Test keytimes on CSK rollover

This improves keytime testing on CSK rollover. It now tests for specific times, and also tests for SyncPublish and Removed keytimes. Since an "active key" for ZSK and KSK means something different, this makes it tricky to decide when a CSK is active. An "active key" intuitively means the key is signing so we say a CSK is active when it is creating zone signatures. This change means a lot of timings for the CSK rollover tests need to be adjusted. The keymgr code needs a slight change on calculating the prepublication time: For a KSK we need to include the parent registration delay, but for CSK we look at the zone signing property and stick with the ZSK prepublication calculation.
2025-08-28 13:08:06 +00:00 · 2020-05-11 15:12:32 +02:00 · 2020-05-11 15:12:32 +02:00 · e233433772
commit e233433772
parent 649d0833ce
3 changed files with 595 additions and 163 deletions
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@ -694,12 +694,17 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # The zones at csk-roll.autosign represent the various steps of a CSK rollover
 # (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
 #
+#
+# The activation time for zone signing (ZSK) is different than for chain of
+# trust validation (KSK). Therefor, for zone signing we use TactZ and TretZ
+# instead of Tact and Tret.
+#

 # Step 1:
 # Introduce the first key. This will immediately be active.
 setup step1.csk-roll.autosign
 TactN="now"
-csktimes="-P ${TactN} -A ${TactN}"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
 CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
 $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK}.key" > "$infile"
@ -709,17 +714,29 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 2:
 # It is time to introduce the new CSK.
 setup step2.csk-roll.autosign
-# According to RFC 7583: ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
-# According to RFC 7583: KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
-# Also: Ipub = Dprp + TTLkey (+publish-safety)
-# Also: IpubC = DprpC + TTLkey (+publish-safety)
-# Both sums are almost the same, but the KSK case has Dreg in the equation.
-# so:   Tact(N) = Tpub(N+1) - Lcsk + Dreg + IpubC = now - 6mo + 1d + 3h =
-#       now - 4464h + 24h + 3h = now - 4437h
+# According to RFC 7583:
+# KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
+# ZSK: Tpub(N+1) <= TactZ(N) + Lzsk - Ipub
+# IpubC = DprpC + TTLkey (+publish-safety)
+# Ipub  = IpubC
+# Lcsk = Lksk = Lzsk
+#
+# Lcsk:           6mo (186d, 4464h)
+# Dreg:           1d
+# DprpC:          1h
+# TTLkey:         1h
+# publish-safety: 1h
+# Ipub:           3h
+#
+# Tact(N)  = Tnow - Lcsk + Ipub + Dreg = now - 186d + 3h + 1d
+#          = now - 4464h + 3h + 24h = now - 4437h
+# TactZ(N) = Tnow - Lcsk + IpubC = now - 186d + 3h
+#          = now - 4464h + 3h = now - 4461h
 TactN="now-4437h"
-csktimes="-P ${TactN} -A ${TactN}"
+TactZN="now-4461h"
+csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN}"
 CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone 13 "$CSK" >> "$infile"
 $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@ -727,21 +744,56 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 3:
 # It is time to submit the DS and to roll signatures.
 setup step3.csk-roll.autosign
-# According to RFC 7583: Tsbm(N+1) >= Trdy(N+1)
-# Also: Tact(N+1) = Tsbm(N+1) + Dreg
-# so:   Tact(N) = Tsbm(N+1) + Dreg - Lksk = now + 1d - 6mo = now - 185d
-# and:  Tret(N) = Tsbm(N+1) + Dreg = now + 1d
-# and:  Tpub(N+1) <= Tsbm(N+1) - IpubC = now - 3h
-# and:  Tret(N+1) = Tsbm(N+1) + Dreg + Lksk = now + 1d + 6mo = now + 187d
+# According to RFC 7583:
+#
+# Tsbm(N+1) >= Trdy(N+1)
+# KSK: Tact(N+1)  = Tsbm(N+1) + Dreg
+# ZSK: TactZ(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
+# KSK: Iret  = DprpP + TTLds (+retire-safety)
+# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
+#
+# Lcsk:           186d
+# Dprp:           1h
+# DprpP:          1h
+# Dreg:           1d
+# Dsgn:           25d
+# TTLds:          1h
+# TTLsig:         1d
+# retire-safety:  2h
+# Iret:           4h
+# IretZ:          26d3h
+# Ipub:           3h
+#
+# TactZ(N)   = Tnow - Lcsk = now - 186d
+# TretZ(N)   = now
+# Tact(N)    = Tnow + Dreg - Lcsk = now + 1d - 186d = now - 185d
+# Tret(N)    = Tnow + Dreg = now + 1d
+# Trem(N)    = Tnow + IretZ = now + 26d3h = now + 627h
+# Tpub(N+1)  = Tnow - Ipub = now - 3h
+# Tsbm(N+1)  = TretZ(N)
+# TactZ(N+1) = TretZ(N)
+# TretZ(N+1) = Tnow + Lcsk = now + 186d
+# Tact(N+1)  = Tret(N)
+# Tret(N+1)  = Tnow + Dreg + Lcsk = now + 1d + 186d = now + 187d
+# Trem(N+1)  = Tnow + Lcsk + IretZ = now + 186d + 26d3h =
+#            = now + 5091h
+TactZN="now-186d"
+TretZN="now"
 TactN="now-185d"
 TretN="now+1d"
+TremN="now+627h"
 TpubN1="now-3h"
+TsbmN1="now"
+TactZN1="${TsbmN1}"
+TretZN1="now+186d"
+TactN1="${TretN}"
 TretN1="now+187d"
-csktimes="-P ${TactN}  -A ${TactN}  -I ${TretN}"
-newtimes="-P ${TpubN1} -A ${TretN} -I ${TretN1}"
+TremN1="now+5091h"
+csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
 CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
 CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN   -r $O $TactN  -d $O $TactN  -z $O $TactN  "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactZN  -r $O $TactZN -d $O $TactN  -z $O $TactZN "$CSK1" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $R $TpubN1  -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
@ -753,32 +805,51 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si

 # Step 4:
 # Some time later all the ZRRSIG records should be from the new CSK, and the
-# DS should be swapped.  The ZRRSIG records are all replaced after Iret
-# which is Dsgn + Dprp + TTLsig + retire-safety (25d + 1h + 1d + 2h = 26d3h).
-# The DS is swapped after Dreg + DprpP + TTLds + retire-safety
-# (1d + 1h + 1h + 2h = 1d4h).  In other words, the DS is swapped before all
-# zone signatures are replaced.
+# DS should be swapped.  The ZRRSIG records are all replaced after IretZ
+# (which is 26d3h).  The DS is swapped after Dreg + Iret (which is 1d4h).
+# In other words, the DS is swapped before all zone signatures are replaced.
 setup step4.csk-roll.autosign
-# According to RFC 7583: Tdea(N) = Tret(N) + Iret
-# Also: Iret = 1h + 1h + 2h = 4h
-# Also: Tact(N+1) = Tret(N)
-# so:   Tact(N) = Tdea(N) - Lksk - Iret = now - 6mo - 4h = now - 4468h
-# and:  Tret(N) = Tdea(N) - Iret = now - 4h = now - 4h
-# and:  Tpub(N+1) = Tdea(N) - Iret - Dreg - IpubC = now - 4h - 1d - 3h = now - 31h
-# and:  Tsbm(N+1) = Tdea(N) - Iret - Dreg = now - 4h - 1d = now - 28h
-# and:  Tact(N+1) = Tret(N)
-# and:  Tret(N+1) = Tdea(N) + Lksk - Iret = now + 6mo - 4h = now + 4460h
+# According to RFC 7583:
+# Trem(N)    = TretZ(N) + IretZ
+# Tnow       = Tsbm(N+1) + Dreg + Iret
+#
+# Lcsk:   186d
+# Iret:   4h
+# IretZ:  26d3h
+#
+# TactZ(N)   = Tnow - Iret - Dreg - Lcsk = now - 4h - 24h - 4464h
+#            = now - 4492h
+# TretZ(N)   = Tnow - Iret - Dreg = now - 4h - 1d = now - 28h
+# Tact(N)    = Tnow - Iret - Lcsk = now - 4h - 186d = now - 4468h
+# Tret(N)    = Tnow - Iret = now - 4h = now - 4h
+# Trem(N)    = Tnow - Iret - Dreg + IretZ = now - 4h - 1d + 26d3h
+#            = now + 24d23h = now + 599h
+# Tpub(N+1)  = Tnow - Iret - Dreg - IpubC = now - 4h - 1d - 3h = now - 31h
+# Tsbm(N+1)  = TretZ(N)
+# TactZ(N+1) = TretZ(N)
+# TretZ(N+1) = Tnow - Iret - Dreg + Lcsk = now - 4h - 1d + 186d
+#            = now + 4436h
+# Tact(N+1)  = Tret(N)
+# Tret(N+1)  = Tnow - Iret + Lcsk = now + 6mo - 4h = now + 4460h
+# Trem(N+1)  = Tnow - Iret - Dreg + Lcsk + IretZ = now - 4h - 1d + 186d + 26d3h
+#	     = now + 5063h
+TactZN="now-4492h"
+TretZN="now-28h"
 TactN="now-4468h"
 TretN="now-4h"
+TremN="now+599h"
 TpubN1="now-31h"
-TsbmN1="now-28h"
+TsbmN1="${TretZN}"
+TactZN1="${TretZN}"
+TretZN1="now+4436h"
 TactN1="${TretN}"
 TretN1="now+4460h"
-csktimes="-P ${TactN}  -A ${TactN}  -I ${TretN}"
-newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}"
+TremN1="now+5063h"
+csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
 CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
 CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -d $U $TsbmN1 -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $U $TsbmN1 -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
@ -793,19 +864,36 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # At this time these have all become hidden.
 setup step5.csk-roll.autosign
 # Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
+# TactZ(N)   = now - 4492h - 2h = now - 4494h
+# TretZ(N)   = now - 28h - 2h = now - 30h
+# Tact(N)    = now - 4468h - 2h = now - 4470h
+# Tret(N)    = now - 4h - 2h = now - 6h
+# Trem(N)    = now + 599h - 2h = now + 597h
+# Tpub(N+1)  = now - 31h - 2h = now - 33h
+# Tsbm(N+1)  = TretZ(N)
+# TactZ(N+1) = TretZ(N)
+# TretZ(N+1) = now + 4436h - 2h = now + 4434h
+# Tact(N+1)  = Tret(N)
+# Tret(N+1)  = now + 4460h - 2h = now + 4458h
+# Trem(N+1)  = now + 5063h - 2h = now + 5061h
+TactZN="now-4494h"
+TretZN="now-30h"
 TactN="now-4470h"
 TretN="now-6h"
-TdeaN="now-2h"
+TremN="now+597h"
 TpubN1="now-33h"
 TsbmN1="now-30h"
+TactZN1="${TsbmN1}"
+TretZN1="now+4434h"
 TactN1="${TretN}"
 TretN1="now+4458h"
-csktimes="-P ${TactN}  -A ${TactN}  -I ${TretN}"
-newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}"
+TremN1="now+5061h"
+csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
 CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
 CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN  -r $U $TdeaN  -d $H $TdeaN  -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN  -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $H -k $O $TactZN -r $U now-2h  -d $H now-2h -z $U $TactZN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactZN1 "$CSK2" > settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
@ -818,28 +906,47 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # After the retire interval has passed the predecessor DNSKEY can be
 # removed from the zone.
 setup step6.csk-roll.autosign
-# According to RFC 7583: Tdea(N) = Tret(N) + Iret
-# Also: Tret(N) = Tact(N) + Lzsk
-# Also: Iret = Dsgn + Dprp + TTLsig (+retire-safety)
-# so:   Tact(N) = Tdea(N) - Iret - Lzsk = now - 25d1h1d2h - 6mo =
-#       now - 26d3h - 6mo = now - 627h - 4464h = now - 5091h
-# and:  Tret(N) = Tdea(N) - Iret = now - 627h
-# and:  Tpub(N+1) = Tdea(N) - Iret - Ipub = now - 627h - 3h = now - 630h
-# and:  Tact(N+1) = Tdea(N) - Iret = Tret(N)
-# and:  Tret(N+1) = Tdea(N) - Iret + Lzsk = now - 627h + 6mo = now + 3837h
-TactN="now-5091h"
-TretN="now-627h"
-TdeaN="now-623h"
+# According to RFC 7583:
+# Trem(N) = TretZ(N) + IretZ
+# TretZ(N) = TactZ(N) + Lcsk
+#
+# Lcsk:   186d
+# Iret:   4h
+# IretZ:  26d3h
+#
+# TactZ(N)   = Tnow - IretZ - Lcsk = now - 627h - 186d
+#            = now - 627h - 4464h = now - 5091h
+# TretZ(N)   = Tnow - IretZ = now - 627h
+# Tact(N)    = Tnow - IretZ - Lcsk + Dreg = now - 627h - 186d + 1d =
+#              now - 627h - 4464h + 24h = now - 5067h
+# Tret(N)    = Tnow - IretZ + Dreg = now - 627h + 24h
+#            = Tnow - 603h
+# Trem(N)    = Tnow
+# Tpub(N+1)  = Tnow - IretZ - Ipub = now - 627h - 3h = now - 630h
+# Tsbm(N+1)  = TretZ(N)
+# TactZ(N+1) = TretZ(N)
+# TretZ(N+1) = Tnow - IretZ + Lcsk = now - 627h + 186d = now + 3837h
+# Tact(N+1)  = Tret(N)
+# Tret(N+1)  = Tnow - Iret + Lcsk = now - 4h + 186d = now + 4460h
+# Trem(N+1)  = Tnow + Lcsk = now + 186d
+TactZN="now-5091h"
+TretZN="now-627h"
+TactN="now-5067h"
+TretN="now-603h"
+TremN="now"
 TpubN1="now-630h"
-TsbmN1="now-627h"
+TsbmN1="${TretZN}"
+TactZN1="${TretZN}"
+TretZN1="now+3837h"
 TactN1="${TretN}"
-TretN1="now+3837h"
-csktimes="-P ${TactN}  -A ${TactN}  -I ${TretN}"
-newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}"
+TretN1="now+4460h"
+TremN1="now+186d"
+csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
 CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
 CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -P -g $H -k $O $TactN  -r $H $TdeaN  -d $H $TdeaN  -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -P -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN  -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $H -k $O $TactZN -r $H $TremN  -d $H $TremN  -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN  -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
@ -852,19 +959,36 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Some time later the predecessor DNSKEY enters the HIDDEN state.
 setup step7.csk-roll.autosign
 # Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
-TactN="now-5093h"
-TretN="now-629h"
-TdeaN="now-625h"
+# TactZ(N) = now - 5091h - 2h = now - 5093h
+# TretZ(N) = now - 627h - 2h  = now - 629h
+# Tact(N)  = now - 5067h - 2h = now - 5069h
+# Tret(N)  = now - 603h - 2h  = now - 605h
+# Trem(N) = now - 2h
+# Tpub(N+1) = now - 630h - 2h = now - 632h
+# Tsbm(N+1) = now - 627h - 2h = now - 629h
+# TactZ(N+1) = Tsbm(N+1)
+# TretZ(N+1) = now + 3837h - 2h = now + 3835h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 4460h - 2h = now + 4458h
+# Trem(N+1) = now + 186d - 2h = now + 4462h
+TactZN="now-5093h"
+TretZN="now-629h"
+TactN="now-5069h"
+TretN="now-605h"
+TremN="now-2h"
 TpubN1="now-632h"
-TsbmN1="now-629h"
+TsbmN1="${TretZN}"
+TactZN1="${TretZN}"
+TretZN1="now+3835h"
 TactN1="${TretN}"
-TretN1="now+3835h"
-csktimes="-P ${TactN}  -A ${TactN}  -I ${TretN}"
-newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}"
+TretN1="now+4458h"
+TremN1="now+4462h"
+csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
 CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
 CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U now-2h  -r $H $TdeaN  -d $H $TdeaN  -z $H $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN  -z $O $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $H -k $U $TremN  -r $H $TremN  -d $H $TremN  -z $H $TactZN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactZN1 "$CSK2" > settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
@ -879,12 +1003,17 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # This scenario differs from the above one because the zone signatures (ZRRSIG)
 # are replaced with the new key sooner than the DS is swapped.
 #
+#
+# The activation time for zone signing (ZSK) is different than for chain of
+# trust validation (KSK). Therefor, for zone signing we use TactZ and TretZ
+# instead of Tact and Tret.
+#

 # Step 1:
 # Introduce the first key. This will immediately be active.
 setup step1.csk-roll2.autosign
 TactN="now"
-csktimes="-P ${TactN} -A ${TactN}"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
 CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
 $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK}.key" > "$infile"
@ -894,17 +1023,29 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 2:
 # It is time to introduce the new CSK.
 setup step2.csk-roll2.autosign
-# According to RFC 7583: ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
-# According to RFC 7583: KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
-# Also: Ipub = Dprp + TTLkey (+publish-safety)
-# Also: IpubC = DprpC + TTLkey (+publish-safety)
-# Both sums are almost the same, but the KSK case has Dreg in the equation.
-# so:   Tact(N) = Tpub(N+1) - Lcsk + Dreg + IpubC = now - 6mo + 1w + 3h =
-#       now - 4464h + 168h + 3h = now - 4635h
-TactN="now-4635h"
-csktimes="-P ${TactN} -A ${TactN}"
+# According to RFC 7583:
+# KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
+# ZSK: Tpub(N+1) <= TactZ(N) + Lzsk - Ipub
+# IpubC = DprpC + TTLkey (+publish-safety)
+# Ipub  = IpubC
+# Lcsk = Lksk = Lzsk
+#
+# Lcsk:           6mo (186d, 4464h)
+# Dreg:           1w
+# DprpC:          1h
+# TTLkey:         1h
+# publish-safety: 1h
+# Ipub:           3h
+#
+# Tact(N)  = Tnow - Lcsk + Ipub + Dreg = now - 186d + 3h + 1w
+#          = now - 4464h + 3h + 168h = now - 4293h
+# TactZ(N) = Tnow - Lcsk + IpubC = now - 186d + 3h
+#          = now - 4464h + 3h = now - 4461h
+TactN="now-4293h"
+TactZN="now-4461h"
+csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN}"
 CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone 13 "$CSK" >> "$infile"
 $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@ -912,21 +1053,56 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 3:
 # It is time to submit the DS and to roll signatures.
 setup step3.csk-roll2.autosign
-# According to RFC 7583: Tsbm(N+1) >= Trdy(N+1)
-# Also: Tact(N+1) = Tsbm(N+1) + Dreg
-# so:   Tact(N) = Tsbm(N+1) + Dreg - Lksk = now + 1w - 6mo = now - 179d
-# and:  Tret(N) = Tsbm(N+1) + Dreg = now + 1w
-# and:  Tpub(N+1) <= Tsbm(N+1) - IpubC = now - 3h
-# and:  Tret(N+1) = Tsbm(N+1) + Dreg + Lksk = now + 1w + 6mo = now + 193d
+# According to RFC 7583:
+#
+# Tsbm(N+1) >= Trdy(N+1)
+# KSK: Tact(N+1)  = Tsbm(N+1) + Dreg
+# ZSK: TactZ(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
+# KSK: Iret  = DprpP + TTLds (+retire-safety)
+# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
+#
+# Lcsk:           186d
+# Dprp:           1h
+# DprpP:          1h
+# Dreg:           1w
+# Dsgn:           12h
+# TTLds:          1h
+# TTLsig:         1d
+# retire-safety:  1h
+# Iret:           3h
+# IretZ:          38h
+# Ipub:           3h
+#
+# TactZ(N)   = Tnow - Lcsk = now - 186d
+# TretZ(N)   = now
+# Tact(N)    = Tnow + Dreg - Lcsk = now + 1w - 186d = now - 179d
+# Tret(N)    = Tnow + Dreg = now + 7d
+# Trem(N)    = Tnow + Dreg + Iret = now + 1w + 3h = now + 171h
+# Tpub(N+1)  = Tnow - Ipub = now - 3h
+# Tsbm(N+1)  = TretZ(N)
+# TactZ(N+1) = TretZ(N)
+# TretZ(N+1) = Tnow + Lcsk = now + 186d
+# Tact(N+1)  = Tret(N)
+# Tret(N+1)  = Tnow + Lcsk + Dreg = now + 186d + 7d = now + 193d
+# Trem(N+1)  = Tnow + Lcsk + Dreg + Iret = now + 186d + 7d + 3h =
+#            = now + 193d + 3h = now + 4632h + 3h = now + 4635h
+TactZN="now-186d"
+TretZN="now"
 TactN="now-179d"
-TretN="now+1w"
+TretN="now+7d"
+TremN="now+171h"
 TpubN1="now-3h"
+TsbmN1="${TretZN}"
+TactZN1="${TretZN}"
+TretZN1="now+186d"
+TactN1="${TretN}"
 TretN1="now+193d"
-csktimes="-P ${TactN}  -A ${TactN} -I ${TretN}"
-newtimes="-P ${TpubN1} -A ${TretN} -I ${TretN1}"
+TremN1="now+4635h"
+csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
 CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
 CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN   -r $O $TactN  -d $O $TactN  -z $O $TactN  "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactZN  -r $O $TactZN -d $O $TactN  -z $O $TactZN "$CSK1" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $R $TpubN1  -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
@ -938,31 +1114,54 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si

 # Step 4:
 # Some time later all the ZRRSIG records should be from the new CSK, and the
-# DS should be swapped.  The ZRRSIG records are all replaced after Iret
-# which is Dsgn + Dprp + TTLsig + retire-safety (12h + 1h + 1d + 2h = 38h).
-# The DS is swapped after Dreg + DprpP + TTLds + retire-safety
-# (1w + 1h + 1h + 1h = 1w3h).  In other words, the zone signatures are
-# replaced before the DS is swapped.
+# DS should be swapped.  The ZRRSIG records are all replaced after IretZ (38h).
+# The DS is swapped after Dreg + Iret (1w3h). In other words, the zone
+# signatures are replaced before the DS is swapped.
 setup step4.csk-roll2.autosign
-# According to RFC 7583: Tdea(N) = Tret(N) + Iret
-# Also: Tret(N) = Tact(N) + Lzsk
-# Also: Iret = Dsgn + Dprp + TTLsig (+retire-safety)
-# so:   Tact(N) = Tdea(N) - Iret - Lzsk = now - 38h - 6mo = now - 4502h
-# and:  Tret(N) = Tdea(N) - Iret = now - 38h
-# and:  Tpub(N+1) = Tdea(N) - Iret - Ipub = now - 41h
-# and:  Tact(N+1) = Tdea(N) - Iret = Tret(N)
-# and:  Tret(N+1) = Tdea(N) - Iret + Lzsk = now - 38h + 6mo = now + 4426h
-TactN="now-4502h"
-TretN="now-38h"
+# According to RFC 7583:
+# Trem(N)    = Tret(N) + Iret
+# Tnow       = TretZ(N) + IretZ
+#
+# Lcsk:   186d
+# Dreg:   1w
+# Iret:   3h
+# IretZ:  38h
+#
+# TactZ(N)   = Tnow - IretZ = Lcsk = now - 38h - 186d
+#            = now - 38h - 4464h = now - 4502h
+# TretZ(N)   = Tnow - IretZ = now - 38h
+# Tact(N)    = Tnow - IretZ - Lcsk + Dreg = now - 38h - 4464h + 168h
+#            = now - 4334h
+# Tret(N)    = Tnow - IretZ + Dreg = now - 38h + 168h = now + 130h
+# Trem(N)    = Tnow - IretZ + Dreg + Iret = now + 130h + 3h = now + 133h
+# Tpub(N+1)  = Tnow - IretZ - IpubC = now - 38h - 3h = now - 41h
+# Tsbm(N+1)  = TretZ(N)
+# TactZ(N+1) = TretZ(N)
+# TretZ(N+1) = Tnow - IretZ + Lcsk = now - 38h + 186d
+#            = now + 4426h
+# Tact(N+1)  = Tret(N)
+# Tret(N+1)  = Tnow - IretZ + Dreg + Lcsk = now - 38h + 168h + 4464h
+#            = now + 4594h
+# Trem(N+1)  = Tnow - IretZ + Dreg + Lcsk + Iret
+#            = now + 4594h + 3h = now + 4597h
+TactZN="now-4502h"
+TretZN="now-38h"
+TactN="now-4334h"
+TretN="now+130h"
+TremN="now+133h"
 TpubN1="now-41h"
+TsbmN1="${TretZN}"
+TactZN1="${TretZN}"
+TretZN1="now+4426h"
 TactN1="${TretN}"
-TretN1="now+4426"
-csktimes="-P ${TactN}  -A ${TactN}  -I ${TretN}"
-newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}"
+TretN1="now+4594h"
+TremN1="now+4597h"
+csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
 CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
 CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN  -d $U $TretN -z $U $TretN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TretN -r $O $TretN  -d $R $TretN -z $R $TretN "$CSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $U $TsbmN1 -z $U $TretZN  "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TactZN1 "$CSK2" > settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
@ -975,18 +1174,38 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Some time later the DS can be swapped and the old DNSKEY can be removed from
 # the zone.
 setup step5.csk-roll2.autosign
-# Subtract Dreg + Iret (174h).
-TactN="now-4676h"
-TretN="now-212h"
-TpubN1="now-215h"
+# Subtract Dreg + Iret (171h) - IretZ (38h) = 133h.
+#
+# TactZ(N)   = now - 4502h - 133h = now - 4635h
+# TretZ(N)   = now - 38h - 133h = now - 171h
+# Tact(N)    = now - 4334h = 133h = now - 4467h
+# Tret(N)    = now + 130h - 133h = now - 3h
+# Trem(N)    = now + 133h - 133h = now
+# Tpub(N+1)  = now - 41h - 133h = now - 174h
+# Tsbm(N+1)  = TretZ(N)
+# TactZ(N+1) = TretZ(N)
+# TretZ(N+1) = now + 4426h - 133h = now + 4293h
+# Tact(N+1)  = Tret(N)
+# Tret(N+1)  = now + 4594h - 133h = now + 4461h
+# Trem(N+1)  = now + 4597h - 133h = now + 4464h = now + 186d
+TactZN="now-4635h"
+TretZN="now-171h"
+TactN="now-4467h"
+TretN="now-3h"
+TremN="now"
+TpubN1="now-174h"
+TsbmN1="${TretZN}"
+TactZN1="${TretZN}"
+TretZN1="now+4293h"
 TactN1="${TretN}"
-TretN1="now+4252h"
-csktimes="-P ${TactN}  -A ${TactN}  -I ${TretN}"
-newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}"
+TretN1="now+4461h"
+TremN1="now+186d"
+csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
 CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
 CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TretN -z $H $TretN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TretN -r $O $TretN -d $R $TretN -z $O $TretN "$CSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $U $TsbmN1 -z $H now-133h "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $O now-133h "$CSK2" > settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
@ -999,18 +1218,37 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Some time later the predecessor DNSKEY enters the HIDDEN state.
 setup step6.csk-roll2.autosign
 # Subtract DNSKEY TTL plus zone propagation delay (2h).
-TactN="now-4678h"
-TretN="now-214h"
-TdeaN="now-2h"
-TpubN1="now-217h"
+#
+# TactZ(N)   = now - 4635h - 2h = now - 4637h
+# TretZ(N)   = now - 171h - 2h = now - 173h
+# Tact(N)    = now - 4467h - 2h = now - 4469h
+# Tret(N)    = now - 3h - 2h = now - 5h
+# Trem(N)    = now - 2h
+# Tpub(N+1)  = now - 174h - 2h = now - 176h
+# Tsbm(N+1)  = TretZ(N)
+# TactZ(N+1) = TretZ(N)
+# TretZ(N+1) = now + 4293h - 2h = now + 4291h
+# Tact(N+1)  = Tret(N)
+# Tret(N+1)  = now + 4461h - 2h = now + 4459h
+# Trem(N+1)  = now + 4464h - 2h = now + 4462h
+TactZN="now-4637h"
+TretZN="now-173h"
+TactN="now-4469h"
+TretN="now-5h"
+TremN="now-2h"
+TpubN1="now-176h"
+TsbmN1="${TretZN}"
+TactZN1="${TretZN}"
+TretZN1="now+4291h"
 TactN1="${TretN}"
-TretN1="now+4250h"
-csktimes="-P ${TactN}  -A ${TactN}  -I ${TretN}"
-newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}"
+TretN1="now+4459h"
+TremN1="now+4462h"
+csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
 CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
 CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -P $TactN  -A $TactN  -I $TretN  -g $H -k $U $TdeaN -r $U $TdeaN -d $H $TretN -z $H $TretN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $O $TretN -z $O $TretN "$CSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $H -k $U $TremN  -r $U $TremN  -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@ -2670,7 +2670,7 @@ check_next_key_event 1627200
 #

 # Policy parameters.
-# Lksk:      60 days (5184000 seconds)
+# Lksk:      60 days (16070400 seconds)
 # Lzsk:      1 year (31536000 seconds)
 # Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2d)
 # Iret(KSK): 50h (180000 seconds)
@ -2898,6 +2898,28 @@ check_next_key_event 4813200
 # Testing CSK key rollover (1).
 #

+# Policy parameters.
+# Lcsk:      186 days (5184000 seconds)
+# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2h)
+# Iret(KSK): 4h (14400 seconds)
+# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (25d) + retire-safety (2h)
+# Iret(ZSK): 26d3h (2257200 seconds)
+Lcsk=16070400
+IretKSK=14400
+IretZSK=2257200
+IretCSK=$IretZSK
+
+csk_rollover_predecessor_keytimes() {
+	_addksktime=$1
+	_addzsktime=$2
+
+	_created=$(key_get KEY1 CREATED)
+	set_addkeytime      "KEY1" "PUBLISHED"   "${_created}" "${_addksktime}"
+	set_addkeytime      "KEY1" "SYNCPUBLISH" "${_created}" "${_addzsktime}"
+	set_addkeytime      "KEY1" "ACTIVE"      "${_created}" "${_addzsktime}"
+	set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}"
+}
+
 #
 # Zone: step1.csk-roll.autosign.
 #
@ -2907,14 +2929,10 @@ set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear        "KEY1"
 set_keyrole      "KEY1" "csk"
-set_keylifetime  "KEY1" "16070400"
+set_keylifetime  "KEY1" "${Lcsk}"
 set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
 set_keysigning   "KEY1" "yes"
 set_zonesigning  "KEY1" "yes"
-# Key timings.
-set_keytime  "KEY1" "PUBLISHED" "yes"
-set_keytime  "KEY1" "ACTIVE"    "yes"
-set_keytime  "KEY1" "RETIRED"   "yes"
 # The CSK (KEY1) starts in OMNIPRESENT.
 set_keystate "KEY1" "GOAL"         "omnipresent"
 set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
@ -2927,16 +2945,20 @@ key_clear "KEY3"
 key_clear "KEY4"

 check_keys
+
+# This key is immediately published and activated.
+csk_rollover_predecessor_keytimes 0 0
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify

-# Next key event is when the successor CSK needs to be published.  That is
-# the CSK lifetime - prepublication time - DS registration delay.  The
-# prepublication time is DNSKEY TTL plus publish safety plus the zone
-# propagation delay.  For the csk-roll policy that means:
-# 6mo - 1d - 3h = 15973200 seconds.
-check_next_key_event 15973200
+# Next key event is when the successor CSK needs to be published.
+# This is Lcsk - Ipub - Dreg.
+# Lcsk: 186d (16070400 seconds)
+# Ipub: 3h   (10800 seconds)
+check_next_key_event 16059600

 #
 # Zone: step2.csk-roll.autosign.
@ -2951,10 +2973,6 @@ set_keylifetime  "KEY2" "16070400"
 set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
 set_keysigning   "KEY2" "yes"
 set_zonesigning  "KEY2" "no"
-# Key timings.
-set_keytime  "KEY2" "PUBLISHED" "yes"
-set_keytime  "KEY2" "ACTIVE"    "yes"
-set_keytime  "KEY2" "RETIRED"   "yes"
 # Key states.
 set_keystate "KEY2" "GOAL"         "omnipresent"
 set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
@ -2963,6 +2981,21 @@ set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
 set_keystate "KEY2" "STATE_DS"     "hidden"

 check_keys
+
+# This key was activated 4437 hours ago (15973200 seconds)
+# and started signing 4461 hours ago (16059600 seconds).
+csk_rollover_predecessor_keytimes -15973200 -16059600
+# The new CSK is published now.
+created=$(key_get KEY2 CREATED)
+set_keytime    "KEY2" "PUBLISHED"   "${created}"
+# The new CSK should publish the CDS after the prepublication time.
+# Ipub: 3 hour (10800 seconds)
+Ipub="10800"
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE"      "${created}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@ -2993,6 +3026,19 @@ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
 set_keystate "KEY2" "STATE_DS"     "rumoured"

 check_keys
+
+# This key was activated 185 days ago (15984000 seconds)
+# and started signing 186 days ago (16070400 seconds).
+csk_rollover_predecessor_keytimes -15984000 -16070400
+# The new CSK is published three hours ago, CDS must be published now.
+# Also signatures are being introduced now.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED"   "${created}" "-${Ipub}"
+set_keytime    "KEY2" "SYNCPUBLISH" "${created}"
+set_keytime    "KEY2" "ACTIVE"      "${created}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 # Subdomain still has good signatures of old CSK (KEY1).
 # Set expected zone signing on for KEY1 and off for KEY2,
@ -3020,7 +3066,7 @@ set_zone "step4.csk-roll.autosign"
 set_policy "csk-roll" "2" "3600"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) is no longer signing the DNSKEY RRset.
-set_keysigning   "KEY1" "no"
+set_keysigning "KEY1" "no"
 # The old CSK (KEY1) DS is hidden.  We still need to keep the DNSKEY public
 # but can remove the KRRSIG records.
 set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
@ -3029,6 +3075,19 @@ set_keystate "KEY1" "STATE_DS"     "hidden"
 set_keystate "KEY2" "STATE_DS"     "omnipresent"

 check_keys
+
+# This key was activated 4468 hours ago (16084800 seconds)
+# and started signing 4492 hours ago (16171200 seconds).
+csk_rollover_predecessor_keytimes -16084800 -16171200
+# The new CSK started signing 1d4h ago (100800 seconds).
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "ACTIVE"      "${created}" -100800
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -100800
+syncpub=$(key_get KEY2 SYNCPUBLISH)
+set_addkeytime "KEY2" "PUBLISHED"   "${syncpub}" "-${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@ -3048,6 +3107,19 @@ set_server "ns3" "10.53.0.3"
 set_keystate "KEY1" "STATE_KRRSIG" "hidden"

 check_keys
+
+# This key was activated 4470 hours ago (16092000 seconds)
+# and started signing 4494 hours ago (16178400 seconds).
+csk_rollover_predecessor_keytimes -16092000 -16178400
+# The new CSK started signing 1d6h ago (108000 seconds).
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "ACTIVE"      "${created}" -108000
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -108000
+syncpub=$(key_get KEY2 SYNCPUBLISH)
+set_addkeytime "KEY2" "PUBLISHED"   "${syncpub}" "-${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@ -3073,6 +3145,19 @@ set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"

 check_keys
+
+# This key was activated 5067 hours ago (18241200 seconds)
+# and started signing 5091 hours ago (18327600 seconds).
+csk_rollover_predecessor_keytimes -18241200 -18327600
+# The new CSK is activated 627 hours ago (2257200 seconds).
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "ACTIVE"      "${created}" -2257200
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2257200
+syncpub=$(key_get KEY2 SYNCPUBLISH)
+set_addkeytime "KEY2" "PUBLISHED"   "${syncpub}" "-${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@ -3092,20 +3177,48 @@ set_server "ns3" "10.53.0.3"
 set_keystate "KEY1" "STATE_DNSKEY" "hidden"

 check_keys
+
+# This key was activated 5069 hours ago (18248400 seconds)
+# and started signing 5093 hours ago (18334800 seconds).
+csk_rollover_predecessor_keytimes -18248400 -18334800
+# The new CSK is activated 629 hours ago (2264400 seconds).
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "ACTIVE"      "${created}" -2264400
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2264400
+syncpub=$(key_get KEY2 SYNCPUBLISH)
+set_addkeytime "KEY2" "PUBLISHED"   "${syncpub}" "-${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify

-# Next key event is when the new successor needs to be published.  This is the
-# CSK lifetime minus Ipub minus Dreg minus Iret minus DNSKEY TTL minus zone
-# propagation delay.  For the csk-roll this is:
-# 6mo - 3h - 1d - 26d3h - 1h - 1h = 6mo - 27d8h = 13708800 seconds.
-check_next_key_event 13708800
+# Next key event is when the new successor needs to be published.
+# This is the Lcsk, minus time passed since the key started signing,
+# minus the prepublication time.
+# Lcsk:        186d (16070400 seconds)
+# Time passed: 629h (2264400 seconds)
+# Ipub:        3h   (10800 seconds)
+check_next_key_event 13795200

 #
 # Testing CSK key rollover (2).
 #

+# Policy parameters.
+# Lcsk:      186 days (16070400 seconds)
+# Dreg:    : 1w (604800 seconds)
+# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (1h)
+# Iret(KSK): 3h (10800 seconds)
+# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (12h) + retire-safety (1h)
+# Iret(ZSK): 38h (136800 seconds)
+Lcsk=16070400
+Dreg=604800
+IretKSK=10800
+IretZSK=136800
+IretCSK=$((Dreg+IretKSK))
+
 #
 # Zone: step1.csk-roll2.autosign.
 #
@ -3135,16 +3248,20 @@ key_clear "KEY3"
 key_clear "KEY4"

 check_keys
+
+# This key is immediately published and activated.
+csk_rollover_predecessor_keytimes 0 0
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify

-# Next key event is when the successor CSK needs to be published.  That is
-# the CSK lifetime - prepublication time - DS registration delay.  The
-# prepublication time is DNSKEY TTL plus publish safety plus the zone
-# propagation delay.  For the csk-roll2 policy that means:
-# 6mo - 3h - 1w = 15454800 seconds.
-check_next_key_event 15454800
+# Next key event is when the successor CSK needs to be published.
+# This is Lcsk - Ipub - Dreg.
+# Lcsk: 186d (16070400 seconds)
+# Ipub: 3h   (10800 seconds)
+check_next_key_event 16059600

 #
 # Zone: step2.csk-roll2.autosign.
@ -3171,6 +3288,20 @@ set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
 set_keystate "KEY2" "STATE_DS"     "hidden"

 check_keys
+
+# This key was activated 4293 hours ago (15454800 seconds)
+# and started signing 4461 hours ago (16059600 seconds).
+csk_rollover_predecessor_keytimes -15454800 -16059600
+# The new CSK is published now.
+created=$(key_get KEY2 CREATED)
+set_keytime    "KEY2" "PUBLISHED"   "${created}"
+# The new CSK should publish the CDS after the prepublication time.
+# Ipub: 3 hour (10800 seconds)
+Ipub="10800"
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE"      "${created}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
 check_apex
 check_subdomain
 dnssec_verify
@ -3200,6 +3331,19 @@ set_keystate     "KEY2" "STATE_ZRRSIG" "rumoured"
 set_keystate     "KEY2" "STATE_DS"     "rumoured"

 check_keys
+
+# This key was activated 179 days ago (15465600 seconds)
+# and started signing 186 days ago (16070400 seconds).
+csk_rollover_predecessor_keytimes -15465600 -16070400
+# The new CSK is published three hours ago, CDS must be published now.
+# Also signatures are being introduced now.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED"   "${created}" "-${Ipub}"
+set_keytime    "KEY2" "SYNCPUBLISH" "${created}"
+set_keytime    "KEY2" "ACTIVE"      "${created}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 # Subdomain still has good signatures of old CSK (KEY1).
 # Set expected zone signing on for KEY1 and off for KEY2,
@ -3233,6 +3377,19 @@ set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"

 check_keys
+
+# This key was activated 4334 hours ago (15602400 seconds)
+# and started signing 4502 hours ago (16207200 seconds).
+csk_rollover_predecessor_keytimes -15602400 -16207200
+# The new CSK was published 41 hours (147600 seconds) ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED"   "${created}"   -147600
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE"      "${published}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@ -3261,6 +3418,19 @@ set_keystate     "KEY1" "STATE_DS"     "hidden"
 set_keystate     "KEY2" "STATE_DS"     "omnipresent"

 check_keys
+
+# This key was activated 4467 hours ago (16081200 seconds)
+# and started signing 4635 hours ago (16686000 seconds).
+csk_rollover_predecessor_keytimes -16081200 -16686000
+# The new CSK was published 174 hours (626400 seconds) ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED"   "${created}"   -626400
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE"      "${published}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@ -3281,12 +3451,28 @@ set_keystate "KEY1" "STATE_DNSKEY" "hidden"
 set_keystate "KEY1" "STATE_KRRSIG" "hidden"

 check_keys
+
+# This key was activated 4469 hours ago (16088400 seconds)
+# and started signing 4637 hours ago (16693200 seconds).
+csk_rollover_predecessor_keytimes -16088400 -16693200
+# The new CSK was published 176 hours (633600 seconds) ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED"   "${created}"   -633600
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE"      "${published}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify

 # Next key event is when the new successor needs to be published.
-check_next_key_event 14684400
+# This is the Lcsk, minus time passed since the key was published.
+# Lcsk:        186d (16070400 seconds)
+# Time passed: 176h (633600 seconds)
+check_next_key_event 15436800

 #
 # Testing algorithm rollover.
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@ -121,6 +121,10 @@ keymgr_settime_remove(dns_dnsseckey_t *key, dns_kasp_t *kasp) {
 			     dns_kasp_parentpropagationdelay(kasp) +
 			     dns_kasp_retiresafety(kasp);
 	}
+	if (zsk && ksk) {
+		ksk_remove += dns_kasp_parentregistrationdelay(kasp);
+	}
+
 	remove = ksk_remove > zsk_remove ? ksk_remove : zsk_remove;
 	dst_key_settime(key->key, DST_TIME_DELETE, remove);
 }
@ -183,7 +187,7 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 			   uint32_t lifetime, isc_stdtime_t now) {
 	isc_result_t ret;
 	isc_stdtime_t active, retire, pub, prepub;
-	bool ksk = false;
+	bool zsk = false, ksk = false;

 	REQUIRE(key != NULL);
 	REQUIRE(key->key != NULL);
@ -244,7 +248,10 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 			dst_key_settime(key->key, DST_TIME_SYNCPUBLISH,
 					syncpub);
 		}
+	}

+	(void)dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk);
+	if (!zsk && ksk) {
 		/*
 		 * Include registration delay in prepublication time.
 		 */
@ -1697,6 +1704,8 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 				       dst_key_id(newkey->key));
 			(void)dst_key_gettime(active_key->key,
 					      DST_TIME_INACTIVE, &retire);
+			active = retire;
+
 			/*
 			 * If prepublication time and/or retire time are
 			 * in the past (before the new key was created), use
@ -1704,16 +1713,15 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 			 * effectively immediately making the key active.
 			 */
 			if (prepub < created) {
-				retire += (created - prepub);
+				active += (created - prepub);
 				prepub = created;
 			}
-			if (retire < created) {
-				retire = created;
+			if (active < created) {
+				active = created;
 			}
 			dst_key_settime(newkey->key, DST_TIME_PUBLISH, prepub);
-			dst_key_settime(newkey->key, DST_TIME_ACTIVATE, retire);
+			dst_key_settime(newkey->key, DST_TIME_ACTIVATE, active);
 			keymgr_settime_syncpublish(newkey, kasp, false);
-			active = retire;
 		}

 		/* This key wants to be present. */