
Merge branch '1843-print-correct-keytiming-metadata' into 'master'

Resolve "kasp: Set correct keytimings"

Closes #1843

See merge request isc-projects/bind9!3534
This commit is contained in:
Matthijs Mekking 2020-06-02 07:56:38 +00:00
commit ab036232f0
8 changed files with 2526 additions and 666 deletions


@ -1,3 +1,6 @@
5422. [bug] When using dnssec-policy, print correct keytiming
metadata. [GL #1843]
5421. [bug] Fixed a race that could cause named to crash when 5421. [bug] Fixed a race that could cause named to crash when
looking up the nodename of an RBT node if the tree looking up the nodename of an RBT node if the tree
was modified. [GL #1857] was modified. [GL #1857]


@ -1223,18 +1223,7 @@ main(int argc, char **argv) {
fatal("-k and -3 cannot be used together"); fatal("-k and -3 cannot be used together");
} }
if (ctx.setpub || ctx.setact || ctx.setrev || ctx.setinact ||
ctx.setdel || ctx.unsetpub || ctx.unsetact ||
ctx.unsetrev || ctx.unsetinact || ctx.unsetdel ||
ctx.setsyncadd || ctx.setsyncdel)
{
fatal("cannot use -k together with "
"-P, -A, -R, -I, or -D options "
"(use dnssec-settime on keys afterwards)");
}
ctx.options |= DST_TYPE_STATE; ctx.options |= DST_TYPE_STATE;
ctx.genonly = true;
if (strcmp(ctx.policy, "default") == 0) { if (strcmp(ctx.policy, "default") == 0) {
ctx.use_nsec3 = false; ctx.use_nsec3 = false;
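Review bot: With the fatal() guard and the `ctx.genonly = true;` line gone from the `-k` path (the hunk header's 18→7 line count indicates these are removals), the timing options -P/-A/-R/-I/-D and the sync variants are now accepted together with a dnssec-policy, but nothing at the remaining line says so. A comment above `ctx.options |= DST_TYPE_STATE;` such as `/* Timing options given on the command line are honoured for policy keys and seed the state metadata. */` would record the new contract, and the usage text and man page should be checked to match, since the old message told operators to use dnssec-settime instead. main() starts and ends outside this hunk, so I cannot tell from here whether the set/unset mutual-exclusion checks for those options still run on this path.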


@ -23,3 +23,5 @@ rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
rm -f ns*/managed-keys.bind rm -f ns*/managed-keys.bind
rm -f ns*/*.mkeys rm -f ns*/*.mkeys
rm -f ns*/zones* ns*/*.db.infile rm -f ns*/zones* ns*/*.db.infile
rm -f *.created published.test* retired.test*
rm -f python.out.*



@ -42,10 +42,10 @@ U="UNRETENTIVE"
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy. # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
setup migrate.kasp setup migrate.kasp
echo "$zone" >> zones echo "$zone" >> zones
KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1) ksktimes="-P now -A now -P sync now"
ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.2) zsktimes="-P now -A now"
$SETTIME -P now -P sync now -A now "$KSK" > settime.out.$zone.1 2>&1 KSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
$SETTIME -P now -A now "$ZSK" > settime.out.$zone.2 2>&1 ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 5 "$KSK" >> "$infile" private_type_record $zone 5 "$KSK" >> "$infile"
private_type_record $zone 5 "$ZSK" >> "$infile" private_type_record $zone 5 "$ZSK" >> "$infile"
@ -57,13 +57,13 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
# ECDSAP256SHA256 keys. # ECDSAP256SHA256 keys.
setup migrate-nomatch-algnum.kasp setup migrate-nomatch-algnum.kasp
echo "$zone" >> zones echo "$zone" >> zones
KSK=$($KEYGEN -a RSASHA1 -b 2048 -f KSK -L 300 $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zone 2> keygen.out.$zone.2)
Tds="now-24h" # Time according to dnssec-policy that DS will be OMNIPRESENT Tds="now-24h" # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h" # Zone's maximum TTL + propagation delay Tsig="now-12h" # Zone's maximum TTL + propagation delay
$SETTIME -P $Tkey -P sync $Tds -A $Tkey "$KSK" > settime.out.$zone.1 2>&1 ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
$SETTIME -P $Tsig -A $Tsig "$ZSK" > settime.out.$zone.2 2>&1 zsktimes="-P ${Tsig} -A ${Tsig}"
KSK=$($KEYGEN -a RSASHA1 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 5 "$KSK" >> "$infile" private_type_record $zone 5 "$KSK" >> "$infile"
private_type_record $zone 5 "$ZSK" >> "$infile" private_type_record $zone 5 "$ZSK" >> "$infile"
@ -75,13 +75,13 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
# dictates 2048 bits RSASHA1 keys. # dictates 2048 bits RSASHA1 keys.
setup migrate-nomatch-alglen.kasp setup migrate-nomatch-alglen.kasp
echo "$zone" >> zones echo "$zone" >> zones
KSK=$($KEYGEN -a RSASHA1 -b 1024 -f KSK -L 300 $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zone 2> keygen.out.$zone.2)
Tds="now-24h" # Time according to dnssec-policy that DS will be OMNIPRESENT Tds="now-24h" # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h" # Zone's maximum TTL + propagation delay Tsig="now-12h" # Zone's maximum TTL + propagation delay
$SETTIME -P $Tkey -P sync $Tds -A $Tkey "$KSK" > settime.out.$zone.1 2>&1 ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
$SETTIME -P $Tsig -A $Tsig "$ZSK" > settime.out.$zone.2 2>&1 zsktimes="-P ${Tsig} -A ${Tsig}"
KSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 5 "$KSK" >> "$infile" private_type_record $zone 5 "$KSK" >> "$infile"
private_type_record $zone 5 "$ZSK" >> "$infile" private_type_record $zone 5 "$ZSK" >> "$infile"
@ -96,11 +96,13 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
# Introduce the first key. This will immediately be active. # Introduce the first key. This will immediately be active.
setup step1.algorithm-roll.kasp setup step1.algorithm-roll.kasp
echo "$zone" >> zones echo "$zone" >> zones
KSK=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2)
TactN="now" TactN="now"
$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 5 "$KSK" >> "$infile" private_type_record $zone 5 "$KSK" >> "$infile"
private_type_record $zone 5 "$ZSK" >> "$infile" private_type_record $zone 5 "$ZSK" >> "$infile"
@ -109,18 +111,24 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
# Step 2: # Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT. # After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.algorithm-roll.kasp setup step2.algorithm-roll.kasp
KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2)
# The time passed since the new algorithm keys have been introduced is 3 hours. # The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h" TactN="now-3h"
TpubN1="now-3h" TpubN1="now-3h"
TactN1="now+6h" # Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety =
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 # now - 3h + 6h + 1h + 1h = now + 5h
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 TsbmN1="now+5h"
$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.1 2>&1 ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1 zsk1times="-P ${TactN} -A ${TactN} -I now"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys. # Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state" echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state" echo "Lifetime: 0" >> "${ZSK1}.state"
@ -134,18 +142,23 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
# Step 3: # Step 3:
# The zone signatures are also OMNIPRESENT. # The zone signatures are also OMNIPRESENT.
setup step3.algorithm-roll.kasp setup step3.algorithm-roll.kasp
KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2)
# The time passed since the new algorithm keys have been introduced is 9 hours. # The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h" TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h" TpubN1="now-9h"
TactN1="now" TsbmN1="now-1h"
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.1 2>&1 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1 zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys. # Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state" echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state" echo "Lifetime: 0" >> "${ZSK1}.state"
@ -159,18 +172,24 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
# Step 4: # Step 4:
# The DS is swapped and can become OMNIPRESENT. # The DS is swapped and can become OMNIPRESENT.
setup step4.algorithm-roll.kasp setup step4.algorithm-roll.kasp
KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2)
# The time passed since the DS has been swapped is 29 hours. # The time passed since the DS has been swapped is 29 hours.
TactN="now-38h" TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h" TpubN1="now-38h"
TsbmN1="now-30h"
TactN1="now-29h" TactN1="now-29h"
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 "$KSK2" > settime.out.$zone.1 2>&1 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1 zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys. # Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state" echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state" echo "Lifetime: 0" >> "${ZSK1}.state"
@ -184,19 +203,25 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
# Step 5: # Step 5:
# The DNSKEY is removed long enough to be HIDDEN. # The DNSKEY is removed long enough to be HIDDEN.
setup step5.algorithm-roll.kasp setup step5.algorithm-roll.kasp
KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2)
# The time passed since the DNSKEY has been removed is 2 hours. # The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h" TactN="now-40h"
TpubN1="now-40h" TretN="now-37h"
TactN1="now-31h"
TremN="now-2h" TremN="now-2h"
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 TpubN1="now-40h"
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1 TsbmN1="now-32h"
$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.1 2>&1 TactN1="now-31h"
$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1 ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys. # Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state" echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state" echo "Lifetime: 0" >> "${ZSK1}.state"
@ -210,20 +235,26 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
# Step 6: # Step 6:
# The RRSIGs have been removed long enough to be HIDDEN. # The RRSIGs have been removed long enough to be HIDDEN.
setup step6.algorithm-roll.kasp setup step6.algorithm-roll.kasp
KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2)
# Additional time passed: 7h. # Additional time passed: 7h.
TactN="now-47h" TactN="now-47h"
TretN="now-44h"
TremN="now-7h"
TpubN1="now-47h" TpubN1="now-47h"
TsbmN1="now-39h"
TactN1="now-38h" TactN1="now-38h"
TdeaN="now-9h" TdeaN="now-9h"
TremN="now-7h" ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.1 2>&1 zsk2times="-P ${TpubN1} -A ${TpubN1}"
$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1 KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys. # Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state" echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state" echo "Lifetime: 0" >> "${ZSK1}.state"
@ -243,9 +274,10 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
# Introduce the first key. This will immediately be active. # Introduce the first key. This will immediately be active.
setup step1.csk-algorithm-roll.kasp setup step1.csk-algorithm-roll.kasp
echo "$zone" >> zones echo "$zone" >> zones
CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
TactN="now" TactN="now"
$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
cat template.db.in "${CSK}.key" > "$infile" cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone 5 "$CSK" >> "$infile" private_type_record $zone 5 "$CSK" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@ -253,13 +285,15 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig
# Step 2: # Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT. # After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.csk-algorithm-roll.kasp setup step2.csk-algorithm-roll.kasp
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1)
# The time passed since the new algorithm keys have been introduced is 3 hours. # The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h" TactN="now-3h"
TpubN1="now-3h" TpubN1="now-3h"
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.1 2>&1 newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys. # Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state" echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
@ -270,14 +304,17 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig
# Step 3: # Step 3:
# The zone signatures are also OMNIPRESENT. # The zone signatures are also OMNIPRESENT.
setup step3.csk-algorithm-roll.kasp setup step3.csk-algorithm-roll.kasp
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1)
# The time passed since the new algorithm keys have been introduced is 9 hours. # The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h" TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h" TpubN1="now-9h"
TactN1="now-6h" TactN1="now-6h"
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.1 2>&1 newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys. # Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state" echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
@ -288,15 +325,18 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig
# Step 4: # Step 4:
# The DS is swapped and can become OMNIPRESENT. # The DS is swapped and can become OMNIPRESENT.
setup step4.csk-algorithm-roll.kasp setup step4.csk-algorithm-roll.kasp
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1)
# The time passed since the DS has been swapped is 29 hours. # The time passed since the DS has been swapped is 29 hours.
TactN="now-38h" TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h" TpubN1="now-38h"
TactN1="now-35h" TactN1="now-35h"
TsubN1="now-29h" TsubN1="now-29h"
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 "$CSK2" > settime.out.$zone.1 2>&1 newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys. # Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state" echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
@ -307,16 +347,19 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig
# Step 5: # Step 5:
# The DNSKEY is removed long enough to be HIDDEN. # The DNSKEY is removed long enough to be HIDDEN.
setup step5.csk-algorithm-roll.kasp setup step5.csk-algorithm-roll.kasp
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1)
# The time passed since the DNSKEY has been removed is 2 hours. # The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h" TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h" TpubN1="now-40h"
TactN1="now-37h" TactN1="now-37h"
TsubN1="now-31h" TsubN1="now-31h"
TremN="now-2h" csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1 newtimes="-P ${TpubN1} -A ${TpubN1}"
$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.1 2>&1 CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys. # Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state" echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
@ -327,17 +370,20 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig
# Step 6: # Step 6:
# The RRSIGs have been removed long enough to be HIDDEN. # The RRSIGs have been removed long enough to be HIDDEN.
setup step6.csk-algorithm-roll.kasp setup step6.csk-algorithm-roll.kasp
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1)
# Additional time passed: 7h. # Additional time passed: 7h.
TactN="now-47h" TactN="now-47h"
TretN="now-44h"
TdeaN="now-9h"
TremN="now-7h"
TpubN1="now-47h" TpubN1="now-47h"
TactN1="now-44h" TactN1="now-44h"
TsubN1="now-38h" TsubN1="now-38h"
TdeaN="now-9h" csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
TremN="now-7h" newtimes="-P ${TpubN1} -A ${TpubN1}"
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > settime.out.$zone.1 2>&1 CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys. # Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state" echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
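Review bot: The step1.csk-algorithm-roll hunk orders the timing string as `csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"` while every other block in this file writes publish, activate, then sync; `csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"` keeps the blocks uniform and easier to diff against each other. The `$ksktimes`, `$zsktimes`, `$csktimes` and `$newtimes` expansions are deliberately unquoted so the shell splits them into separate options, which shellcheck reports as SC2086; a one-line `# shellcheck disable=SC2086  # word splitting of the timing options is intended` above the first $KEYGEN call in each block documents that intent. Renumbering the second key's stderr to keygen.out.$zone.3/.4 also stops the two keys clobbering each other's output, which is worth a word in the commit description.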



@ -2021,6 +2021,8 @@ write_key_state(const dst_key_t *key, int type, const char *directory) {
printtime(key, DST_TIME_INACTIVE, "Retired", fp); printtime(key, DST_TIME_INACTIVE, "Retired", fp);
printtime(key, DST_TIME_REVOKE, "Revoked", fp); printtime(key, DST_TIME_REVOKE, "Revoked", fp);
printtime(key, DST_TIME_DELETE, "Removed", fp); printtime(key, DST_TIME_DELETE, "Removed", fp);
printtime(key, DST_TIME_SYNCPUBLISH, "PublishCDS", fp);
printtime(key, DST_TIME_SYNCDELETE, "DeleteCDS", fp);
printtime(key, DST_TIME_DNSKEY, "DNSKEYChange", fp); printtime(key, DST_TIME_DNSKEY, "DNSKEYChange", fp);
printtime(key, DST_TIME_ZRRSIG, "ZRRSIGChange", fp); printtime(key, DST_TIME_ZRRSIG, "ZRRSIGChange", fp);
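Review bot: write_key_state now writes two additional keywords, `PublishCDS` and `DeleteCDS`, into the key state file, but the matching state-file reader is not part of this hunk, so it is worth confirming that it accepts both keywords and that a build without this change tolerates them rather than rejecting the file. A comment above the two new lines, `/* CDS/CDNSKEY sync times; keep in step with the state-file parser. */`, would tie writer and reader together for the next maintainer. write_key_state begins outside the hunk.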


@ -88,12 +88,95 @@ keymgr_keyrole(dst_key_t *key) {
return ("NOSIGN"); return ("NOSIGN");
} }
/*
* Set the remove time on key given its retire time.
*
*/
static void
keymgr_settime_remove(dns_dnsseckey_t *key, dns_kasp_t *kasp) {
isc_stdtime_t retire = 0, remove = 0, ksk_remove = 0, zsk_remove = 0;
bool zsk = false, ksk = false;
isc_result_t ret;
REQUIRE(key != NULL);
REQUIRE(key->key != NULL);
ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
if (ret != ISC_R_SUCCESS) {
return;
}
ret = dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk);
if (ret == ISC_R_SUCCESS && zsk) {
/* ZSK: Iret = Dsgn + Dprp + TTLsig */
zsk_remove = retire + dns_kasp_zonemaxttl(kasp) +
dns_kasp_zonepropagationdelay(kasp) +
dns_kasp_retiresafety(kasp) +
dns_kasp_signdelay(kasp);
}
ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk);
if (ret == ISC_R_SUCCESS && ksk) {
/* KSK: Iret = DprpP + TTLds */
ksk_remove = retire + dns_kasp_dsttl(kasp) +
dns_kasp_parentpropagationdelay(kasp) +
dns_kasp_retiresafety(kasp);
}
if (zsk && ksk) {
ksk_remove += dns_kasp_parentregistrationdelay(kasp);
}
remove = ksk_remove > zsk_remove ? ksk_remove : zsk_remove;
dst_key_settime(key->key, DST_TIME_DELETE, remove);
}
/*
* Set the SyncPublish time (when the DS may be submitted to the parent)
*
*/
static void
keymgr_settime_syncpublish(dns_dnsseckey_t *key, dns_kasp_t *kasp, bool first) {
isc_stdtime_t published, syncpublish;
bool ksk = false;
isc_result_t ret;
REQUIRE(key != NULL);
REQUIRE(key->key != NULL);
ret = dst_key_gettime(key->key, DST_TIME_PUBLISH, &published);
if (ret != ISC_R_SUCCESS) {
return;
}
ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk);
if (ret != ISC_R_SUCCESS || !ksk) {
return;
}
syncpublish = published + dst_key_getttl(key->key) +
dns_kasp_zonepropagationdelay(kasp) +
dns_kasp_publishsafety(kasp);
if (first) {
/* Also need to wait until the signatures are omnipresent. */
isc_stdtime_t zrrsig_present;
zrrsig_present = published + dns_kasp_zonemaxttl(kasp) +
dns_kasp_zonepropagationdelay(kasp) +
dns_kasp_publishsafety(kasp);
if (zrrsig_present > syncpublish) {
syncpublish = zrrsig_present;
}
}
dst_key_settime(key->key, DST_TIME_SYNCPUBLISH, syncpublish);
}
/* /*
* Calculate prepublication time of a successor key of 'key'. * Calculate prepublication time of a successor key of 'key'.
* This function can have side effects: * This function can have side effects:
* If the lifetime is not set, it will be set now. * 1. If there is no active time set, which would be super weird, set it now.
* If there should be a retire time and it is not set, it will be set now. * 2. If there is no published time set, also super weird, set it now.
* If there is no active time set, which would be super weird, set it now. * 3. If there is no syncpublished time set, set it now.
* 4. If the lifetime is not set, it will be set now.
* 5. If there should be a retire time and it is not set, it will be set now.
* 6. The removed time is adjusted accordingly.
* *
* This returns when the successor key needs to be published in the zone. * This returns when the successor key needs to be published in the zone.
* A special value of 0 means there is no need for a successor. * A special value of 0 means there is no need for a successor.
@ -104,40 +187,80 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
uint32_t lifetime, isc_stdtime_t now) { uint32_t lifetime, isc_stdtime_t now) {
isc_result_t ret; isc_result_t ret;
isc_stdtime_t active, retire, pub, prepub; isc_stdtime_t active, retire, pub, prepub;
bool ksk = false; bool zsk = false, ksk = false;
REQUIRE(key != NULL); REQUIRE(key != NULL);
REQUIRE(key->key != NULL); REQUIRE(key->key != NULL);
active = 0; active = 0;
pub = 0;
retire = 0; retire = 0;
/*
* An active key must have publish and activate timing
* metadata.
*/
ret = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
if (ret != ISC_R_SUCCESS) {
/* Super weird, but if it happens, set it to now. */
dst_key_settime(key->key, DST_TIME_ACTIVATE, now);
active = now;
}
ret = dst_key_gettime(key->key, DST_TIME_PUBLISH, &pub);
if (ret != ISC_R_SUCCESS) {
/* Super weird, but if it happens, set it to now. */
dst_key_settime(key->key, DST_TIME_PUBLISH, now);
pub = now;
}
/*
* Calculate prepublication time.
*/
prepub = dst_key_getttl(key->key) + dns_kasp_publishsafety(kasp) + prepub = dst_key_getttl(key->key) + dns_kasp_publishsafety(kasp) +
dns_kasp_zonepropagationdelay(kasp); dns_kasp_zonepropagationdelay(kasp);
ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk); ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk);
if (ret == ISC_R_SUCCESS && ksk) { if (ret == ISC_R_SUCCESS && ksk) {
/* Add registration delay to the prepublication time. */ isc_stdtime_t syncpub;
/*
* Set PublishCDS if not set.
*/
ret = dst_key_gettime(key->key, DST_TIME_SYNCPUBLISH, &syncpub);
if (ret != ISC_R_SUCCESS) {
uint32_t tag;
isc_stdtime_t syncpub1, syncpub2;
syncpub1 = pub + prepub;
syncpub2 = 0;
ret = dst_key_getnum(key->key, DST_NUM_PREDECESSOR,
&tag);
if (ret != ISC_R_SUCCESS) {
/*
* No predecessor, wait for zone to be
* completely signed.
*/
syncpub2 = pub + dns_kasp_zonemaxttl(kasp) +
dns_kasp_publishsafety(kasp) +
dns_kasp_zonepropagationdelay(kasp);
}
syncpub = syncpub1 > syncpub2 ? syncpub1 : syncpub2;
dst_key_settime(key->key, DST_TIME_SYNCPUBLISH,
syncpub);
}
}
(void)dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk);
if (!zsk && ksk) {
/*
* Include registration delay in prepublication time.
*/
prepub += dns_kasp_parentregistrationdelay(kasp); prepub += dns_kasp_parentregistrationdelay(kasp);
} }
ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire); ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
if (ret != ISC_R_SUCCESS) { if (ret != ISC_R_SUCCESS) {
uint32_t klifetime = 0; uint32_t klifetime = 0;
/*
* An active key must have publish and activate timing
* metadata.
*/
ret = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
if (ret != ISC_R_SUCCESS) {
/* Super weird, but if it happens, set it to now. */
dst_key_settime(key->key, DST_TIME_ACTIVATE, now);
active = now;
}
ret = dst_key_gettime(key->key, DST_TIME_PUBLISH, &pub);
if (ret != ISC_R_SUCCESS) {
/* Super weird, but if it happens, set it to now. */
dst_key_settime(key->key, DST_TIME_PUBLISH, now);
pub = now;
}
ret = dst_key_getnum(key->key, DST_NUM_LIFETIME, &klifetime); ret = dst_key_getnum(key->key, DST_NUM_LIFETIME, &klifetime);
if (ret != ISC_R_SUCCESS) { if (ret != ISC_R_SUCCESS) {
@ -156,6 +279,11 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
dst_key_settime(key->key, DST_TIME_INACTIVE, retire); dst_key_settime(key->key, DST_TIME_INACTIVE, retire);
} }
/*
* Update remove time.
*/
keymgr_settime_remove(key, kasp);
/* /*
* Publish successor 'prepub' time before the 'retire' time of 'key'. * Publish successor 'prepub' time before the 'retire' time of 'key'.
*/ */
@ -163,8 +291,10 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
} }
static void static void
keymgr_key_retire(dns_dnsseckey_t *key, isc_stdtime_t now) { keymgr_key_retire(dns_dnsseckey_t *key, dns_kasp_t *kasp, isc_stdtime_t now) {
char keystr[DST_KEY_FORMATSIZE]; char keystr[DST_KEY_FORMATSIZE];
isc_result_t ret;
isc_stdtime_t retire;
dst_key_state_t s; dst_key_state_t s;
bool ksk, zsk; bool ksk, zsk;
@ -172,8 +302,12 @@ keymgr_key_retire(dns_dnsseckey_t *key, isc_stdtime_t now) {
REQUIRE(key->key != NULL); REQUIRE(key->key != NULL);
/* This key wants to retire and hide in a corner. */ /* This key wants to retire and hide in a corner. */
dst_key_settime(key->key, DST_TIME_INACTIVE, now); ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
if (ret != ISC_R_SUCCESS || (retire > now)) {
dst_key_settime(key->key, DST_TIME_INACTIVE, now);
}
dst_key_setstate(key->key, DST_KEY_GOAL, HIDDEN); dst_key_setstate(key->key, DST_KEY_GOAL, HIDDEN);
keymgr_settime_remove(key, kasp);
/* This key may not have key states set yet. Pretend as if they are /* This key may not have key states set yet. Pretend as if they are
* in the OMNIPRESENT state. * in the OMNIPRESENT state.
@ -1013,11 +1147,16 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
dns_kasp_retiresafety(kasp); dns_kasp_retiresafety(kasp);
/* /*
* Only add the sign delay Dsgn if there is an actual * Only add the sign delay Dsgn if there is an actual
* predecessor key. * predecessor or successor key.
*/ */
uint32_t pre; uint32_t tag;
if (dst_key_getnum(key->key, DST_NUM_PREDECESSOR, ret = dst_key_getnum(key->key, DST_NUM_PREDECESSOR,
&pre) == ISC_R_SUCCESS) { &tag);
if (ret != ISC_R_SUCCESS) {
ret = dst_key_getnum(key->key,
DST_NUM_SUCCESSOR, &tag);
}
if (ret == ISC_R_SUCCESS) {
nexttime += dns_kasp_signdelay(kasp); nexttime += dns_kasp_signdelay(kasp);
} }
break; break;
@ -1373,7 +1512,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
/* No match, so retire unwanted retire key. */ /* No match, so retire unwanted retire key. */
if (!found_match) { if (!found_match) {
keymgr_key_retire(dkey, now); keymgr_key_retire(dkey, kasp, now);
} }
} }
@ -1428,7 +1567,8 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
* the kasp key configuration. * the kasp key configuration.
* Retire excess keys in use. * Retire excess keys in use.
*/ */
keymgr_key_retire(dkey, now); keymgr_key_retire(dkey, kasp,
now);
} }
continue; continue;
} }
@ -1537,8 +1677,8 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
keymgr_key_init(newkey, kasp, now); keymgr_key_init(newkey, kasp, now);
} else { } else {
newkey = candidate; newkey = candidate;
dst_key_setnum(newkey->key, DST_NUM_LIFETIME, lifetime);
} }
dst_key_setnum(newkey->key, DST_NUM_LIFETIME, lifetime);
/* Got a key. */ /* Got a key. */
if (active_key == NULL) { if (active_key == NULL) {
@ -1548,30 +1688,50 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
*/ */
dst_key_settime(newkey->key, DST_TIME_PUBLISH, now); dst_key_settime(newkey->key, DST_TIME_PUBLISH, now);
dst_key_settime(newkey->key, DST_TIME_ACTIVATE, now); dst_key_settime(newkey->key, DST_TIME_ACTIVATE, now);
keymgr_settime_syncpublish(newkey, kasp, true);
active = now; active = now;
} else { } else {
/* /*
* This is a successor. Mark the relationship. * This is a successor. Mark the relationship.
*/ */
isc_stdtime_t created;
(void)dst_key_gettime(newkey->key, DST_TIME_CREATED,
&created);
dst_key_setnum(newkey->key, DST_NUM_PREDECESSOR, dst_key_setnum(newkey->key, DST_NUM_PREDECESSOR,
dst_key_id(active_key->key)); dst_key_id(active_key->key));
dst_key_setnum(active_key->key, DST_NUM_SUCCESSOR, dst_key_setnum(active_key->key, DST_NUM_SUCCESSOR,
dst_key_id(newkey->key)); dst_key_id(newkey->key));
(void)dst_key_gettime(active_key->key, (void)dst_key_gettime(active_key->key,
DST_TIME_INACTIVE, &retire); DST_TIME_INACTIVE, &retire);
dst_key_settime(newkey->key, DST_TIME_PUBLISH, prepub);
dst_key_settime(newkey->key, DST_TIME_ACTIVATE, retire);
active = retire; active = retire;
/*
* If prepublication time and/or retire time are
* in the past (before the new key was created), use
* creation time as published and active time,
* effectively immediately making the key active.
*/
if (prepub < created) {
active += (created - prepub);
prepub = created;
}
if (active < created) {
active = created;
}
dst_key_settime(newkey->key, DST_TIME_PUBLISH, prepub);
dst_key_settime(newkey->key, DST_TIME_ACTIVATE, active);
keymgr_settime_syncpublish(newkey, kasp, false);
} }
/* This key wants to be present. */ /* This key wants to be present. */
dst_key_setstate(newkey->key, DST_KEY_GOAL, OMNIPRESENT); dst_key_setstate(newkey->key, DST_KEY_GOAL, OMNIPRESENT);
/* Do we need to set retire time? */ /* Do we need to set retire time? */
(void)dst_key_getnum(newkey->key, DST_NUM_LIFETIME, &lifetime);
if (lifetime > 0) { if (lifetime > 0) {
dst_key_settime(newkey->key, DST_TIME_INACTIVE, dst_key_settime(newkey->key, DST_TIME_INACTIVE,
(active + lifetime)); (active + lifetime));
keymgr_settime_remove(newkey, kasp);
} }
/* Append dnsseckey to list of new keys. */ /* Append dnsseckey to list of new keys. */