
-# should be scheduled in 6 hour: 21600 seconds.  Prevent intermittent
+# 6h + 1h.  But three hours have already passed (the time it took to
+# make the DNSKEY omnipresent), so the next event should be scheduled
+# in 4 hour: 14400 seconds.  Prevent intermittent
 # false positives on slow platforms by subtracting the number of seconds
 # which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((21600 - time_passed))
+next_time=$((14400 - time_passed))
 check_next_key_event $next_time
 
 #
@@ -4753,28 +4750,28 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 check_cdslog "$DIR" "$ZONE" KEY3
 
 # Set expected key times:
-# - The old keys were activated 9 hours ago (32400 seconds).
-rollover_predecessor_keytimes -32400
-# - And retired 6 hours ago (21600 seconds).
+# - The old keys were activated 7 hours ago (25200 seconds).
+rollover_predecessor_keytimes -25200
+# - And retired 3 hours ago (10800 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -21600
+set_addkeytime "KEY1" "RETIRED" "${created}" -10800
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
 
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -21600
+set_addkeytime "KEY2" "RETIRED" "${created}" -10800
 retired=$(key_get KEY2 RETIRED)
 set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
-# - The new keys are published 9 hours ago.
+# - The new keys are published 7 hours ago.
 created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400
-set_addkeytime "KEY3" "ACTIVE" "${created}" -32400
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -25200
+set_addkeytime "KEY3" "ACTIVE" "${created}" -25200
 published=$(key_get KEY3 PUBLISHED)
 set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
 
 created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400
-set_addkeytime "KEY4" "ACTIVE" "${created}" -32400
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -25200
+set_addkeytime "KEY4" "ACTIVE" "${created}" -25200
 
 # Continue signing policy checks.
 check_keytimes
@@ -4787,9 +4784,9 @@ dnssec_verify
 rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
 rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
 # Next key event is when the DS becomes OMNIPRESENT. This happens after the
-# parent propagation delay, retire safety delay, and DS TTL:
-# 1h + 2h + 2h = 5h = 18000 seconds.
-check_next_key_event 18000
+# parent propagation delay, and DS TTL:
+# 1h + 2h = 3h = 10800 seconds.
+check_next_key_event 10800
 
 #
 # Zone: step4.algorithm-roll.kasp
@@ -4816,29 +4813,29 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # Set expected key times:
-# - The old keys were activated 38 hours ago (136800 seconds).
-rollover_predecessor_keytimes -136800
-# - And retired 35 hours ago (126000 seconds).
+# - The old keys were activated 36 hours ago (129600 seconds).
+rollover_predecessor_keytimes -129600
+# - And retired 33 hours ago (118800 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -126000
+set_addkeytime "KEY1" "RETIRED" "${created}" -118800
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
 
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -126000
+set_addkeytime "KEY2" "RETIRED" "${created}" -118800
 retired=$(key_get KEY2 RETIRED)
 set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
 
-# - The new keys are published 38 hours ago.
+# - The new keys are published 36 hours ago.
 created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -129600
+set_addkeytime "KEY3" "ACTIVE" "${created}" -129600
 published=$(key_get KEY3 PUBLISHED)
 set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
 
 created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY4" "ACTIVE" "${created}" -136800
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -129600
+set_addkeytime "KEY4" "ACTIVE" "${created}" -129600
 
 # Continue signing policy checks.
 check_keytimes
@@ -4867,29 +4864,29 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # Set expected key times:
-# - The old keys were activated 40 hours ago (144000 seconds)
-rollover_predecessor_keytimes -144000
-# - And retired 37 hours ago (133200 seconds).
+# - The old keys were activated 38 hours ago (136800 seconds)
+rollover_predecessor_keytimes -136800
+# - And retired 35 hours ago (126000 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -133200
+set_addkeytime "KEY1" "RETIRED" "${created}" -126000
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
 
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -133200
+set_addkeytime "KEY2" "RETIRED" "${created}" -126000
 retired=$(key_get KEY2 RETIRED)
 set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
 
 # The new keys are published 40 hours ago.
 created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000
-set_addkeytime "KEY3" "ACTIVE" "${created}" -144000
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
+set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
 published=$(key_get KEY3 PUBLISHED)
 set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
 
 created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000
-set_addkeytime "KEY4" "ACTIVE" "${created}" -144000
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
+set_addkeytime "KEY4" "ACTIVE" "${created}" -136800
 
 # Continue signing policy checks.
 check_keytimes
@@ -4898,12 +4895,12 @@ check_subdomain
 dnssec_verify
 
 # Next key event is when the RSASHA1 signatures become HIDDEN.  This happens
-# after the max-zone-ttl plus zone propagation delay plus retire safety
-# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
-# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
+# after the max-zone-ttl plus zone propagation delay (6h + 1h)
+# minus the time already passed since the UNRETENTIVE state has
+# been reached (2h): 7h - 2h = 5h = 18000 seconds. Prevent intermittent
 # false positives on slow platforms by subtracting the number of seconds
 # which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((25200 - time_passed))
+next_time=$((18000 - time_passed))
 check_next_key_event $next_time
 
 #
@@ -4921,29 +4918,29 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # Set expected key times:
-# - The old keys were activated 47 hours ago (169200 seconds)
-rollover_predecessor_keytimes -169200
-# - And retired 44 hours ago (158400 seconds).
+# - The old keys were activated 45 hours ago (162000 seconds)
+rollover_predecessor_keytimes -162000
+# - And retired 42 hours ago (151200 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -158400
+set_addkeytime "KEY1" "RETIRED" "${created}" -151200
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
 
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -158400
+set_addkeytime "KEY2" "RETIRED" "${created}" -151200
 retired=$(key_get KEY2 RETIRED)
 set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
 
 # The new keys are published 47 hours ago.
 created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200
-set_addkeytime "KEY3" "ACTIVE" "${created}" -169200
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -162000
+set_addkeytime "KEY3" "ACTIVE" "${created}" -162000
 published=$(key_get KEY3 PUBLISHED)
 set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
 
 created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200
-set_addkeytime "KEY4" "ACTIVE" "${created}" -169200
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -162000
+set_addkeytime "KEY4" "ACTIVE" "${created}" -162000
 
 # Continue signing policy checks.
 check_keytimes
@@ -5026,9 +5023,8 @@ set_keytime "KEY2" "ACTIVE" "${created}"
 # - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
 #   TTLsig:         6h (39600 seconds)
 #   Dprp:           1h (3600 seconds)
-#   publish-safety: 1h (3600 seconds)
-#   Ipub:           8h (28800 seconds)
-Ipub=28800
+#   Ipub:           7h (25200 seconds)
+Ipub=25200
 set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
 
 # Continue signing policy checks.
@@ -5082,14 +5078,13 @@ check_apex
 check_subdomain
 dnssec_verify
 
-# Next key event is when all zone signatures are signed with the new
-# algorithm.  This is the max-zone-ttl plus zone propagation delay
-# plus retire safety: 6h + 1h + 2h.  But three hours have already passed
-# (the time it took to make the DNSKEY omnipresent), so the next event
-# should be scheduled in 6 hour: 21600 seconds.  Prevent intermittent
-# false positives on slow platforms by subtracting the number of seconds
-# which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((21600 - time_passed))
+# Next key event is when all zone signatures are signed with the new algorithm.
+# This is the max-zone-ttl plus zone propagation delay: 6h + 1h.  But three
+# hours have already passed (the time it took to make the DNSKEY omnipresent),
+# so the next event should be scheduled in 4 hour: 14400 seconds.  Prevent
+# intermittent false positives on slow platforms by subtracting the number of
+# seconds which passed between key creation and invoking 'rndc reconfig'.
+next_time=$((14400 - time_passed))
 check_next_key_event $next_time
 
 #
@@ -5114,17 +5109,17 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 check_cdslog "$DIR" "$ZONE" KEY2
 
 # Set expected key times:
-# - The old key was activated 9 hours ago (32400 seconds).
-csk_rollover_predecessor_keytimes -32400
-# - And was retired 6 hours ago (21600 seconds).
+# - The old key was activated 7 hours ago (25200 seconds).
+csk_rollover_predecessor_keytimes -25200
+# - And was retired 3 hours ago (10800 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -21600
+set_addkeytime "KEY1" "RETIRED" "${created}" -10800
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
 # - The new key was published 9 hours ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400
-set_addkeytime "KEY2" "ACTIVE" "${created}" -32400
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -25200
+set_addkeytime "KEY2" "ACTIVE" "${created}" -25200
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
 
@@ -5138,9 +5133,9 @@ dnssec_verify
 rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
 rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
 # Next key event is when the DS becomes OMNIPRESENT. This happens after the
-# parent propagation delay, retire safety delay, and DS TTL:
-# 1h + 2h + 2h = 5h = 18000 seconds.
-check_next_key_event 18000
+# parent propagation delay, and DS TTL:
+# 1h + 2h = 3h = 10800 seconds.
+check_next_key_event 10800
 
 #
 # Zone: step4.csk-algorithm-roll.kasp
@@ -5164,17 +5159,17 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # Set expected key times:
-# - The old key was activated 38 hours ago (136800 seconds)
-csk_rollover_predecessor_keytimes -136800
-# - And retired 35 hours ago (126000 seconds).
+# - The old keys were activated 36 hours ago (129600 seconds).
+csk_rollover_predecessor_keytimes -129600
+# - And retired 33 hours ago (118800 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -126000
+set_addkeytime "KEY1" "RETIRED" "${created}" -118800
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
-# - The new key was published 38 hours ago.
+# - The new key was published 36 hours ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY2" "ACTIVE" "${created}" -136800
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -129600
+set_addkeytime "KEY2" "ACTIVE" "${created}" -129600
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
 
@@ -5204,17 +5199,17 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # Set expected key times:
-# - The old key was activated 40 hours ago (144000 seconds)
-csk_rollover_predecessor_keytimes -144000
-# - And retired 37 hours ago (133200 seconds).
+# - The old key was activated 38 hours ago (136800 seconds)
+csk_rollover_predecessor_keytimes -136800
+# - And retired 35 hours ago (126000 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -133200
+set_addkeytime "KEY1" "RETIRED" "${created}" -126000
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
-# - The new key was published 40 hours ago.
+# - The new key was published 38 hours ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000
-set_addkeytime "KEY2" "ACTIVE" "${created}" -144000
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800
+set_addkeytime "KEY2" "ACTIVE" "${created}" -136800
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
 
@@ -5225,12 +5220,12 @@ check_subdomain
 dnssec_verify
 
 # Next key event is when the RSASHA1 signatures become HIDDEN.  This happens
-# after the max-zone-ttl plus zone propagation delay plus retire safety
-# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
-# been reached (2h): 9h - 2h = 7h = 25200 seconds.  Prevent intermittent
-# false positives on slow platforms by subtracting the number of seconds
-# which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((25200 - time_passed))
+# after the max-zone-ttl plus zone propagation delay (6h + 1h) minus the
+# time already passed since the UNRETENTIVE state has been reached (2h):
+# 7h - 2h = 5h = 18000 seconds.  Prevent intermittent false positives on slow
+# platforms by subtracting the number of seconds which passed between key
+# creation and invoking 'rndc reconfig'.
+next_time=$((18000 - time_passed))
 check_next_key_event $next_time
 
 #
@@ -5248,17 +5243,17 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # Set expected key times:
-# - The old keys were activated 47 hours ago (169200 seconds)
-csk_rollover_predecessor_keytimes -169200
-# - And retired 44 hours ago (158400 seconds).
+# - The old keys were activated 45 hours ago (162000 seconds)
+csk_rollover_predecessor_keytimes -162000
+# - And retired 42 hours ago (151200 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -158400
+set_addkeytime "KEY1" "RETIRED" "${created}" -151200
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
 # - The new key was published 47 hours ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200
-set_addkeytime "KEY2" "ACTIVE" "${created}" -169200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -162000
+set_addkeytime "KEY2" "ACTIVE" "${created}" -162000
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
 
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 6b56d5da8f..c07046a9a8 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -189,8 +189,7 @@ dns_keymgr_settime_syncpublish(dst_key_t *key, dns_kasp_t *kasp, bool first) {
 		isc_stdtime_t zrrsig_present;
 		dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
 		zrrsig_present = published + ttlsig +
-				 dns_kasp_zonepropagationdelay(kasp) +
-				 dns_kasp_publishsafety(kasp);
+				 dns_kasp_zonepropagationdelay(kasp);
 		if (zrrsig_present > syncpublish) {
 			syncpublish = zrrsig_present;
 		}
@@ -272,7 +271,6 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 				dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp,
 								       true);
 				syncpub2 = pub + ttlsig +
-					   dns_kasp_publishsafety(kasp) +
 					   dns_kasp_zonepropagationdelay(kasp);
 			}
 
@@ -1286,6 +1284,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 	isc_result_t ret;
 	isc_stdtime_t lastchange, dstime, nexttime = now;
 	dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
+	uint32_t dsstate;
 
 	/*
 	 * No need to wait if we move things into an uncertain state.
@@ -1355,15 +1354,12 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 			 * records.  This translates to:
 			 *
 			 *     Dsgn + zone-propagation-delay + max-zone-ttl.
-			 *
-			 * We will also add the retire-safety interval.
 			 */
 			nexttime = lastchange + ttlsig +
-				   dns_kasp_zonepropagationdelay(kasp) +
-				   dns_kasp_retiresafety(kasp);
+				   dns_kasp_zonepropagationdelay(kasp);
 			/*
-			 * Only add the sign delay Dsgn if there is an actual
-			 * predecessor or successor key.
+			 * Only add the sign delay Dsgn and retire-safety if
+			 * there is an actual predecessor or successor key.
 			 */
 			uint32_t tag;
 			ret = dst_key_getnum(key->key, DST_NUM_PREDECESSOR,
@@ -1373,7 +1369,8 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 						     DST_NUM_SUCCESSOR, &tag);
 			}
 			if (ret == ISC_R_SUCCESS) {
-				nexttime += dns_kasp_signdelay(kasp);
+				nexttime += dns_kasp_signdelay(kasp) +
+					    dns_kasp_retiresafety(kasp);
 			}
 			break;
 		default:
@@ -1399,35 +1396,36 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 		 * This translates to:
 		 *
 		 *      parent-propagation-delay + parent-ds-ttl.
-		 *
-		 * We will also add the retire-safety interval.
 		 */
 		case OMNIPRESENT:
-			/* Make sure DS has been seen in the parent. */
-			ret = dst_key_gettime(key->key, DST_TIME_DSPUBLISH,
-					      &dstime);
-			if (ret != ISC_R_SUCCESS || dstime > now) {
-				/* Not yet, try again in an hour. */
-				nexttime = now + 3600;
-			} else {
-				nexttime =
-					dstime + dns_kasp_dsttl(kasp) +
-					dns_kasp_parentpropagationdelay(kasp) +
-					dns_kasp_retiresafety(kasp);
-			}
-			break;
 		case HIDDEN:
-			/* Make sure DS has been withdrawn from the parent. */
-			ret = dst_key_gettime(key->key, DST_TIME_DSDELETE,
-					      &dstime);
+			/* Make sure DS has been seen in/withdrawn from the
+			 * parent. */
+			dsstate = next_state == HIDDEN ? DST_TIME_DSDELETE
+						       : DST_TIME_DSPUBLISH;
+			ret = dst_key_gettime(key->key, dsstate, &dstime);
 			if (ret != ISC_R_SUCCESS || dstime > now) {
 				/* Not yet, try again in an hour. */
 				nexttime = now + 3600;
 			} else {
 				nexttime =
 					dstime + dns_kasp_dsttl(kasp) +
-					dns_kasp_parentpropagationdelay(kasp) +
-					dns_kasp_retiresafety(kasp);
+					dns_kasp_parentpropagationdelay(kasp);
+				/*
+				 * Only add the retire-safety if there is an
+				 * actual predecessor or successor key.
+				 */
+				uint32_t tag;
+				ret = dst_key_getnum(key->key,
+						     DST_NUM_PREDECESSOR, &tag);
+				if (ret != ISC_R_SUCCESS) {
+					ret = dst_key_getnum(key->key,
+							     DST_NUM_SUCCESSOR,
+							     &tag);
+				}
+				if (ret == ISC_R_SUCCESS) {
+					nexttime += dns_kasp_retiresafety(kasp);
+				}
 			}
 			break;
 		default: