fix: usr: Fix several small DNSSEC timing issues

The following small issues related to `dnssec-policy` have been fixed: - In some cases the key manager inside BIND 9 could run every hour, while it could have run less often. - While `CDS` and `CDNSKEY` records will be removed correctly from the zone when the corresponding `DS` record needs to be updated, the expected timing metadata when this will happen was never set. - There were a couple of cases where the safety intervals are added inappropriately, delaying key rollovers longer than necessary. - If you have identical `keys` in your `dnssec-policy`, they may be retired inappropriately. Note that having keys with identical properties is discouraged in all cases. Closes #5242 Merge branch '5242-several-keymgr-issues' into 'main' See merge request isc-projects/bind9!10251
2025-08-29 05:28:00 +00:00 · 2025-03-20 10:13:22 +00:00 · 2025-03-20 10:13:22 +00:00 · d2214cb704
commit d2214cb704
parent 329a332708 3e836a87e6
4 changed files with 237 additions and 212 deletions
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@ -130,7 +130,7 @@ $KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone >keygen.out.$zone.2 2>&1
 zone="multisigner-model2.kasp"
 echo_i "setting up zone: $zone"
 KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 -M 32768:65535 $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zone -M 32768:65535 2>keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -M 32768:65535 $zone 2>keygen.out.$zone.2)
 cat "${KSK}.key" | grep -v ";.*" >>"${zone}.db"
 cat "${ZSK}.key" | grep -v ";.*" >>"${zone}.db"
 # Import the ZSK sets of the other providers into their DNSKEY RRset.
@ -350,10 +350,9 @@ setup step2.enable-dnssec.autosign
 TpubN="now-900s"
 # RRSIG TTL:              12 hour (43200 seconds)
 # zone-propagation-delay: 5 minutes (300 seconds)
-# retire-safety:          20 minutes (1200 seconds)
 # Already passed time:    -900 seconds
-# Total:                  43800 seconds
-TsbmN="now+43800s"
+# Total:                  42600 seconds
+TsbmN="now+42600s"
 keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
 CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1)
 $SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
@ -365,10 +364,10 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $i
 # Step 3:
 # The zone signatures have been published long enough to become OMNIPRESENT.
 setup step3.enable-dnssec.autosign
-# Passed time since publications: 43800 + 900 = 44700 seconds.
-TpubN="now-44700s"
+# Passed time since publications: 42600 + 900 = 43500 seconds.
+TpubN="now-43500s"
 # The key is secure for using in chain of trust when the DNSKEY is OMNIPRESENT.
-TcotN="now-43800s"
+TcotN="now-42600s"
 # We can submit the DS now.
 TsbmN="now"
 keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
@ -127,9 +127,9 @@ setup step2.algorithm-roll.kasp
 # The time passed since the new algorithm keys have been introduced is 3 hours.
 TactN="now-3h"
 TpubN1="now-3h"
-# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety =
-# now - 3h + 6h + 1h + 1h = now + 5h
-TsbmN1="now+5h"
+# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp =
+# now - 3h + 6h + 1h = now + 4h
+TsbmN1="now+4h"
 ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I now"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I now"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@ -156,11 +156,11 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
 # Step 3:
 # The zone signatures are also OMNIPRESENT.
 setup step3.algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 9 hours.
-TactN="now-9h"
-TretN="now-6h"
-TpubN1="now-9h"
-TsbmN1="now-1h"
+# The time passed since the new algorithm keys have been introduced is 7 hours.
+TactN="now-7h"
+TretN="now-3h"
+TpubN1="now-7h"
+TsbmN1="now"
 ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@ -188,11 +188,11 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
 # The DS is swapped and can become OMNIPRESENT.
 setup step4.algorithm-roll.kasp
 # The time passed since the DS has been swapped is 29 hours.
-TactN="now-38h"
-TretN="now-35h"
-TpubN1="now-38h"
-TsbmN1="now-30h"
-TactN1="now-29h"
+TactN="now-36h"
+TretN="now-33h"
+TpubN1="now-36h"
+TsbmN1="now-29h"
+TactN1="now-27h"
 ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@ -220,12 +220,12 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
 # The DNSKEY is removed long enough to be HIDDEN.
 setup step5.algorithm-roll.kasp
 # The time passed since the DNSKEY has been removed is 2 hours.
-TactN="now-40h"
-TretN="now-37h"
+TactN="now-38h"
+TretN="now-35h"
 TremN="now-2h"
-TpubN1="now-40h"
-TsbmN1="now-32h"
-TactN1="now-31h"
+TpubN1="now-38h"
+TsbmN1="now-31h"
+TactN1="now-29h"
 ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@ -253,13 +253,13 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
 # The RRSIGs have been removed long enough to be HIDDEN.
 setup step6.algorithm-roll.kasp
 # Additional time passed: 7h.
-TactN="now-47h"
-TretN="now-44h"
+TactN="now-45h"
+TretN="now-42h"
 TremN="now-7h"
-TpubN1="now-47h"
-TsbmN1="now-39h"
-TactN1="now-38h"
-TdeaN="now-9h"
+TpubN1="now-45h"
+TsbmN1="now-38h"
+TactN1="now-36h"
+TdeaN="now-7h"
 ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@ -324,11 +324,11 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
 # Step 3:
 # The zone signatures are also OMNIPRESENT.
 setup step3.csk-algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 9 hours.
-TactN="now-9h"
-TretN="now-6h"
-TpubN1="now-9h"
-TactN1="now-6h"
+# The time passed since the new algorithm keys have been introduced is 7 hours.
+TactN="now-7h"
+TretN="now-3h"
+TpubN1="now-7h"
+TactN1="now-3h"
 csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
 newtimes="-P ${TpubN1} -A ${TpubN1}"
 CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
@ -347,10 +347,10 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
 # The DS is swapped and can become OMNIPRESENT.
 setup step4.csk-algorithm-roll.kasp
 # The time passed since the DS has been swapped is 29 hours.
-TactN="now-38h"
-TretN="now-35h"
-TpubN1="now-38h"
-TactN1="now-35h"
+TactN="now-36h"
+TretN="now-33h"
+TpubN1="now-36h"
+TactN1="now-33h"
 TsubN1="now-29h"
 csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
 newtimes="-P ${TpubN1} -A ${TpubN1}"
@ -370,11 +370,11 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
 # The DNSKEY is removed long enough to be HIDDEN.
 setup step5.csk-algorithm-roll.kasp
 # The time passed since the DNSKEY has been removed is 2 hours.
-TactN="now-40h"
-TretN="now-37h"
+TactN="now-38h"
+TretN="now-35h"
 TremN="now-2h"
-TpubN1="now-40h"
-TactN1="now-37h"
+TpubN1="now-38h"
+TactN1="now-35h"
 TsubN1="now-31h"
 csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
 newtimes="-P ${TpubN1} -A ${TpubN1}"
@ -394,12 +394,12 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
 # The RRSIGs have been removed long enough to be HIDDEN.
 setup step6.csk-algorithm-roll.kasp
 # Additional time passed: 7h.
-TactN="now-47h"
-TretN="now-44h"
+TactN="now-45h"
+TretN="now-42h"
 TdeaN="now-9h"
 TremN="now-7h"
-TpubN1="now-47h"
-TactN1="now-44h"
+TpubN1="now-45h"
+TactN1="now-42h"
 TsubN1="now-38h"
 csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
 newtimes="-P ${TpubN1} -A ${TpubN1}"
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@ -275,9 +275,8 @@ set_keytimes_csk_policy() {
  set_keytime "KEY1" "ACTIVE" "${created}"
  # The DS can be published if the DNSKEY and RRSIG records are
  # OMNIPRESENT.  This happens after max-zone-ttl (1d) plus
-  # publish-safety (1h) plus zone-propagation-delay (300s) =
-  # 86400 + 3600 + 300 = 90300.
-  set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300
+  # zone-propagation-delay (300s) = 86400 + 300 = 86700.
+  set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 86700
  # Key lifetime is unlimited, so not setting RETIRED and REMOVED.
 }

@ -769,9 +768,8 @@ set_keytimes_algorithm_policy() {

  # The DS can be published if the DNSKEY and RRSIG records are
  # OMNIPRESENT.  This happens after max-zone-ttl (1d) plus
-  # publish-safety (1h) plus zone-propagation-delay (300s) =
-  # 86400 + 3600 + 300 = 90300.
-  set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
+  # zone-propagation-delay (300s) = 86400 + 300 = 86700.
+  set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 86700
  # Key lifetime is 10 years, 315360000 seconds.
  set_addkeytime "KEY1" "RETIRED" "${published}" 315360000
  # The key is removed after the retire time plus DS TTL (1d),
@ -1720,10 +1718,10 @@ published=$(awk '{print $3}' <published.test${n}.key1)
 set_keytime "KEY1" "PUBLISHED" "${published}"
 set_keytime "KEY1" "ACTIVE" "${published}"
 published=$(key_get KEY1 PUBLISHED)
-# The DS can be published if the DNSKEY and RRSIG records are OMNIPRESENT.
-#  This happens after max-zone-ttl (1d) plus publish-safety (1h) plus
-# zone-propagation-delay (300s) = 86400 + 3600 + 300 = 90300.
-set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
+# The DS can be published if the zone is fully signed.
+# This happens after max-zone-ttl (1d) plus
+# zone-propagation-delay (300s) = 86400 + 300 = 86700.
+set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 86700
 # Key lifetime is 6 months, 315360000 seconds.
 set_addkeytime "KEY1" "RETIRED" "${published}" 16070400
 # The key is removed after the retire time plus DS TTL (1d), parent
@ -2486,9 +2484,9 @@ set_keytime "KEY1" "PUBLISHED" "${created}"
 set_keytime "KEY1" "ACTIVE" "${created}"
 # - The DS can be published if the DNSKEY and RRSIG records are
 #   OMNIPRESENT.  This happens after max-zone-ttl (12h) plus
-#   publish-safety (5m) plus zone-propagation-delay (5m) =
-#   43200 + 300 + 300 = 43800.
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
+#   plus zone-propagation-delay (5m) =
+#   43200 + 300 = 43500.
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43500
 # - Key lifetime is unlimited, so not setting RETIRED and REMOVED.

 # Various signing policy checks.
@ -2556,7 +2554,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 created=$(key_get KEY1 CREATED)
 set_addkeytime "KEY1" "PUBLISHED" "${created}" -900
 set_addkeytime "KEY1" "ACTIVE" "${created}" -900
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 42600

 # Continue signing policy checks.
 check_keytimes
@ -2566,8 +2564,8 @@ dnssec_verify

 # Next key event is when the zone signatures become OMNIPRESENT: max-zone-ttl
 # plus zone propagation delay plus retire safety minus the already elapsed
-# 900 seconds: 12h + 300s + 20m - 900 = 44700 - 900 = 43800 seconds
-check_next_key_event 43800
+# 900 seconds: 12h + 300s + 20m - 900 = 43500 - 900 = 42600 seconds
+check_next_key_event 42600

 #
 # Zone: step3.enable-dnssec.autosign.
@ -2584,10 +2582,10 @@ check_keys
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

 # Set expected key times:
-# - The key was published and activated 44700 seconds ago (with settime).
+# - The key was published and activated 43500 seconds ago (with settime).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700
-set_addkeytime "KEY1" "ACTIVE" "${created}" -44700
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -43500
+set_addkeytime "KEY1" "ACTIVE" "${created}" -43500
 set_keytime "KEY1" "SYNCPUBLISH" "${created}"

 # Continue signing policy checks.
@ -2603,8 +2601,8 @@ check_cdslog "$DIR" "$ZONE" KEY1
 rndc_checkds "$SERVER" "$DIR" KEY1 "now" "published" "$ZONE"
 # Next key event is when the DS can move to the OMNIPRESENT state.  This occurs
 # when the parent propagation delay have passed, plus the DS TTL and retire
-# safety delay:  1h + 2h + 20m = 3h20m = 12000 seconds
-check_next_key_event 12000
+# safety delay:  1h + 2h = 3h = 10800 seconds
+check_next_key_event 10800

 #
 # Zone: step4.enable-dnssec.autosign.
@ -4388,9 +4386,9 @@ check_subdomain
 dnssec_verify

 # Next key event is when the DS becomes HIDDEN. This happens after the
-# parent propagation delay, retire safety delay, and DS TTL:
-# 1h + 1h + 1d = 26h = 93600 seconds.
-check_next_key_event 93600
+# parent propagation delay, and DS TTL:
+# 1h + 1d = 25h = 90000 seconds.
+check_next_key_event 90000

 #
 # Zone: step2.going-insecure.kasp
@ -4456,8 +4454,8 @@ dnssec_verify

 # Next key event is when the DS becomes HIDDEN. This happens after the
 # parent propagation delay, retire safety delay, and DS TTL:
-# 1h + 1h + 1d = 26h = 93600 seconds.
-check_next_key_event 93600
+# 1h + 1d = 25h = 90000 seconds.
+check_next_key_event 90000

 #
 # Zone: step2.going-insecure-dynamic.kasp
@ -4651,12 +4649,11 @@ set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
 created=$(key_get KEY3 CREATED)
 set_keytime "KEY3" "PUBLISHED" "${created}"
 set_keytime "KEY3" "ACTIVE" "${created}"
-# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
+# - It takes TTLsig + Dprp to propagate the zone.
 #   TTLsig:         6h (39600 seconds)
 #   Dprp:           1h (3600 seconds)
-#   publish-safety: 1h (3600 seconds)
-#   Ipub:           8h (28800 seconds)
-Ipub=28800
+#   Ipub:           7h (25200 seconds)
+Ipub=25200
 set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
 # - The new ZSK is published and activated.
 created=$(key_get KEY4 CREATED)
@ -4725,12 +4722,12 @@ dnssec_verify

 # Next key event is when all zone signatures are signed with the new
 # algorithm.  This is the max-zone-ttl plus zone propagation delay
-# plus retire safety: 6h + 1h + 2h.  But three hours have already passed
-# (the time it took to make the DNSKEY omnipresent), so the next event
-# should be scheduled in 6 hour: 21600 seconds.  Prevent intermittent
+# 6h + 1h.  But three hours have already passed (the time it took to
+# make the DNSKEY omnipresent), so the next event should be scheduled
+# in 4 hour: 14400 seconds.  Prevent intermittent
 # false positives on slow platforms by subtracting the number of seconds
 # which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((21600 - time_passed))
+next_time=$((14400 - time_passed))
 check_next_key_event $next_time

 #
@ -4753,28 +4750,28 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 check_cdslog "$DIR" "$ZONE" KEY3

 # Set expected key times:
-# - The old keys were activated 9 hours ago (32400 seconds).
-rollover_predecessor_keytimes -32400
-# - And retired 6 hours ago (21600 seconds).
+# - The old keys were activated 7 hours ago (25200 seconds).
+rollover_predecessor_keytimes -25200
+# - And retired 3 hours ago (10800 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -21600
+set_addkeytime "KEY1" "RETIRED" "${created}" -10800
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"

 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -21600
+set_addkeytime "KEY2" "RETIRED" "${created}" -10800
 retired=$(key_get KEY2 RETIRED)
 set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
-# - The new keys are published 9 hours ago.
+# - The new keys are published 7 hours ago.
 created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400
-set_addkeytime "KEY3" "ACTIVE" "${created}" -32400
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -25200
+set_addkeytime "KEY3" "ACTIVE" "${created}" -25200
 published=$(key_get KEY3 PUBLISHED)
 set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}

 created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400
-set_addkeytime "KEY4" "ACTIVE" "${created}" -32400
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -25200
+set_addkeytime "KEY4" "ACTIVE" "${created}" -25200

 # Continue signing policy checks.
 check_keytimes
@ -4787,9 +4784,9 @@ dnssec_verify
 rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
 rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
 # Next key event is when the DS becomes OMNIPRESENT. This happens after the
-# parent propagation delay, retire safety delay, and DS TTL:
-# 1h + 2h + 2h = 5h = 18000 seconds.
-check_next_key_event 18000
+# parent propagation delay, and DS TTL:
+# 1h + 2h = 3h = 10800 seconds.
+check_next_key_event 10800

 #
 # Zone: step4.algorithm-roll.kasp
@ -4816,29 +4813,29 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

 # Set expected key times:
-# - The old keys were activated 38 hours ago (136800 seconds).
-rollover_predecessor_keytimes -136800
-# - And retired 35 hours ago (126000 seconds).
+# - The old keys were activated 36 hours ago (129600 seconds).
+rollover_predecessor_keytimes -129600
+# - And retired 33 hours ago (118800 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -126000
+set_addkeytime "KEY1" "RETIRED" "${created}" -118800
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"

 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -126000
+set_addkeytime "KEY2" "RETIRED" "${created}" -118800
 retired=$(key_get KEY2 RETIRED)
 set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"

-# - The new keys are published 38 hours ago.
+# - The new keys are published 36 hours ago.
 created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -129600
+set_addkeytime "KEY3" "ACTIVE" "${created}" -129600
 published=$(key_get KEY3 PUBLISHED)
 set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}

 created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY4" "ACTIVE" "${created}" -136800
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -129600
+set_addkeytime "KEY4" "ACTIVE" "${created}" -129600

 # Continue signing policy checks.
 check_keytimes
@ -4867,29 +4864,29 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

 # Set expected key times:
-# - The old keys were activated 40 hours ago (144000 seconds)
-rollover_predecessor_keytimes -144000
-# - And retired 37 hours ago (133200 seconds).
+# - The old keys were activated 38 hours ago (136800 seconds)
+rollover_predecessor_keytimes -136800
+# - And retired 35 hours ago (126000 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -133200
+set_addkeytime "KEY1" "RETIRED" "${created}" -126000
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"

 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -133200
+set_addkeytime "KEY2" "RETIRED" "${created}" -126000
 retired=$(key_get KEY2 RETIRED)
 set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"

 # The new keys are published 40 hours ago.
 created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000
-set_addkeytime "KEY3" "ACTIVE" "${created}" -144000
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
+set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
 published=$(key_get KEY3 PUBLISHED)
 set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}

 created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000
-set_addkeytime "KEY4" "ACTIVE" "${created}" -144000
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
+set_addkeytime "KEY4" "ACTIVE" "${created}" -136800

 # Continue signing policy checks.
 check_keytimes
@ -4898,12 +4895,12 @@ check_subdomain
 dnssec_verify

 # Next key event is when the RSASHA1 signatures become HIDDEN.  This happens
-# after the max-zone-ttl plus zone propagation delay plus retire safety
-# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
-# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
+# after the max-zone-ttl plus zone propagation delay (6h + 1h)
+# minus the time already passed since the UNRETENTIVE state has
+# been reached (2h): 7h - 2h = 5h = 18000 seconds. Prevent intermittent
 # false positives on slow platforms by subtracting the number of seconds
 # which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((25200 - time_passed))
+next_time=$((18000 - time_passed))
 check_next_key_event $next_time

 #
@ -4921,29 +4918,29 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

 # Set expected key times:
-# - The old keys were activated 47 hours ago (169200 seconds)
-rollover_predecessor_keytimes -169200
-# - And retired 44 hours ago (158400 seconds).
+# - The old keys were activated 45 hours ago (162000 seconds)
+rollover_predecessor_keytimes -162000
+# - And retired 42 hours ago (151200 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -158400
+set_addkeytime "KEY1" "RETIRED" "${created}" -151200
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"

 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -158400
+set_addkeytime "KEY2" "RETIRED" "${created}" -151200
 retired=$(key_get KEY2 RETIRED)
 set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"

 # The new keys are published 47 hours ago.
 created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200
-set_addkeytime "KEY3" "ACTIVE" "${created}" -169200
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -162000
+set_addkeytime "KEY3" "ACTIVE" "${created}" -162000
 published=$(key_get KEY3 PUBLISHED)
 set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}

 created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200
-set_addkeytime "KEY4" "ACTIVE" "${created}" -169200
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -162000
+set_addkeytime "KEY4" "ACTIVE" "${created}" -162000

 # Continue signing policy checks.
 check_keytimes
@ -5026,9 +5023,8 @@ set_keytime "KEY2" "ACTIVE" "${created}"
 # - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
 #   TTLsig:         6h (39600 seconds)
 #   Dprp:           1h (3600 seconds)
-#   publish-safety: 1h (3600 seconds)
-#   Ipub:           8h (28800 seconds)
-Ipub=28800
+#   Ipub:           7h (25200 seconds)
+Ipub=25200
 set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"

 # Continue signing policy checks.
@ -5082,14 +5078,13 @@ check_apex
 check_subdomain
 dnssec_verify

-# Next key event is when all zone signatures are signed with the new
-# algorithm.  This is the max-zone-ttl plus zone propagation delay
-# plus retire safety: 6h + 1h + 2h.  But three hours have already passed
-# (the time it took to make the DNSKEY omnipresent), so the next event
-# should be scheduled in 6 hour: 21600 seconds.  Prevent intermittent
-# false positives on slow platforms by subtracting the number of seconds
-# which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((21600 - time_passed))
+# Next key event is when all zone signatures are signed with the new algorithm.
+# This is the max-zone-ttl plus zone propagation delay: 6h + 1h.  But three
+# hours have already passed (the time it took to make the DNSKEY omnipresent),
+# so the next event should be scheduled in 4 hour: 14400 seconds.  Prevent
+# intermittent false positives on slow platforms by subtracting the number of
+# seconds which passed between key creation and invoking 'rndc reconfig'.
+next_time=$((14400 - time_passed))
 check_next_key_event $next_time

 #
@ -5114,17 +5109,17 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 check_cdslog "$DIR" "$ZONE" KEY2

 # Set expected key times:
-# - The old key was activated 9 hours ago (32400 seconds).
-csk_rollover_predecessor_keytimes -32400
-# - And was retired 6 hours ago (21600 seconds).
+# - The old key was activated 7 hours ago (25200 seconds).
+csk_rollover_predecessor_keytimes -25200
+# - And was retired 3 hours ago (10800 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -21600
+set_addkeytime "KEY1" "RETIRED" "${created}" -10800
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
 # - The new key was published 9 hours ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400
-set_addkeytime "KEY2" "ACTIVE" "${created}" -32400
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -25200
+set_addkeytime "KEY2" "ACTIVE" "${created}" -25200
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"

@ -5138,9 +5133,9 @@ dnssec_verify
 rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
 rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
 # Next key event is when the DS becomes OMNIPRESENT. This happens after the
-# parent propagation delay, retire safety delay, and DS TTL:
-# 1h + 2h + 2h = 5h = 18000 seconds.
-check_next_key_event 18000
+# parent propagation delay, and DS TTL:
+# 1h + 2h = 3h = 10800 seconds.
+check_next_key_event 10800

 #
 # Zone: step4.csk-algorithm-roll.kasp
@ -5164,17 +5159,17 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

 # Set expected key times:
-# - The old key was activated 38 hours ago (136800 seconds)
-csk_rollover_predecessor_keytimes -136800
-# - And retired 35 hours ago (126000 seconds).
+# - The old keys were activated 36 hours ago (129600 seconds).
+csk_rollover_predecessor_keytimes -129600
+# - And retired 33 hours ago (118800 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -126000
+set_addkeytime "KEY1" "RETIRED" "${created}" -118800
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
-# - The new key was published 38 hours ago.
+# - The new key was published 36 hours ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY2" "ACTIVE" "${created}" -136800
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -129600
+set_addkeytime "KEY2" "ACTIVE" "${created}" -129600
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}

@ -5204,17 +5199,17 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

 # Set expected key times:
-# - The old key was activated 40 hours ago (144000 seconds)
-csk_rollover_predecessor_keytimes -144000
-# - And retired 37 hours ago (133200 seconds).
+# - The old key was activated 38 hours ago (136800 seconds)
+csk_rollover_predecessor_keytimes -136800
+# - And retired 35 hours ago (126000 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -133200
+set_addkeytime "KEY1" "RETIRED" "${created}" -126000
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
-# - The new key was published 40 hours ago.
+# - The new key was published 38 hours ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000
-set_addkeytime "KEY2" "ACTIVE" "${created}" -144000
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800
+set_addkeytime "KEY2" "ACTIVE" "${created}" -136800
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}

@ -5225,12 +5220,12 @@ check_subdomain
 dnssec_verify

 # Next key event is when the RSASHA1 signatures become HIDDEN.  This happens
-# after the max-zone-ttl plus zone propagation delay plus retire safety
-# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
-# been reached (2h): 9h - 2h = 7h = 25200 seconds.  Prevent intermittent
-# false positives on slow platforms by subtracting the number of seconds
-# which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((25200 - time_passed))
+# after the max-zone-ttl plus zone propagation delay (6h + 1h) minus the
+# time already passed since the UNRETENTIVE state has been reached (2h):
+# 7h - 2h = 5h = 18000 seconds.  Prevent intermittent false positives on slow
+# platforms by subtracting the number of seconds which passed between key
+# creation and invoking 'rndc reconfig'.
+next_time=$((18000 - time_passed))
 check_next_key_event $next_time

 #
@ -5248,17 +5243,17 @@ wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

 # Set expected key times:
-# - The old keys were activated 47 hours ago (169200 seconds)
-csk_rollover_predecessor_keytimes -169200
-# - And retired 44 hours ago (158400 seconds).
+# - The old keys were activated 45 hours ago (162000 seconds)
+csk_rollover_predecessor_keytimes -162000
+# - And retired 42 hours ago (151200 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -158400
+set_addkeytime "KEY1" "RETIRED" "${created}" -151200
 retired=$(key_get KEY1 RETIRED)
 set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
 # - The new key was published 47 hours ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200
-set_addkeytime "KEY2" "ACTIVE" "${created}" -169200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -162000
+set_addkeytime "KEY2" "ACTIVE" "${created}" -162000
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}

--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@ -189,13 +189,19 @@ dns_keymgr_settime_syncpublish(dst_key_t *key, dns_kasp_t *kasp, bool first) {
 		isc_stdtime_t zrrsig_present;
 		dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
 		zrrsig_present = published + ttlsig +
-				 dns_kasp_zonepropagationdelay(kasp) +
-				 dns_kasp_publishsafety(kasp);
+				 dns_kasp_zonepropagationdelay(kasp);
 		if (zrrsig_present > syncpublish) {
 			syncpublish = zrrsig_present;
 		}
 	}
 	dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncpublish);
+
+	uint32_t lifetime = 0;
+	ret = dst_key_getnum(key, DST_NUM_LIFETIME, &lifetime);
+	if (ret == ISC_R_SUCCESS && lifetime > 0) {
+		dst_key_settime(key, DST_TIME_SYNCDELETE,
+				(syncpublish + lifetime));
+	}
 }

 /*
@ -243,6 +249,17 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 		pub = now;
 	}

+	/*
+	 * To calculate phase out times ("Retired", "Removed", ...),
+	 * the key lifetime is required.
+	 */
+	uint32_t klifetime = 0;
+	ret = dst_key_getnum(key->key, DST_NUM_LIFETIME, &klifetime);
+	if (ret != ISC_R_SUCCESS) {
+		dst_key_setnum(key->key, DST_NUM_LIFETIME, lifetime);
+		klifetime = lifetime;
+	}
+
 	/*
 	 * Calculate prepublication time.
 	 */
@ -272,13 +289,16 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 				dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp,
 								       true);
 				syncpub2 = pub + ttlsig +
-					   dns_kasp_publishsafety(kasp) +
 					   dns_kasp_zonepropagationdelay(kasp);
 			}

 			syncpub = ISC_MAX(syncpub1, syncpub2);
 			dst_key_settime(key->key, DST_TIME_SYNCPUBLISH,
 					syncpub);
+			if (klifetime > 0) {
+				dst_key_settime(key->key, DST_TIME_SYNCDELETE,
+						(syncpub + klifetime));
+			}
 		}
 	}

@ -291,13 +311,6 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,

 	ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
 	if (ret != ISC_R_SUCCESS) {
-		uint32_t klifetime = 0;
-
-		ret = dst_key_getnum(key->key, DST_NUM_LIFETIME, &klifetime);
-		if (ret != ISC_R_SUCCESS) {
-			dst_key_setnum(key->key, DST_NUM_LIFETIME, lifetime);
-			klifetime = lifetime;
-		}
 		if (klifetime == 0) {
 			/*
 			 * No inactive time and no lifetime,
@ -398,7 +411,7 @@ keymgr_key_update_lifetime(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 	/* Initialize lifetime. */
 	if (r != ISC_R_SUCCESS) {
 		dst_key_setnum(key->key, DST_NUM_LIFETIME, lifetime);
-		return;
+		l = lifetime - 1;
 	}
 	/* Skip keys that are still hidden or already retiring. */
 	if (g != OMNIPRESENT) {
@ -420,6 +433,7 @@ keymgr_key_update_lifetime(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 		} else {
 			dst_key_unsettime(key->key, DST_TIME_INACTIVE);
 			dst_key_unsettime(key->key, DST_TIME_DELETE);
+			dst_key_unsettime(key->key, DST_TIME_SYNCDELETE);
 		}
 	}
 }
@ -1286,6 +1300,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 	isc_result_t ret;
 	isc_stdtime_t lastchange, dstime, nexttime = now;
 	dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
+	uint32_t dsstate;

 	/*
 	 * No need to wait if we move things into an uncertain state.
@ -1355,15 +1370,12 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 			 * records.  This translates to:
 			 *
 			 *     Dsgn + zone-propagation-delay + max-zone-ttl.
-			 *
-			 * We will also add the retire-safety interval.
 			 */
 			nexttime = lastchange + ttlsig +
-				   dns_kasp_zonepropagationdelay(kasp) +
-				   dns_kasp_retiresafety(kasp);
+				   dns_kasp_zonepropagationdelay(kasp);
 			/*
-			 * Only add the sign delay Dsgn if there is an actual
-			 * predecessor or successor key.
+			 * Only add the sign delay Dsgn and retire-safety if
+			 * there is an actual predecessor or successor key.
 			 */
 			uint32_t tag;
 			ret = dst_key_getnum(key->key, DST_NUM_PREDECESSOR,
@ -1373,7 +1385,8 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 						     DST_NUM_SUCCESSOR, &tag);
 			}
 			if (ret == ISC_R_SUCCESS) {
-				nexttime += dns_kasp_signdelay(kasp);
+				nexttime += dns_kasp_signdelay(kasp) +
+					    dns_kasp_retiresafety(kasp);
 			}
 			break;
 		default:
@ -1399,35 +1412,36 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 		 * This translates to:
 		 *
 		 *      parent-propagation-delay + parent-ds-ttl.
-		 *
-		 * We will also add the retire-safety interval.
 		 */
 		case OMNIPRESENT:
-			/* Make sure DS has been seen in the parent. */
-			ret = dst_key_gettime(key->key, DST_TIME_DSPUBLISH,
-					      &dstime);
-			if (ret != ISC_R_SUCCESS || dstime > now) {
-				/* Not yet, try again in an hour. */
-				nexttime = now + 3600;
-			} else {
-				nexttime =
-					dstime + dns_kasp_dsttl(kasp) +
-					dns_kasp_parentpropagationdelay(kasp) +
-					dns_kasp_retiresafety(kasp);
-			}
-			break;
 		case HIDDEN:
-			/* Make sure DS has been withdrawn from the parent. */
-			ret = dst_key_gettime(key->key, DST_TIME_DSDELETE,
-					      &dstime);
+			/* Make sure DS has been seen in/withdrawn from the
+			 * parent. */
+			dsstate = next_state == HIDDEN ? DST_TIME_DSDELETE
+						       : DST_TIME_DSPUBLISH;
+			ret = dst_key_gettime(key->key, dsstate, &dstime);
 			if (ret != ISC_R_SUCCESS || dstime > now) {
 				/* Not yet, try again in an hour. */
 				nexttime = now + 3600;
 			} else {
 				nexttime =
 					dstime + dns_kasp_dsttl(kasp) +
-					dns_kasp_parentpropagationdelay(kasp) +
-					dns_kasp_retiresafety(kasp);
+					dns_kasp_parentpropagationdelay(kasp);
+				/*
+				 * Only add the retire-safety if there is an
+				 * actual predecessor or successor key.
+				 */
+				uint32_t tag;
+				ret = dst_key_getnum(key->key,
+						     DST_NUM_PREDECESSOR, &tag);
+				if (ret != ISC_R_SUCCESS) {
+					ret = dst_key_getnum(key->key,
+							     DST_NUM_SUCCESSOR,
+							     &tag);
+				}
+				if (ret == ISC_R_SUCCESS) {
+					nexttime += dns_kasp_retiresafety(kasp);
+				}
 			}
 			break;
 		default:
@ -1763,7 +1777,9 @@ keymgr_key_rollover(dns_kasp_key_t *kaspkey, dns_dnsseckey_t *active_key,
 		if (prepub == 0 || prepub > now) {
 			/* No need to start rollover now. */
 			if (*nexttime == 0 || prepub < *nexttime) {
-				*nexttime = prepub;
+				if (prepub > 0) {
+					*nexttime = prepub;
+				}
 			}
 			return ISC_R_SUCCESS;
 		}
@ -2022,6 +2038,20 @@ keymgr_purge_keyfile(dst_key_t *key, int type) {
 	}
 }

+static bool
+dst_key_doublematch(dns_dnsseckey_t *key, dns_kasp_t *kasp) {
+	int matches = 0;
+
+	for (dns_kasp_key_t *kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
+	     kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link))
+	{
+		if (dns_kasp_key_match(kkey, key)) {
+			matches++;
+		}
+	}
+	return matches > 1;
+}
+
 /*
 * Examine 'keys' and match 'kasp' policy.
 *
@ -2161,6 +2191,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 					 * matches the kasp policy.
 					 */
 					if (!dst_key_is_unused(dkey->key) &&
+					    !dst_key_doublematch(dkey, kasp) &&
 					    (dst_key_goal(dkey->key) ==
 					     OMNIPRESENT) &&
 					    !keymgr_dep(dkey->key, keyring,