diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index c90f620e86..23964b9818 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -245,7 +245,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 "$DSFROMKEY" -C "$key2.key" > "$key2.cds"
-cat "$infile" "$key1.key" "$key3.key" "$key2.cds" > "$zonefile"
+cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile"
 "$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
 
 zone=cds-update.secure
@@ -269,8 +269,8 @@ infile=cds-auto.secure.db.in
 zonefile=cds-auto.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
-cat "$infile" "$key1.cds" > "$zonefile.signed"
+$SETTIME -P sync now "$key1" > /dev/null
+cat "$infile" > "$zonefile.signed"
 
 zone=cdnskey.secure
 infile=cdnskey.secure.db.in
@@ -288,7 +288,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
-cat "$infile" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile"
+cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile"
 "$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
 
 zone=cdnskey-update.secure
@@ -312,8 +312,8 @@ infile=cdnskey-auto.secure.db.in
 zonefile=cdnskey-auto.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
-cat "$infile" "$key1.cds" > "$zonefile.signed"
+$SETTIME -P sync now "$key1" > /dev/null
+cat "$infile" > "$zonefile.signed"
 
 zone=updatecheck-kskonly.secure
 infile=template.secure.db.in
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index e847b54846..79f211a1ec 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3312,7 +3312,7 @@ echo_i "check that CDS records are not signed using ZSK by dnssec-signzone -x ($
 ret=0
 dig_with_opts +noall +answer @10.53.0.2 cds cds-x.secure > dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 1 || ret=1
+test "$lines" -eq 2 || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
@@ -3464,7 +3464,7 @@ echo_i "check that CDNSKEY records are not signed using ZSK by dnssec-signzone -
 ret=0
 dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-x.secure > dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 1 || ret=1
+test "$lines" -eq 2 || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
diff --git a/bin/tests/system/resolver/ns6/delegation-only.db b/bin/tests/system/resolver/ns6/delegation-only.db
index 29e9adbf7a..c9a7ad1850 100644
--- a/bin/tests/system/resolver/ns6/delegation-only.db
+++ b/bin/tests/system/resolver/ns6/delegation-only.db
@@ -17,7 +17,7 @@ $TTL 120
 ;
 @	IN	A	1.2.3.4
 @	IN	AAAA	c::1.2.3.4
-@	IN	CDS	21366 7 1 E6C1716CFB6BDC84E84CE1AB5510DAC69173B5B2
+@	IN	CDS 	12023 7 2 36FB69A752615831B47EA6EF9EA4619D0FB08ABDA69EA3ED200F4C02FF4921D4
 @	IN	CDNSKEY	256 3 7 AwEAAY9437GPWJHzBeR4FP6eJAie7gh2QSM6LUnbDAHvHOx8MNqgSVRM PZka2rAgivb65/MkT1lXRUegj91iRFP3iggTpCgvdUbcBjsYrdODsrwF YUMIUl1pU0lH9x7KvfFUOfSmG+Rk5UHUWuRZbNyc65Sq69iFXg5c11+8 MAkRoeDF
 ;
 ;	Delegation only test CDS and CDNSKEY records.  These should be rejected