diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 7429b869df..d8497a40fd 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -400,120 +400,6 @@ set_keytimes_algorithm_policy() {
 set_addkeytime "KEY3" "REMOVED" "${retired}" 867900
 }
-#
-# Zone: keystore.kasp.
-#
-set_zone "keystore.kasp"
-set_policy "keystore" "2" "303"
-set_server "ns3" "10.53.0.3"
-# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "0"
-set_keydir "KEY1" "ns3/ksk"
-set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
-
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "0"
-set_keydir "KEY2" "ns3/zsk"
-set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
-
-# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
-# ZSK: DNSKEY, RRSIG (zsk) published.
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
-
-set_keystate "KEY2" "GOAL" "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-# Two keys only.
-key_clear "KEY3"
-key_clear "KEY4"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# Reuse set_keytimes_csk_policy to set the KEY1 keytimes.
-set_keytimes_csk_policy
-created=$(key_get KEY2 CREATED)
-set_keytime "KEY2" "PUBLISHED" "${created}"
-set_keytime "KEY2" "ACTIVE" "${created}"
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Key properties for tests below.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "315360000"
-set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
-
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "157680000"
-set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
-
-key_clear "KEY3"
-set_keyrole "KEY3" "zsk"
-set_keylifetime "KEY3" "31536000"
-set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
-set_keysigning "KEY3" "no"
-set_zonesigning "KEY3" "yes"
-# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
-# ZSK: DNSKEY, RRSIG (zsk) published.
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
-
-set_keystate "KEY2" "GOAL" "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-
-set_keystate "KEY3" "GOAL" "omnipresent"
-set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
-# Three keys only.
-key_clear "KEY4"
-
-#
-# Zone: rumoured.kasp.
-#
-# There are three keys in rumoured state.
-set_zone "rumoured.kasp"
-set_policy "rsasha256" "3" "1234"
-set_server "ns3" "10.53.0.3"
-# Key properties, timings and states same as above.
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_algorithm_policy
-# Activation date is a day later.
-set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400
-set_addkeytime "KEY1" "RETIRED" $(key_get KEY1 RETIRED) 86400
-set_addkeytime "KEY1" "REMOVED" $(key_get KEY1 REMOVED) 86400
-set_addkeytime "KEY2" "ACTIVE" $(key_get KEY2 ACTIVE) 86400
-set_addkeytime "KEY2" "RETIRED" $(key_get KEY2 RETIRED) 86400
-set_addkeytime "KEY2" "REMOVED" $(key_get KEY2 REMOVED) 86400
-set_addkeytime "KEY3" "ACTIVE" $(key_get KEY3 ACTIVE) 86400
-set_addkeytime "KEY3" "RETIRED" $(key_get KEY3 RETIRED) 86400
-set_addkeytime "KEY3" "REMOVED" $(key_get KEY3 REMOVED) 86400
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
 # TODO: we might want to test:
 # - configuring a zone with too many active keys (should trigger retire).
 # - configuring a zone with keys not matching the policy.
diff --git a/bin/tests/system/kasp/tests_kasp.py b/bin/tests/system/kasp/tests_kasp.py
index eba8e73277..05f4e4254b 100644
--- a/bin/tests/system/kasp/tests_kasp.py
+++ b/bin/tests/system/kasp/tests_kasp.py
@@ -310,11 +310,18 @@ def test_kasp_cases(servers):
 ttl=ttl, keys=test["key-properties"]
 )
 # Key files.
- keys = isctest.kasp.keydir_to_keylist(
- zone, test["config"]["key-directory"], in_use=pregenerated
- )
- ksks = [k for k in keys if k.is_ksk()]
- zsks = [k for k in keys if not k.is_ksk()]
+ if "key-directories" in test:
+ kdir = test["key-directories"][0]
+ ksks = isctest.kasp.keydir_to_keylist(zone, kdir, in_use=pregenerated)
+ kdir = test["key-directories"][1]
+ zsks = isctest.kasp.keydir_to_keylist(zone, kdir, in_use=pregenerated)
+ keys = ksks + zsks
+ else:
+ keys = isctest.kasp.keydir_to_keylist(
+ zone, test["config"]["key-directory"], in_use=pregenerated
+ )
+ ksks = [k for k in keys if k.is_ksk()]
+ zsks = [k for k in keys if not k.is_ksk()]
 isctest.kasp.check_zone_is_signed(server, zone)
 isctest.kasp.check_keys(zone, keys, expected)
@@ -326,7 +333,8 @@ def test_kasp_cases(servers):
 test["config"], offset=offset, pregenerated=pregenerated
 )
- isctest.kasp.check_keytimes(keys, expected)
+ if "rumoured" not in test:
+ isctest.kasp.check_keytimes(keys, expected)
 check_all(server, zone, policy, ksks, zsks, zsk_missing=zsk_missing)
@@ -458,6 +466,27 @@ def test_kasp_cases(servers):
 "config": kasp_config,
 "key-properties": fips_properties(8),
 },
+ {
+ "zone": "keystore.kasp",
+ "policy": "keystore",
+ "config": {
+ "dnskey-ttl": timedelta(seconds=303),
+ "ds-ttl": timedelta(days=1),
+ "key-directory": keydir,
+ "max-zone-ttl": timedelta(days=1),
+ "parent-propagation-delay": timedelta(hours=1),
+ "publish-safety": timedelta(hours=1),
+ "retire-safety": timedelta(hours=1),
+ "signatures-refresh": timedelta(days=5),
+ "signatures-validity": timedelta(days=14),
+ "zone-propagation-delay": timedelta(minutes=5),
+ },
+ "key-directories": [f"{keydir}/ksk", f"{keydir}/zsk"],
+ "key-properties": [
+ f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
+ f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
+ ],
+ },
 {
 "zone": "legacy-keys.kasp",
 "policy": "migrate-to-dnssec-policy",
@@ -493,6 +522,13 @@ def test_kasp_cases(servers):
 "config": kasp_config,
 "key-properties": fips_properties(10),
 },
+ {
+ "zone": "rumoured.kasp",
+ "policy": "rsasha256",
+ "config": kasp_config,
+ "rumoured": True,
+ "key-properties": fips_properties(8),
+ },
 {
 "zone": "secondary.kasp",
 "policy": "rsasha256",
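Review bot: `if "rumoured" not in test:` in the `@@ -326` hunk drops the key-time assertions for `rumoured.kasp` entirely, whereas the shell version removed by this same commit ran `set_keytimes_algorithm_policy` and then advanced each key's ACTIVE/RETIRED/REMOVED by 86400 before `check_keytimes`, so the one-day activation offset of that zone's pre-generated keys is no longer verified. Since `offset=offset` is already passed where `expected` is built, the case could carry its own offset (e.g. `"offset": timedelta(days=1)`, if that is where `offset` is sourced from — not visible in this hunk) instead of the bare `"rumoured": True` switch; if skipping is intentional, a comment such as `# rumoured.kasp: pregenerated keys activate a day later; keytimes not modelled yet` should say why. In the `@@ -310` hunk, `test["key-directories"][0]` and `[1]` are silently taken as the KSK and ZSK directories and the resulting lists are no longer filtered by `is_ksk()` as the `else` branch does, so a swapped or mixed directory would mislabel keys without failing; either keep the `is_ksk()` filter on each list or make the mapping explicit, e.g. `"key-directories": {"ksk": f"{keydir}/ksk", "zsk": f"{keydir}/zsk"}`. `test_kasp_cases` begins and ends outside these hunks.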