Make cds-digest-type plural

Allow for configuring multiple CDS records with different digest types (currently only SHA-256 and SHA-384 are allowed).
2026-04-29 18:09:11 -04:00 · 2023-02-10 15:18:36 +01:00 · 2023-02-10 15:18:36 +01:00 · c0b606885e
commit c0b606885e
parent 06e64821f5
24 changed files with 422 additions and 282 deletions
--- a/bin/named/config.c
+++ b/bin/named/config.c
@ -294,7 +294,7 @@ dnssec-policy \"default\" {\n\
 		csk key-directory lifetime unlimited algorithm 13;\n\
 	};\n\
 \n\
-	cds-digest-type 2;\n\
+	cds-digest-types { 2; };\n\
 	dnskey-ttl " DNS_KASP_KEY_TTL ";\n\
 	publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
 	retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@ -1198,7 +1198,13 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	if (ztype != dns_zone_stub && ztype != dns_zone_staticstub &&
 	    ztype != dns_zone_redirect)
 	{
+		/* Make a reference to the default policy. */
+		result = dns_kasplist_find(kasplist, "default", &kasp);
+		INSIST(result == ISC_R_SUCCESS && kasp != NULL);
+		dns_zone_setdefaultkasp(zone, kasp);
+
 		obj = NULL;
+		kasp = NULL;
 		result = named_config_get(maps, "dnssec-policy", &obj);
 		if (result == ISC_R_SUCCESS) {
 			kaspname = cfg_obj_asstring(obj);
--- a/bin/tests/system/checkconf/bad-kasp-digest-type.conf
+++ b/bin/tests/system/checkconf/bad-kasp-digest-type.conf
@ -12,7 +12,7 @@
 */

 dnssec-policy "bad-digesttype" {
-	cds-digest-type foobar;
+	cds-digest-types { foobar; 2; };
 };

 zone "example.net" {
--- a/bin/tests/system/checkconf/bad-kasp-digest-unsupported.conf
+++ b/bin/tests/system/checkconf/bad-kasp-digest-unsupported.conf
@ -12,7 +12,7 @@
 */

 dnssec-policy "bad-digesttype" {
-	cds-digest-type GOST;
+	cds-digest-types { GOST; 2; };
 };

 zone "example.net" {
--- a/bin/tests/system/checkconf/good-kasp.conf
+++ b/bin/tests/system/checkconf/good-kasp.conf
@ -17,7 +17,9 @@

 /* cut here */
 dnssec-policy "test" {
-	cds-digest-type "sha-256";
+	cds-digest-types {
+		"sha-256";
+	};
 	dnskey-ttl 3600;
 	keys {
 		ksk key-directory lifetime P1Y algorithm ecdsa256;
--- a/bin/tests/system/checkconf/good.conf.in
+++ b/bin/tests/system/checkconf/good.conf.in
@ -17,7 +17,9 @@

 /* cut here */
 dnssec-policy "test" {
-	cds-digest-type "sha-256";
+	cds-digest-types {
+		"sha-256";
+	};
 	dnskey-ttl 3600;
 	keys {
 		ksk key-directory lifetime P1Y algorithm 13 256;
--- a/bin/tests/system/kasp.sh
+++ b/bin/tests/system/kasp.sh
@ -209,14 +209,14 @@ set_dynamic() {
 	DYNAMIC="yes"
 }

-# Set policy settings (name $1, number of keys $2, dnskey ttl $3),
-# and digest type ($4) for testing keys.
+# Set policy settings (name $1, number of keys $2, dnskey ttl $3).
 set_policy() {
 	POLICY=$1
 	NUM_KEYS=$2
 	DNSKEY_TTL=$3
-	DIGEST_TYPE=$4
 	CDS_DELETE="no"
+	CDS_SHA256="yes"
+	CDS_SHA384="no"
 }
 # By default policies are considered to be secure.
 # If a zone sets its policy to "insecure", call 'set_cdsdelete' to tell the
@ -941,18 +941,18 @@ check_signatures() {
 	retry_quiet 3 _check_signatures $1 $2 $3 || _log_error "RRset $1 in zone $ZONE incorrectly signed"
 }

-response_has_cds_for_key() (
+response_has_cds_for_key() {
 	awk -v zone="${ZONE%%.}." \
 	    -v ttl="${DNSKEY_TTL}" \
 	    -v qtype="CDS" \
-	    -v keyid="$(key_get "${1}" ID)" \
-	    -v keyalg="$(key_get "${1}" ALG_NUM)" \
-	    -v hashalg="${DIGEST_TYPE}" \
+	    -v keyid="$(key_get "${2}" ID)" \
+	    -v keyalg="$(key_get "${2}" ALG_NUM)" \
+	    -v hashalg="$1" \
 	    'BEGIN { ret=1; }
 	     $1 == zone && $2 == ttl && $4 == qtype && $5 == keyid && $6 == keyalg && $7 == hashalg { ret=0; exit; }
 	     END { exit ret; }' \
-	    "$2"
-)
+	    "$3"
+}

 response_has_cdnskey_for_key() (

@ -967,6 +967,25 @@ response_has_cdnskey_for_key() (
 	    "$2"
 )

+check_cds_digests() {
+	if [ "$CDS_SHA256" = "yes" ]; then
+		response_has_cds_for_key 2 $1 $2 || _log_error "missing CDS 2 record in response for key $(key_get $1 ID)"
+	else
+		response_has_cds_for_key 2 $1 $2 && _log_error "unexpected CDS 2 record in response for key $(key_get $1 ID)"
+	fi
+
+	if [ "$CDS_SHA384" = "yes" ]; then
+		response_has_cds_for_key 4 $1 $2 || _log_error "missing CDS 4 record in response for key $(key_get $1 ID)"
+	else
+		response_has_cds_for_key 4 $1 $2 && _log_error "unexpected CDS 4 record in response for key $(key_get $1 ID)"
+	fi
+}
+
+check_cds_digests_invert() {
+	response_has_cds_for_key 2 $1 $2 && _log_error "unexpected CDS 2 record in response for key $(key_get $1 ID)"
+	response_has_cds_for_key 4 $1 $2 && _log_error "unexpected CDS 4 record in response for key $(key_get $1 ID)"
+}
+
 # Test CDS and CDNSKEY publication.
 check_cds() {

@ -992,11 +1011,11 @@ check_cds() {
 	fi

 	if [ "$(key_get KEY1 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DS)" = "omnipresent" ]; then
-		response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY1 ID)"
+		check_cds_digests KEY1 "dig.out.$DIR.test$n.cds"
 		response_has_cdnskey_for_key KEY1 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY1 ID)"
 		_checksig=1
 	elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
-		response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY1 ID)"
+		check_cds_digests_invert KEY1 "dig.out.$DIR.test$n.cds"
 		# KEY1 should not have an associated CDNSKEY, but there may be
 		# one for another key.  Since the CDNSKEY has no field for key
 		# id, it is hard to check what key the CDNSKEY may belong to
@ -1004,11 +1023,11 @@ check_cds() {
 	fi

 	if [ "$(key_get KEY2 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DS)" = "omnipresent" ]; then
-		response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY2 ID)"
+		check_cds_digests KEY2 "dig.out.$DIR.test$n.cds"
 		response_has_cdnskey_for_key KEY2 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY2 ID)"
 		_checksig=1
 	elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
-		response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY2 ID)"
+		check_cds_digests_invert KEY2 "dig.out.$DIR.test$n.cds"
 		# KEY2 should not have an associated CDNSKEY, but there may be
 		# one for another key.  Since the CDNSKEY has no field for key
 		# id, it is hard to check what key the CDNSKEY may belong to
@ -1016,11 +1035,11 @@ check_cds() {
 	fi

 	if [ "$(key_get KEY3 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DS)" = "omnipresent" ]; then
-		response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY3 ID)"
+		check_cds_digests KEY3 "dig.out.$DIR.test$n.cds"
 		response_has_cdnskey_for_key KEY3 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY3 ID)"
 		_checksig=1
 	elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
-		response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY3 ID)"
+		check_cds_digests_invert KEY3 "dig.out.$DIR.test$n.cds"
 		# KEY3 should not have an associated CDNSKEY, but there may be
 		# one for another key.  Since the CDNSKEY has no field for key
 		# id, it is hard to check what key the CDNSKEY may belong to
@ -1028,11 +1047,11 @@ check_cds() {
 	fi

 	if [ "$(key_get KEY4 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DS)" = "omnipresent" ]; then
-		response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY4 ID)"
+		check_cds_digests KEY4 "dig.out.$DIR.test$n.cds"
 		response_has_cdnskey_for_key KEY4 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY4 ID)"
 		_checksig=1
 	elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
-		response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY4 ID)"
+		check_cds_digests_invert KEY4 "dig.out.$DIR.test$n.cds"
 		# KEY4 should not have an associated CDNSKEY, but there may be
 		# one for another key.  Since the CDNSKEY has no field for key
 		# id, it is hard to check what key the CDNSKEY may belong to
@ -1174,7 +1193,12 @@ check_cdslog() {
 	echo_i "check CDS/CDNSKEY publication is logged in ${_dir}/named.run for key ${_zone}/${_alg}/${_id} ($n)"
 	ret=0

-	grep "CDS for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+	if [ "$CDS_SHA256" = "yes" ]; then
+		grep "CDS (SHA-256) for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+	fi
+	if [ "$CDS_SHA384" = "yes" ]; then
+		grep "CDS (SHA-384) for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+	fi
 	grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1

 	test "$ret" -eq 0 || echo_i "failed"
--- a/bin/tests/system/kasp/ns3/policies/autosign.conf.in
+++ b/bin/tests/system/kasp/ns3/policies/autosign.conf.in
@ -99,6 +99,7 @@ dnssec-policy "csk-roll" {
 	retire-safety 2h;
 	purge-keys PT1H;

+	cds-digest-types { "sha-384"; }; // use a different digest type for testing purposes
 	keys {
 		csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
 	};
@ -121,7 +122,7 @@ dnssec-policy "csk-roll2" {
 	retire-safety 1h;
 	purge-keys 0;

-	cds-digest-type "sha-384"; // use a different digest type for testing purposes
+	cds-digest-types { "sha-256"; "sha-384"; }; // use two digest type for testing purposes
 	keys {
 		csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
 	};
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@ -888,7 +888,7 @@ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > s
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1

 # Step 2:
 # It is time to introduce the new CSK.
@ -916,7 +916,7 @@ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > s
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1

 # Step 3:
 # It is time to submit the DS and to roll signatures.
@ -971,7 +971,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1

 # Step 4:
 # Some time later all the ZRRSIG records should be from the new CSK, and the
@ -1018,7 +1018,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1

 # Step 5:
 # After the DS is swapped in step 4, also the KRRSIG records can be removed.
@ -1054,7 +1054,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1

 # Step 6:
 # After the retire interval has passed the predecessor DNSKEY can be
@ -1098,7 +1098,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1

 # Step 7:
 # Some time later the predecessor DNSKEY enters the HIDDEN state.
@ -1133,7 +1133,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1

 # Step 8:
 # The predecessor DNSKEY can be purged.
@ -1168,7 +1168,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1

 #
 # The zones at csk-roll2.autosign represent the various steps of a CSK rollover
@ -1187,7 +1187,7 @@ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > s
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1

 # Step 2:
 # It is time to introduce the new CSK.
@ -1215,7 +1215,7 @@ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > s
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1

 # Step 3:
 # It is time to submit the DS and to roll signatures.
@ -1270,7 +1270,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1

 # Step 4:
 # Some time later all the ZRRSIG records should be from the new CSK, and the
@ -1318,7 +1318,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1

 # Step 5:
 # Some time later the DS can be swapped and the old DNSKEY can be removed from
@ -1355,7 +1355,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1

 # Step 6:
 # Some time later the predecessor DNSKEY enters the HIDDEN state.
@ -1391,7 +1391,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1

 # Step 7:
 # The predecessor DNSKEY can be purged, but purge-keys is disabled.
@ -1426,4 +1426,4 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@ -56,7 +56,7 @@ next_key_event_threshold=100
 # dnssec-keygen
 #
 set_zone "kasp"
-set_policy "kasp" "4" "200" "2"
+set_policy "kasp" "4" "200"
 set_server "keys" "10.53.0.1"

 n=$((n+1))
@ -122,7 +122,7 @@ n=$((n+1))
 echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)"
 ret=0
 set_zone "kasp"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "." "10.53.0.1"
 # Key properties.
 set_keyrole      "KEY1" "csk"
@ -277,7 +277,7 @@ set_keytimes_csk_policy() {

 # Check the zone with default kasp policy has loaded and is signed.
 set_zone "default.kasp"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyrole      "KEY1" "csk"
@ -398,7 +398,7 @@ dnssec_verify
 #
 set_zone "dynamic.kasp"
 set_dynamic
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 check_keys
@ -461,7 +461,7 @@ status=$((status+ret))
 #
 set_zone "dynamic-inline-signing.kasp"
 set_dynamic
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 check_keys
@ -489,7 +489,7 @@ status=$((status+ret))
 # Zone: inline-signing.kasp
 #
 set_zone "inline-signing.kasp"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 check_keys
@ -509,7 +509,7 @@ key_clear "KEY3"
 key_clear "KEY4"

 set_zone "checkds-ksk.kasp"
-set_policy "checkds-ksk" "2" "303" "2"
+set_policy "checkds-ksk" "2" "303"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyrole      "KEY1" "ksk"
@ -579,7 +579,7 @@ key_clear "KEY3"
 key_clear "KEY4"

 set_zone "checkds-doubleksk.kasp"
-set_policy "checkds-doubleksk" "3" "303" "2"
+set_policy "checkds-doubleksk" "3" "303"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyrole      "KEY1" "ksk"
@ -680,7 +680,7 @@ key_clear "KEY3"
 key_clear "KEY4"

 set_zone "checkds-csk.kasp"
-set_policy "checkds-csk" "1" "303" "2"
+set_policy "checkds-csk" "1" "303"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyrole      "KEY1" "csk"
@ -796,7 +796,7 @@ set_keytimes_algorithm_policy() {
 if $SHELL ../testcrypto.sh -q RSASHA1
 then
 	set_zone "rsasha1.kasp"
-	set_policy "rsasha1" "3" "1234" "2"
+	set_policy "rsasha1" "3" "1234"
 	set_server "ns3" "10.53.0.3"
 	# Key properties.
 	key_clear        "KEY1"
@ -850,7 +850,7 @@ fi
 # Zone: unsigned.kasp.
 #
 set_zone "unsigned.kasp"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns3" "10.53.0.3"

 key_clear "KEY1"
@ -874,7 +874,7 @@ status=$((status+ret))
 # Zone: insecure.kasp.
 #
 set_zone "insecure.kasp"
-set_policy "insecure" "0" "0" "0"
+set_policy "insecure" "0" "0"
 set_server "ns3" "10.53.0.3"

 key_clear "KEY1"
@ -891,7 +891,7 @@ check_subdomain
 # Zone: unlimited.kasp.
 #
 set_zone "unlimited.kasp"
-set_policy "unlimited" "1" "1234" "2"
+set_policy "unlimited" "1" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyrole      "KEY1" "csk"
@ -918,7 +918,7 @@ dnssec_verify
 # Zone: inherit.kasp.
 #
 set_zone "inherit.kasp"
-set_policy "rsasha256" "3" "1234" "2"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"

 # Key properties.
@ -971,7 +971,7 @@ dnssec_verify
 # Zone: dnssec-keygen.kasp.
 #
 set_zone "dnssec-keygen.kasp"
-set_policy "rsasha256" "3" "1234" "2"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.

@ -987,7 +987,7 @@ dnssec_verify
 # Zone: some-keys.kasp.
 #
 set_zone "some-keys.kasp"
-set_policy "rsasha256" "3" "1234" "2"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.

@ -1005,7 +1005,7 @@ dnssec_verify
 # There are more pregenerated keys than needed, hence the number of keys is
 # six, not three.
 set_zone "pregenerated.kasp"
-set_policy "rsasha256" "6" "1234" "2"
+set_policy "rsasha256" "6" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.

@ -1022,7 +1022,7 @@ dnssec_verify
 #
 # There are three keys in rumoured state.
 set_zone "rumoured.kasp"
-set_policy "rsasha256" "3" "1234" "2"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.

@ -1048,7 +1048,7 @@ dnssec_verify
 # Zone: secondary.kasp.
 #
 set_zone "secondary.kasp"
-set_policy "rsasha256" "3" "1234" "2"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.

@ -1095,7 +1095,7 @@ status=$((status+ret))
 if $SHELL ../testcrypto.sh -q RSASHA1
 then
 	set_zone "rsasha1-nsec3.kasp"
-	set_policy "rsasha1-nsec3" "3" "1234" "2"
+	set_policy "rsasha1-nsec3" "3" "1234"
 	set_server "ns3" "10.53.0.3"
 	# Key properties.
 	set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
@ -1116,7 +1116,7 @@ fi
 # Zone: rsasha256.kasp.
 #
 set_zone "rsasha256.kasp"
-set_policy "rsasha256" "3" "1234" "2"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
@ -1136,7 +1136,7 @@ dnssec_verify
 # Zone: rsasha512.kasp.
 #
 set_zone "rsasha512.kasp"
-set_policy "rsasha512" "3" "1234" "2"
+set_policy "rsasha512" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyalgorithm "KEY1" "10" "RSASHA512" "2048"
@ -1156,7 +1156,7 @@ dnssec_verify
 # Zone: ecdsa256.kasp.
 #
 set_zone "ecdsa256.kasp"
-set_policy "ecdsa256" "3" "1234" "2"
+set_policy "ecdsa256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
@ -1176,7 +1176,7 @@ dnssec_verify
 # Zone: ecdsa512.kasp.
 #
 set_zone "ecdsa384.kasp"
-set_policy "ecdsa384" "3" "1234" "2"
+set_policy "ecdsa384" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
@ -1197,7 +1197,7 @@ dnssec_verify
 #
 if [ -f ed25519-supported.file ]; then
 	set_zone "ed25519.kasp"
-	set_policy "ed25519" "3" "1234" "2"
+	set_policy "ed25519" "3" "1234"
 	set_server "ns3" "10.53.0.3"
 	# Key properties.
 	set_keyalgorithm "KEY1" "15" "ED25519" "256"
@ -1219,7 +1219,7 @@ fi
 #
 if [ -f ed448-supported.file ]; then
 	set_zone "ed448.kasp"
-	set_policy "ed448" "3" "1234" "2"
+	set_policy "ed448" "3" "1234"
 	set_server "ns3" "10.53.0.3"
 	# Key properties.
 	set_keyalgorithm "KEY1" "16" "ED448" "456"
@ -1273,7 +1273,7 @@ set_keytimes_autosign_policy() {
 # Zone: expired-sigs.autosign.
 #
 set_zone "expired-sigs.autosign"
-set_policy "autosign" "2" "300" "2"
+set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear        "KEY1"
@ -1357,7 +1357,7 @@ check_rrsig_refresh
 # Zone: fresh-sigs.autosign.
 #
 set_zone "fresh-sigs.autosign"
-set_policy "autosign" "2" "300" "2"
+set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.

@ -1418,7 +1418,7 @@ check_rrsig_reuse
 # Zone: unfresh-sigs.autosign.
 #
 set_zone "unfresh-sigs.autosign"
-set_policy "autosign" "2" "300" "2"
+set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.

@ -1435,7 +1435,7 @@ check_rrsig_refresh
 # Zone: ksk-missing.autosign.
 #
 set_zone "ksk-missing.autosign"
-set_policy "autosign" "2" "300" "2"
+set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 # Skip checking the private file, because it is missing.
@ -1454,7 +1454,7 @@ key_set "KEY1" "PRIVATE" "yes"
 # Zone: zsk-missing.autosign.
 #
 set_zone "zsk-missing.autosign"
-set_policy "autosign" "2" "300" "2"
+set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 # Skip checking the private file, because it is missing.
@ -1481,7 +1481,7 @@ key_set "KEY2" "PRIVATE" "yes"
 # Zone: zsk-retired.autosign.
 #
 set_zone "zsk-retired.autosign"
-set_policy "autosign" "3" "300" "2"
+set_policy "autosign" "3" "300"
 set_server "ns3" "10.53.0.3"
 # The third key is not yet expected to be signing.
 set_keyrole      "KEY3" "zsk"
@ -1537,7 +1537,7 @@ check_rrsig_refresh
 set_zone "legacy-keys.kasp"
 # This zone has two active keys and two old keys left in key directory, so
 # expect 4 key files.
-set_policy "migrate-to-dnssec-policy" "4" "1234" "2"
+set_policy "migrate-to-dnssec-policy" "4" "1234"
 set_server "ns3" "10.53.0.3"

 # Key properties.
@ -1648,7 +1648,7 @@ key_clear "KEY3"
 key_clear "KEY4"

 set_zone "unsigned.tld"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns2" "10.53.0.2"
 TSIG=""
 check_keys
@ -1657,7 +1657,7 @@ check_apex
 check_subdomain

 set_zone "none.inherit.signed"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha1:sha1:$SHA1"
 check_keys
@ -1666,7 +1666,7 @@ check_apex
 check_subdomain

 set_zone "none.override.signed"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha224:sha224:$SHA224"
 check_keys
@ -1675,7 +1675,7 @@ check_apex
 check_subdomain

 set_zone "inherit.none.signed"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha256:sha256:$SHA256"
 check_keys
@ -1684,7 +1684,7 @@ check_apex
 check_subdomain

 set_zone "none.none.signed"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha256:sha256:$SHA256"
 check_keys
@ -1693,7 +1693,7 @@ check_apex
 check_subdomain

 set_zone "inherit.inherit.unsigned"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha1:sha1:$SHA1"
 check_keys
@ -1702,7 +1702,7 @@ check_apex
 check_subdomain

 set_zone "none.inherit.unsigned"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha1:sha1:$SHA1"
 check_keys
@ -1711,7 +1711,7 @@ check_apex
 check_subdomain

 set_zone "none.override.unsigned"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha224:sha224:$SHA224"
 check_keys
@ -1720,7 +1720,7 @@ check_apex
 check_subdomain

 set_zone "inherit.none.unsigned"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha256:sha256:$SHA256"
 check_keys
@ -1729,7 +1729,7 @@ check_apex
 check_subdomain

 set_zone "none.none.unsigned"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha256:sha256:$SHA256"
 check_keys
@ -1756,7 +1756,7 @@ set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
 set_keystate "KEY1" "STATE_DS"     "hidden"

 set_zone "signed.tld"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns2" "10.53.0.2"
 TSIG=""
 check_keys
@ -1768,7 +1768,7 @@ check_subdomain
 dnssec_verify

 set_zone "override.inherit.signed"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha1:sha1:$SHA1"
 check_keys
@ -1780,7 +1780,7 @@ check_subdomain
 dnssec_verify

 set_zone "inherit.override.signed"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha224:sha224:$SHA224"
 check_keys
@ -1792,7 +1792,7 @@ check_subdomain
 dnssec_verify

 set_zone "override.inherit.unsigned"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha1:sha1:$SHA1"
 check_keys
@ -1804,7 +1804,7 @@ check_subdomain
 dnssec_verify

 set_zone "inherit.override.unsigned"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha224:sha224:$SHA224"
 check_keys
@ -1829,7 +1829,7 @@ set_keysigning   "KEY1" "yes"
 set_zonesigning  "KEY1" "yes"

 set_zone "inherit.inherit.signed"
-set_policy "test" "1" "3600" "2"
+set_policy "test" "1" "3600"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha1:sha1:$SHA1"
 wait_for_nsec
@ -1842,7 +1842,7 @@ check_subdomain
 dnssec_verify

 set_zone "override.override.signed"
-set_policy "test" "1" "3600" "2"
+set_policy "test" "1" "3600"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha224:sha224:$SHA224"
 wait_for_nsec
@ -1855,7 +1855,7 @@ check_subdomain
 dnssec_verify

 set_zone "override.none.signed"
-set_policy "test" "1" "3600" "2"
+set_policy "test" "1" "3600"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha256:sha256:$SHA256"
 wait_for_nsec
@ -1868,7 +1868,7 @@ check_subdomain
 dnssec_verify

 set_zone "override.override.unsigned"
-set_policy "test" "1" "3600" "2"
+set_policy "test" "1" "3600"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha224:sha224:$SHA224"
 wait_for_nsec
@ -1881,7 +1881,7 @@ check_subdomain
 dnssec_verify

 set_zone "override.none.unsigned"
-set_policy "test" "1" "3600" "2"
+set_policy "test" "1" "3600"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha256:sha256:$SHA256"
 wait_for_nsec
@ -1980,7 +1980,7 @@ TSIG=""
 # Testing RFC 8901 Multi-Signer Model 2.
 #
 set_zone "multisigner-model2.kasp"
-set_policy "multisigner-model2" "2" "3600" "2"
+set_policy "multisigner-model2" "2" "3600"
 set_server "ns3" "10.53.0.3"
 key_clear "KEY1"
 key_clear "KEY2"
@ -2042,7 +2042,7 @@ status=$((status+ret))
 # Testing manual rollover.
 #
 set_zone "manual-rollover.kasp"
-set_policy "manual-rollover" "2" "3600" "2"
+set_policy "manual-rollover" "2" "3600"
 set_server "ns3" "10.53.0.3"
 key_clear "KEY1"
 key_clear "KEY2"
@ -2108,7 +2108,7 @@ check_subdomain
 dnssec_verify

 # Schedule KSK rollover now.
-set_policy "manual-rollover" "3" "3600" "2"
+set_policy "manual-rollover" "3" "3600"
 set_keystate "KEY1" "GOAL" "hidden"
 # This key was activated one day ago, so lifetime is set to 1d plus
 # prepublication duration (7500 seconds) = 93900 seconds.
@ -2135,7 +2135,7 @@ check_subdomain
 dnssec_verify

 # Schedule ZSK rollover now.
-set_policy "manual-rollover" "4" "3600" "2"
+set_policy "manual-rollover" "4" "3600"
 set_keystate "KEY2" "GOAL" "hidden"
 # This key was activated one day ago, so lifetime is set to 1d plus
 # prepublication duration (7500 seconds) = 93900 seconds.
@ -2177,7 +2177,7 @@ status=$((status+ret))
 # Zone: step1.enable-dnssec.autosign.
 #
 set_zone "step1.enable-dnssec.autosign"
-set_policy "enable-dnssec" "1" "300" "2"
+set_policy "enable-dnssec" "1" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear        "KEY1"
@ -2261,7 +2261,7 @@ check_next_key_event 900
 # Zone: step2.enable-dnssec.autosign.
 #
 set_zone "step2.enable-dnssec.autosign"
-set_policy "enable-dnssec" "1" "300" "2"
+set_policy "enable-dnssec" "1" "300"
 set_server "ns3" "10.53.0.3"
 # The DNSKEY is omnipresent, but the zone signatures not yet.
 # Thus, the DS remains hidden.
@ -2294,7 +2294,7 @@ check_next_key_event 43800
 # Zone: step3.enable-dnssec.autosign.
 #
 set_zone "step3.enable-dnssec.autosign"
-set_policy "enable-dnssec" "1" "300" "2"
+set_policy "enable-dnssec" "1" "300"
 set_server "ns3" "10.53.0.3"
 # All signatures should be omnipresent, so the DS can be submitted.
 set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
@ -2331,7 +2331,7 @@ check_next_key_event 12000
 # Zone: step4.enable-dnssec.autosign.
 #
 set_zone "step4.enable-dnssec.autosign"
-set_policy "enable-dnssec" "1" "300" "2"
+set_policy "enable-dnssec" "1" "300"
 set_server "ns3" "10.53.0.3"
 # The DS is omnipresent.
 set_keystate "KEY1" "STATE_DS" "omnipresent"
@ -2377,7 +2377,7 @@ IretZSK=867600
 # Zone: step1.zsk-prepub.autosign.
 #
 set_zone "step1.zsk-prepub.autosign"
-set_policy "zsk-prepub" "2" "3600" "2"
+set_policy "zsk-prepub" "2" "3600"
 set_server "ns3" "10.53.0.3"

 set_retired_removed() {
@ -2452,7 +2452,7 @@ check_next_key_event 2498400
 # Zone: step2.zsk-prepub.autosign.
 #
 set_zone "step2.zsk-prepub.autosign"
-set_policy "zsk-prepub" "3" "3600" "2"
+set_policy "zsk-prepub" "3" "3600"
 set_server "ns3" "10.53.0.3"
 # New ZSK (KEY3) is prepublished, but not yet signing.
 key_clear        "KEY3"
@ -2499,7 +2499,7 @@ check_next_key_event 93600
 # Zone: step3.zsk-prepub.autosign.
 #
 set_zone "step3.zsk-prepub.autosign"
-set_policy "zsk-prepub" "3" "3600" "2"
+set_policy "zsk-prepub" "3" "3600"
 set_server "ns3" "10.53.0.3"
 # ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE.
 # New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
@ -2547,7 +2547,7 @@ check_next_key_event 867600
 # Zone: step4.zsk-prepub.autosign.
 #
 set_zone "step4.zsk-prepub.autosign"
-set_policy "zsk-prepub" "3" "3600" "2"
+set_policy "zsk-prepub" "3" "3600"
 set_server "ns3" "10.53.0.3"
 # ZSK (KEY2) DNSKEY is no longer needed.
 # ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
@ -2584,7 +2584,7 @@ check_next_key_event 7200
 # Zone: step5.zsk-prepub.autosign.
 #
 set_zone "step5.zsk-prepub.autosign"
-set_policy "zsk-prepub" "3" "3600" "2"
+set_policy "zsk-prepub" "3" "3600"
 set_server "ns3" "10.53.0.3"
 # ZSK (KEY2) DNSKEY is now completely HIDDEN and removed.
 set_keystate "KEY2" "STATE_DNSKEY" "hidden"
@ -2618,7 +2618,7 @@ check_next_key_event 1627200
 # Zone: step6.zsk-prepub.autosign.
 #
 set_zone "step6.zsk-prepub.autosign"
-set_policy "zsk-prepub" "2" "3600" "2"
+set_policy "zsk-prepub" "2" "3600"
 set_server "ns3" "10.53.0.3"
 # ZSK (KEY2) DNSKEY is purged.
 key_clear "KEY2"
@ -2650,7 +2650,7 @@ IretZSK=867600
 # Zone: step1.ksk-doubleksk.autosign.
 #
 set_zone "step1.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "2" "7200" "2"
+set_policy "ksk-doubleksk" "2" "7200"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear        "KEY1"
@ -2699,7 +2699,7 @@ check_next_key_event 5086800
 # Zone: step2.ksk-doubleksk.autosign.
 #
 set_zone "step2.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "3" "7200" "2"
+set_policy "ksk-doubleksk" "3" "7200"
 set_server "ns3" "10.53.0.3"
 # New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
 key_clear        "KEY3"
@ -2750,7 +2750,7 @@ check_next_key_event 97200
 # Zone: step3.ksk-doubleksk.autosign.
 #
 set_zone "step3.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "3" "7200" "2"
+set_policy "ksk-doubleksk" "3" "7200"
 set_server "ns3" "10.53.0.3"

 # The DNSKEY RRset has become omnipresent.
@ -2800,7 +2800,7 @@ check_next_key_event 180000
 # Zone: step4.ksk-doubleksk.autosign.
 #
 set_zone "step4.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "3" "7200" "2"
+set_policy "ksk-doubleksk" "3" "7200"
 set_server "ns3" "10.53.0.3"
 # KSK (KEY1) DNSKEY can be removed.
 set_keysigning "KEY1" "no"
@ -2841,7 +2841,7 @@ check_next_key_event 10800
 # Zone: step5.ksk-doubleksk.autosign.
 #
 set_zone "step5.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "3" "7200" "2"
+set_policy "ksk-doubleksk" "3" "7200"
 set_server "ns3" "10.53.0.3"
 # KSK (KEY1) DNSKEY is now HIDDEN.
 set_keystate "KEY1" "STATE_DNSKEY" "hidden"
@ -2879,7 +2879,7 @@ check_next_key_event 4899600
 # Zone: step6.ksk-doubleksk.autosign.
 #
 set_zone "step6.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "2" "7200" "2"
+set_policy "ksk-doubleksk" "2" "7200"
 set_server "ns3" "10.53.0.3"
 # KSK (KEY1) DNSKEY is purged.
 key_clear "KEY1"
@ -2920,7 +2920,9 @@ csk_rollover_predecessor_keytimes() {
 # Zone: step1.csk-roll.autosign.
 #
 set_zone "step1.csk-roll.autosign"
-set_policy "csk-roll" "1" "3600" "2"
+set_policy "csk-roll" "1" "3600"
+CDS_SHA256="no"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear        "KEY1"
@ -2960,7 +2962,9 @@ check_next_key_event 16059600
 # Zone: step2.csk-roll.autosign.
 #
 set_zone "step2.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600" "2"
+set_policy "csk-roll" "2" "3600"
+CDS_SHA256="no"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
 key_clear        "KEY2"
@ -3009,7 +3013,9 @@ check_next_key_event 10800
 # Zone: step3.csk-roll.autosign.
 #
 set_zone "step3.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600" "2"
+set_policy "csk-roll" "2" "3600"
+CDS_SHA256="no"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # Swap zone signing role.
 set_zonesigning  "KEY1" "no"
@ -3070,7 +3076,9 @@ check_next_key_event 14400
 # Zone: step4.csk-roll.autosign.
 #
 set_zone "step4.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600" "2"
+set_policy "csk-roll" "2" "3600"
+CDS_SHA256="no"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) is no longer signing the DNSKEY RRset.
 set_keysigning "KEY1" "no"
@ -3111,7 +3119,9 @@ check_next_key_event 7200
 # Zone: step5.csk-roll.autosign.
 #
 set_zone "step5.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600" "2"
+set_policy "csk-roll" "2" "3600"
+CDS_SHA256="no"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) KRRSIG records are now all hidden.
 set_keystate "KEY1" "STATE_KRRSIG" "hidden"
@ -3148,7 +3158,9 @@ check_next_key_event 2235600
 # Zone: step6.csk-roll.autosign.
 #
 set_zone "step6.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600" "2"
+set_policy "csk-roll" "2" "3600"
+CDS_SHA256="no"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) ZRRSIG records are now all hidden (so the DNSKEY can
 # be removed).
@ -3187,7 +3199,9 @@ check_next_key_event 7200
 # Zone: step7.csk-roll.autosign.
 #
 set_zone "step7.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600" "2"
+set_policy "csk-roll" "2" "3600"
+CDS_SHA256="no"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) is now completely HIDDEN.
 set_keystate "KEY1" "STATE_DNSKEY" "hidden"
@ -3225,7 +3239,9 @@ check_next_key_event 13795200
 # Zone: step8.csk-roll.autosign.
 #
 set_zone "step8.csk-roll.autosign"
-set_policy "csk-roll" "1" "3600" "2"
+set_policy "csk-roll" "1" "3600"
+CDS_SHA256="no"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) is purged.
 key_clear "KEY1"
@ -3257,7 +3273,8 @@ IretCSK=$IretKSK
 # Zone: step1.csk-roll2.autosign.
 #
 set_zone "step1.csk-roll2.autosign"
-set_policy "csk-roll2" "1" "3600" "4"
+set_policy "csk-roll2" "1" "3600"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear        "KEY1"
@ -3298,7 +3315,8 @@ check_next_key_event 16059600
 # Zone: step2.csk-roll2.autosign.
 #
 set_zone "step2.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600" "4"
+set_policy "csk-roll2" "2" "3600"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
 key_clear        "KEY2"
@ -3346,7 +3364,8 @@ check_next_key_event 10800
 # Zone: step3.csk-roll2.autosign.
 #
 set_zone "step3.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600" "4"
+set_policy "csk-roll2" "2" "3600"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # CSK (KEY1) can be removed, so move to UNRETENTIVE.
 set_zonesigning  "KEY1" "no"
@ -3412,7 +3431,8 @@ check_next_key_event $next_time
 # Zone: step4.csk-roll2.autosign.
 #
 set_zone "step4.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600" "4"
+set_policy "csk-roll2" "2" "3600"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) ZRRSIG is now HIDDEN.
 set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
@ -3453,7 +3473,8 @@ check_next_key_event 475200
 # Zone: step5.csk-roll2.autosign.
 #
 set_zone "step5.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600" "4"
+set_policy "csk-roll2" "2" "3600"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) DNSKEY can be removed.
 set_keysigning   "KEY1" "no"
@ -3493,7 +3514,8 @@ check_next_key_event 7200
 # Zone: step6.csk-roll2.autosign.
 #
 set_zone "step6.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600" "4"
+set_policy "csk-roll2" "2" "3600"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) is now completely HIDDEN.
 set_keystate "KEY1" "STATE_DNSKEY" "hidden"
@ -3530,7 +3552,8 @@ check_next_key_event 15440400
 # Zone: step7.csk-roll2.autosign.
 #
 set_zone "step7.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600" "4"
+set_policy "csk-roll2" "2" "3600"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) could have been purged, but purge-keys is disabled.

@ -3545,13 +3568,13 @@ dnssec_verify
 # Test #2375: Scheduled rollovers are happening faster than they can finish
 #
 set_zone "step1.three-is-a-crowd.kasp"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns3" "10.53.0.3"
 # TODO (GL #2471).

 # Test dynamic zones that switch to inline-signing.
 set_zone "dynamic2inline.kasp"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns6" "10.53.0.6"
 # Key properties.
 key_clear        "KEY1"
@ -3589,7 +3612,7 @@ IretZSK=0
 # Zone: step1.algorithm-roll.kasp
 #
 set_zone "step1.algorithm-roll.kasp"
-set_policy "rsasha256" "2" "3600" "2"
+set_policy "rsasha256" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # Key properties.
 key_clear        "KEY1"
@ -3637,7 +3660,7 @@ check_next_key_event 3600
 # Zone: step1.csk-algorithm-roll.kasp
 #
 set_zone "step1.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "1" "3600" "2"
+set_policy "csk-algoroll" "1" "3600"
 set_server "ns6" "10.53.0.6"
 # Key properties.
 key_clear        "KEY1"
@ -3681,7 +3704,7 @@ check_next_key_event 3600
 # Zone step1.going-insecure.kasp
 #
 set_zone "step1.going-insecure.kasp"
-set_policy "unsigning" "2" "7200" "2"
+set_policy "unsigning" "2" "7200"
 set_server "ns6" "10.53.0.6"

 # Policy parameters.
@ -3742,7 +3765,7 @@ dnssec_verify

 set_zone "step1.going-insecure-dynamic.kasp"
 set_dynamic
-set_policy "unsigning" "2" "7200" "2"
+set_policy "unsigning" "2" "7200"
 set_server "ns6" "10.53.0.6"
 init_migration_insecure

@ -3761,7 +3784,7 @@ dnssec_verify
 # Zone step1.going-straight-to-none.kasp
 #
 set_zone "step1.going-straight-to-none.kasp"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns6" "10.53.0.6"
 # Key properties.
 set_keyrole      "KEY1" "csk"
@ -3846,7 +3869,7 @@ wait_for_done_signing() {

 # Test dynamic zones that switch to inline-signing.
 set_zone "dynamic2inline.kasp"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns6" "10.53.0.6"
 # Key properties.
 key_clear        "KEY1"
@ -3880,7 +3903,7 @@ dnssec_verify
 # Zone: step1.going-insecure.kasp
 #
 set_zone "step1.going-insecure.kasp"
-set_policy "insecure" "2" "7200" "2"
+set_policy "insecure" "2" "7200"
 set_server "ns6" "10.53.0.6"
 # Expect a CDS/CDNSKEY Delete Record.
 set_cdsdelete
@ -3917,7 +3940,7 @@ check_next_key_event 93600
 # Zone: step2.going-insecure.kasp
 #
 set_zone "step2.going-insecure.kasp"
-set_policy "insecure" "2" "7200" "2"
+set_policy "insecure" "2" "7200"
 set_server "ns6" "10.53.0.6"

 # The DS is long enough removed from the zone to be considered HIDDEN.
@ -3947,7 +3970,7 @@ check_next_key_event 7500
 #
 set_zone "step1.going-insecure-dynamic.kasp"
 set_dynamic
-set_policy "insecure" "2" "7200" "2"
+set_policy "insecure" "2" "7200"
 set_server "ns6" "10.53.0.6"
 # Expect a CDS/CDNSKEY Delete Record.
 set_cdsdelete
@ -3985,7 +4008,7 @@ check_next_key_event 93600
 #
 set_zone "step2.going-insecure-dynamic.kasp"
 set_dynamic
-set_policy "insecure" "2" "7200" "2"
+set_policy "insecure" "2" "7200"
 set_server "ns6" "10.53.0.6"

 # The DS is long enough removed from the zone to be considered HIDDEN.
@ -4014,7 +4037,7 @@ check_next_key_event 7500
 # Zone: step1.going-straight-to-none.kasp
 #
 set_zone "step1.going-straight-to-none.kasp"
-set_policy "none" "1" "3600" "2"
+set_policy "none" "1" "3600"
 set_server "ns6" "10.53.0.6"

 # The zone will go bogus after signatures expire, but remains validly signed for now.
@ -4055,7 +4078,7 @@ Lzsk=0
 # Zone: step1.algorithm-roll.kasp
 #
 set_zone "step1.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600" "2"
+set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
 # Old RSASHA1 keys.
 key_clear        "KEY1"
@ -4168,7 +4191,7 @@ check_next_key_event 10800
 # Zone: step2.algorithm-roll.kasp
 #
 set_zone "step2.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600" "2"
+set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
 # The RSAHSHA1 keys are outroducing, but need to stay present until the new
 # algorithm chain of trust has been established. Thus the properties, timings
@ -4227,7 +4250,7 @@ check_next_key_event $next_time
 # Zone: step3.algorithm-roll.kasp
 #
 set_zone "step3.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600" "2"
+set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
 # The ECDSAP256SHA256 keys are introducing.
 set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
@ -4285,7 +4308,7 @@ check_next_key_event 18000
 # Zone: step4.algorithm-roll.kasp
 #
 set_zone "step4.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600" "2"
+set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
 # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
 set_keysigning   "KEY1" "no"
@ -4344,7 +4367,7 @@ check_next_key_event 7200
 # Zone: step5.algorithm-roll.kasp
 #
 set_zone "step5.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600" "2"
+set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
 # The DNSKEY becomes HIDDEN.
 set_keystate "KEY1" "STATE_DNSKEY" "hidden"
@ -4400,7 +4423,7 @@ check_next_key_event $next_time
 # Zone: step6.algorithm-roll.kasp
 #
 set_zone "step6.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600" "2"
+set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
 # The old zone signatures (KEY2) should now also be HIDDEN.
 set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
@ -4457,7 +4480,7 @@ Lcksk=0
 # Zone: step1.csk-algorithm-roll.kasp
 #
 set_zone "step1.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600" "2"
+set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # Old RSASHA1 key.
 key_clear	 "KEY1"
@ -4536,7 +4559,7 @@ check_next_key_event 10800
 # Zone: step2.csk-algorithm-roll.kasp
 #
 set_zone "step2.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600" "2"
+set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # The RSAHSHA1 key is outroducing, but need to stay present until the new
 # algorithm chain of trust has been established. Thus the properties, timings
@ -4586,7 +4609,7 @@ check_next_key_event $next_time
 # Zone: step3.csk-algorithm-roll.kasp
 #
 set_zone "step3.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600" "2"
+set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # The RSAHSHA1 key is outroducing, and it is time to swap the DS.
 # The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures
@ -4636,7 +4659,7 @@ check_next_key_event 18000
 # Zone: step4.csk-algorithm-roll.kasp
 #
 set_zone "step4.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600" "2"
+set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
 set_keysigning   "KEY1" "no"
@ -4682,7 +4705,7 @@ check_next_key_event 7200
 # Zone: step5.csk-algorithm-roll.kasp
 #
 set_zone "step5.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600" "2"
+set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # The DNSKEY becomes HIDDEN.
 set_keystate "KEY1" "STATE_DNSKEY" "hidden"
@ -4727,7 +4750,7 @@ check_next_key_event $next_time
 # Zone: step6.csk-algorithm-roll.kasp
 #
 set_zone "step6.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600" "2"
+set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # The zone signatures should now also be HIDDEN.
 set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
--- a/bin/tests/system/keymgr2kasp/tests.sh
+++ b/bin/tests/system/keymgr2kasp/tests.sh
@ -126,7 +126,7 @@ init_migration_states() {
 # Testing a good migration.
 #
 set_zone "migrate.kasp"
-set_policy "none" "2" "7200" "2"
+set_policy "none" "2" "7200"
 set_server "ns3" "10.53.0.3"

 init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
@ -149,7 +149,7 @@ _migrate_zsk=$(key_get KEY2 ID)
 # Testing a good migration (CSK).
 #
 set_zone "csk.kasp"
-set_policy "none" "1" "7200" "2"
+set_policy "none" "1" "7200"
 set_server "ns3" "10.53.0.3"

 key_clear        "KEY1"
@ -192,7 +192,7 @@ _migrate_csk=$(key_get KEY1 ID)
 # Testing a good migration (CSK, no SEP).
 #
 set_zone "csk-nosep.kasp"
-set_policy "none" "1" "7200" "2"
+set_policy "none" "1" "7200"
 set_server "ns3" "10.53.0.3"

 key_clear        "KEY1"
@ -235,7 +235,7 @@ _migrate_csk_nosep=$(key_get KEY1 ID)
 # Testing key states derived from key timing metadata (rumoured).
 #
 set_zone "rumoured.kasp"
-set_policy "none" "2" "300" "2"
+set_policy "none" "2" "300"
 set_server "ns3" "10.53.0.3"

 init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
@ -255,7 +255,7 @@ _rumoured_zsk=$(key_get KEY2 ID)
 # Testing key states derived from key timing metadata (omnipresent).
 #
 set_zone "omnipresent.kasp"
-set_policy "none" "2" "300" "2"
+set_policy "none" "2" "300"
 set_server "ns3" "10.53.0.3"

 init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
@ -275,7 +275,7 @@ _omnipresent_zsk=$(key_get KEY2 ID)
 # Testing migration with unmatched existing keys (different algorithm).
 #
 set_zone "migrate-nomatch-algnum.kasp"
-set_policy "none" "2" "300" "2"
+set_policy "none" "2" "300"
 set_server "ns3" "10.53.0.3"

 init_migration_keys "8" "RSASHA256" "2048" "2048"
@ -312,7 +312,7 @@ _migratenomatch_algnum_zsk=$(key_get KEY2 ID)
 # Testing migration with unmatched existing keys (different length).
 #
 set_zone "migrate-nomatch-alglen.kasp"
-set_policy "none" "2" "300" "2"
+set_policy "none" "2" "300"
 set_server "ns3" "10.53.0.3"

 init_migration_keys "8" "RSASHA256" "2048" "2048"
@ -411,7 +411,7 @@ IretZSK=867900
 # Testing good migration.
 #
 set_zone "migrate.kasp"
-set_policy "migrate" "2" "7200" "2"
+set_policy "migrate" "2" "7200"
 set_server "ns3" "10.53.0.3"

 # Key properties, timings and metadata should be the same as legacy keys above.
@ -462,7 +462,7 @@ status=$((status+ret))
 # Testing a good migration (CSK).
 #
 set_zone "csk.kasp"
-set_policy "default" "1" "7200" "2"
+set_policy "default" "1" "7200"
 set_server "ns3" "10.53.0.3"

 key_clear        "KEY1"
@ -512,7 +512,7 @@ status=$((status+ret))
 # Testing a good migration (CSK, no SEP).
 #
 set_zone "csk-nosep.kasp"
-set_policy "default" "1" "7200" "2"
+set_policy "default" "1" "7200"
 set_server "ns3" "10.53.0.3"

 key_clear        "KEY1"
@ -563,7 +563,7 @@ status=$((status+ret))
 # Test migration to dnssec-policy, existing keys do not match key algorithm.
 #
 set_zone "migrate-nomatch-algnum.kasp"
-set_policy "migrate-nomatch-algnum" "4" "300" "2"
+set_policy "migrate-nomatch-algnum" "4" "300"
 set_server "ns3" "10.53.0.3"
 # The legacy keys need to be retired, but otherwise stay present until the
 # new keys are omnipresent, and can be used to construct a chain of trust.
@ -678,7 +678,7 @@ status=$((status+ret))
 # Test migration to dnssec-policy, existing keys do not match key length.
 #
 set_zone "migrate-nomatch-alglen.kasp"
-set_policy "migrate-nomatch-alglen" "4" "300" "2"
+set_policy "migrate-nomatch-alglen" "4" "300"
 set_server "ns3" "10.53.0.3"

 # The legacy keys need to be retired, but otherwise stay present until the
@ -811,7 +811,7 @@ IretZSK=651600
 # Testing rumoured state.
 #
 set_zone "rumoured.kasp"
-set_policy "timing-metadata" "2" "300" "2"
+set_policy "timing-metadata" "2" "300"
 set_server "ns3" "10.53.0.3"

 # Key properties, timings and metadata should be the same as legacy keys above.
@ -861,7 +861,7 @@ status=$((status+ret))
 # Testing omnipresent state.
 #
 set_zone "omnipresent.kasp"
-set_policy "timing-metadata" "2" "300" "2"
+set_policy "timing-metadata" "2" "300"
 set_server "ns3" "10.53.0.3"

 # Key properties, timings and metadata should be the same as legacy keys above.
@ -952,7 +952,7 @@ set_keytimes_view_migration() {

 # Zone view.rsasha256.kasp (external)
 set_zone "view-rsasha256.kasp"
-set_policy "rsasha256" "2" "300" "2"
+set_policy "rsasha256" "2" "300"
 set_server "ns4" "10.53.0.4"
 init_view_migration
 set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
@ -982,7 +982,7 @@ _migrate_ext8_zsk=$(key_get KEY2 ID)

 # Zone view.rsasha256.kasp (internal)
 set_zone "view-rsasha256.kasp"
-set_policy "rsasha256" "2" "300" "2"
+set_policy "rsasha256" "2" "300"
 set_server "ns4" "10.53.0.4"
 init_view_migration
 set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
@ -1024,7 +1024,7 @@ echo_i "${time_passed} seconds passed between start of tests and reconfig"
 # Testing migration (RSASHA256, views).
 #
 set_zone "view-rsasha256.kasp"
-set_policy "rsasha256" "3" "300" "2"
+set_policy "rsasha256" "3" "300"
 set_server "ns4" "10.53.0.4"
 init_migration_keys "8" "RSASHA256" "2048" "2048"
 init_migration_states "omnipresent" "rumoured"
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@ -41,7 +41,8 @@ set_zone_policy() {
 	DNSKEY_TTL=$4
 	# The CDS digest type in these tests are all the default,
 	# which is SHA-256 (2).
-	DIGEST_TYPE=2
+	CDS_SHA256="yes"
+	CDS_SHA384="no"
 }
 # Set expected NSEC3 parameters: flags ($1), iterations ($2), and
 # salt length ($3).
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@ -6257,12 +6257,12 @@ retired when the existing key's lifetime ends.

 The following options can be specified in a :any:`dnssec-policy` statement:

-.. namedconf:statement:: cds-digest-type
+.. namedconf:statement:: cds-digest-types
   :tags: dnssec
-   :short: Specifies the digest type to use for CDS resource records.
+   :short: Specifies the digest types to use for CDS resource records.

-    This indicates the digest type to use when generating CDS resource
-    records. The default is SHA-256.
+    This indicates the digest types to use when generating CDS resource
+    records. The default is SHA-256 only.

 .. namedconf:statement:: dnskey-ttl
   :tags: dnssec
--- a/doc/misc/dnssec-policy.default.conf
+++ b/doc/misc/dnssec-policy.default.conf
@ -18,7 +18,7 @@ dnssec-policy "default" {
 	};

 	// Key timings
-	cds-digest-type 2;
+	cds-digest-types { 2; };
 	dnskey-ttl 3600;
 	publish-safety 1h;
 	retire-safety 1h;
--- a/doc/misc/options
+++ b/doc/misc/options
@ -11,7 +11,7 @@ dlz <string> {
 }; // may occur multiple times

 dnssec-policy <string> {
-	cds-digest-type <string>;
+	cds-digest-types { <string>; ... };
 	dnskey-ttl <duration>;
 	keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
 	max-zone-ttl <duration>;
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@ -1959,6 +1959,41 @@ exists(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
 	return (false);
 }

+static isc_result_t
+add_cds(dns_dnsseckey_t *key, dns_rdata_t *keyrdata, const char *keystr,
+	dns_rdataset_t *cds, unsigned int digesttype, dns_ttl_t ttl,
+	dns_diff_t *diff, isc_mem_t *mctx) {
+	isc_result_t r = ISC_R_SUCCESS;
+	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+	dns_rdata_t cdsrdata = DNS_RDATA_INIT;
+	dns_name_t *origin = dst_key_name(key->key);
+
+	r = dns_ds_buildrdata(origin, keyrdata, digesttype, dsbuf, &cdsrdata);
+	if (r != ISC_R_SUCCESS) {
+		char algbuf[DNS_DSDIGEST_FORMATSIZE];
+		dns_dsdigest_format(digesttype, algbuf,
+				    DNS_DSDIGEST_FORMATSIZE);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_DNSSEC, ISC_LOG_ERROR,
+			      "build rdata CDS (%s) for key %s failed", algbuf,
+			      keystr);
+		return (r);
+	}
+
+	cdsrdata.type = dns_rdatatype_cds;
+	if (!dns_rdataset_isassociated(cds) || !exists(cds, &cdsrdata)) {
+		char algbuf[DNS_DSDIGEST_FORMATSIZE];
+		dns_dsdigest_format(digesttype, algbuf,
+				    DNS_DSDIGEST_FORMATSIZE);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+			      "CDS (%s) for key %s is now published", algbuf,
+			      keystr);
+		r = addrdata(&cdsrdata, diff, origin, ttl, mctx);
+	}
+	return (r);
+}
+
 static isc_result_t
 delete_cds(dns_dnsseckey_t *key, dns_rdata_t *keyrdata, const char *keystr,
 	   dns_rdataset_t *cds, unsigned int digesttype, dns_diff_t *diff,
@ -1990,36 +2025,36 @@ delete_cds(dns_dnsseckey_t *key, dns_rdata_t *keyrdata, const char *keystr,
 isc_result_t
 dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
 		      dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
-		      isc_stdtime_t now, unsigned int digesttype, dns_ttl_t ttl,
-		      dns_diff_t *diff, isc_mem_t *mctx) {
-	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+		      isc_stdtime_t now, dns_kasp_digestlist_t *digests,
+		      dns_ttl_t ttl, dns_diff_t *diff, isc_mem_t *mctx) {
 	unsigned char keybuf[DST_KEY_MAXSIZE];
 	isc_result_t result;
 	dns_dnsseckey_t *key;

+	REQUIRE(digests != NULL);
+
 	for (key = ISC_LIST_HEAD(*keys); key != NULL;
 	     key = ISC_LIST_NEXT(key, link))
 	{
-		dns_rdata_t cdsrdata = DNS_RDATA_INIT;
 		dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
 		dns_name_t *origin = dst_key_name(key->key);

 		RETERR(make_dnskey(key->key, keybuf, sizeof(keybuf),
 				   &cdnskeyrdata));
-		RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata, digesttype,
-					 dsbuf, &cdsrdata));
-
-		/*
-		 * Now that the we have created the DS records convert
-		 * the rdata to CDNSKEY and CDS for comparison.
-		 */
 		cdnskeyrdata.type = dns_rdatatype_cdnskey;
-		cdsrdata.type = dns_rdatatype_cds;

 		if (syncpublish(key->key, now)) {
 			char keystr[DST_KEY_FORMATSIZE];
 			dst_key_format(key->key, keystr, sizeof(keystr));

+			for (dns_kasp_digest_t *alg = ISC_LIST_HEAD(*digests);
+			     alg != NULL; alg = ISC_LIST_NEXT(alg, link))
+			{
+				RETERR(add_cds(key, &cdnskeyrdata,
+					       (const char *)keystr, cds,
+					       alg->digest, ttl, diff, mctx));
+			}
+
 			if (!dns_rdataset_isassociated(cdnskey) ||
 			    !exists(cdnskey, &cdnskeyrdata))
 			{
@ -2031,18 +2066,6 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
 				RETERR(addrdata(&cdnskeyrdata, diff, origin,
 						ttl, mctx));
 			}
-
-			if (!dns_rdataset_isassociated(cds) ||
-			    !exists(cds, &cdsrdata))
-			{
-				isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-					      DNS_LOGMODULE_DNSSEC,
-					      ISC_LOG_INFO,
-					      "CDS for key %s is now published",
-					      keystr);
-				RETERR(addrdata(&cdsrdata, diff, origin, ttl,
-						mctx));
-			}
 		}

 		if (syncdelete(key->key, now)) {
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@ -351,7 +351,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 isc_result_t
 dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
 		      dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
-		      isc_stdtime_t now, unsigned int digesttype,
+		      isc_stdtime_t now, dns_kasp_digestlist_t *digests,
 		      dns_ttl_t hint_ttl, dns_diff_t *diff, isc_mem_t *mctx);
 /*%<
 * Update the CDS and CDNSKEY RRsets, adding and removing keys as needed.
--- a/lib/dns/include/dns/kasp.h
+++ b/lib/dns/include/dns/kasp.h
@ -34,6 +34,12 @@

 ISC_LANG_BEGINDECLS

+/* For storing a list of digest types */
+struct dns_kasp_digest {
+	dns_dsdigest_t digest;
+	ISC_LINK(dns_kasp_digest_t) link;
+};
+
 /* Stores a KASP key */
 struct dns_kasp_key {
 	isc_mem_t *mctx;
@ -80,9 +86,9 @@ struct dns_kasp {
 	uint32_t signatures_validity_dnskey;

 	/* Configuration: Keys */
-	dns_kasp_keylist_t keys;
-	dns_ttl_t	   dnskey_ttl;
-	unsigned int	   cds_digesttype;
+	dns_kasp_digestlist_t digests;
+	dns_kasp_keylist_t    keys;
+	dns_ttl_t	      dnskey_ttl;

 	/* Configuration: Denial of existence */
 	bool		      nsec3;
@ -310,31 +316,6 @@ dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl);
 *\li   'kasp' is a valid, thawed kasp.
 */

-unsigned int
-dns_kasp_cdsdigesttype(dns_kasp_t *kasp);
-/*%<
- * Get CDS digest-type.
- *
- * Requires:
- *
- *\li   'kasp' is a valid, frozen kasp.
- *
- * Returns:
- *
- *\li   CDS digest-type.
- */
-
-void
-dns_kasp_setcdsdigesttype(dns_kasp_t *kasp, unsigned int digesttype);
-/*%<
- * Set CDS digest-type.
- * If 'digesttype' is not supported, this will not change the digest-type.
- *
- * Requires:
- *
- *\li   'kasp' is a valid, thawed kasp.
- */
-
 uint32_t
 dns_kasp_purgekeys(dns_kasp_t *kasp);
 /*%<
@ -737,4 +718,31 @@ dns_kasp_setnsec3param(dns_kasp_t *kasp, uint8_t iter, bool optout,
 *
 */

+dns_kasp_digestlist_t
+dns_kasp_digests(dns_kasp_t *kasp);
+/*%<
+ * Get the list of kasp CDS digest types.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li  #ISC_R_SUCCESS
+ *\li  #ISC_R_NOMEMORY
+ *
+ *\li  Other errors are possible.
+ */
+
+void
+dns_kasp_adddigest(dns_kasp_t *kasp, dns_dsdigest_t alg);
+/*%<
+ * Add a digest type.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
 ISC_LANG_ENDDECLS
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@ -95,6 +95,8 @@ typedef struct dns_iptable	   dns_iptable_t;
 typedef uint32_t		   dns_iterations_t;
 typedef struct dns_kasp		   dns_kasp_t;
 typedef ISC_LIST(dns_kasp_t) dns_kasplist_t;
+typedef struct dns_kasp_digest dns_kasp_digest_t;
+typedef ISC_LIST(dns_kasp_digest_t) dns_kasp_digestlist_t;
 typedef struct dns_kasp_key dns_kasp_key_t;
 typedef ISC_LIST(dns_kasp_key_t) dns_kasp_keylist_t;
 typedef struct dns_kasp_nsec3param dns_kasp_nsec3param_t;
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@ -715,6 +715,8 @@ dns_zone_getkasp(dns_zone_t *zone);

 void
 dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp);
+void
+dns_zone_setdefaultkasp(dns_zone_t *zone, dns_kasp_t *kasp);
 /*%<
 *	Set kasp for zone.  If a kasp is already set, it will be detached.
 *
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@ -34,6 +34,9 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
 	dns_kasp_t *kasp;
 	dns_kasp_t k = {
 		.magic = DNS_KASP_MAGIC,
+		.digests = ISC_LIST_INITIALIZER,
+		.keys = ISC_LIST_INITIALIZER,
+		.link = ISC_LINK_INITIALIZER,
 	};

 	REQUIRE(name != NULL);
@ -48,9 +51,6 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
 	isc_mutex_init(&kasp->lock);
 	isc_refcount_init(&kasp->references, 1);

-	ISC_LINK_INIT(kasp, link);
-	ISC_LIST_INIT(kasp->keys);
-
 	*kaspp = kasp;
 	return (ISC_R_SUCCESS);
 }
@ -66,8 +66,8 @@ dns_kasp_attach(dns_kasp_t *source, dns_kasp_t **targetp) {

 static void
 destroy(dns_kasp_t *kasp) {
-	dns_kasp_key_t *key;
-	dns_kasp_key_t *key_next;
+	dns_kasp_key_t *key, *key_next;
+	dns_kasp_digest_t *digest, *digest_next;

 	REQUIRE(!ISC_LINK_LINKED(kasp, link));

@ -78,6 +78,15 @@ destroy(dns_kasp_t *kasp) {
 	}
 	INSIST(ISC_LIST_EMPTY(kasp->keys));

+	for (digest = ISC_LIST_HEAD(kasp->digests); digest != NULL;
+	     digest = digest_next)
+	{
+		digest_next = ISC_LIST_NEXT(digest, link);
+		ISC_LIST_UNLINK(kasp->digests, digest, link);
+		isc_mem_put(kasp->mctx, digest, sizeof(*digest));
+	}
+	INSIST(ISC_LIST_EMPTY(kasp->digests));
+
 	isc_mutex_destroy(&kasp->lock);
 	isc_mem_free(kasp->mctx, kasp->name);
 	isc_mem_putanddetach(&kasp->mctx, kasp, sizeof(*kasp));
@ -190,24 +199,6 @@ dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl) {
 	kasp->dnskey_ttl = ttl;
 }

-unsigned int
-dns_kasp_cdsdigesttype(dns_kasp_t *kasp) {
-	REQUIRE(DNS_KASP_VALID(kasp));
-	REQUIRE(kasp->frozen);
-
-	return (kasp->cds_digesttype);
-}
-
-void
-dns_kasp_setcdsdigesttype(dns_kasp_t *kasp, unsigned int digesttype) {
-	REQUIRE(DNS_KASP_VALID(kasp));
-	REQUIRE(!kasp->frozen);
-
-	if (dst_ds_digest_supported(digesttype)) {
-		kasp->cds_digesttype = digesttype;
-	}
-}
-
 uint32_t
 dns_kasp_purgekeys(dns_kasp_t *kasp) {
 	REQUIRE(DNS_KASP_VALID(kasp));
@ -527,3 +518,25 @@ dns_kasp_setnsec3param(dns_kasp_t *kasp, uint8_t iter, bool optout,
 	kasp->nsec3param.optout = optout;
 	kasp->nsec3param.saltlen = saltlen;
 }
+
+dns_kasp_digestlist_t
+dns_kasp_digests(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->digests);
+}
+
+void
+dns_kasp_adddigest(dns_kasp_t *kasp, dns_dsdigest_t alg) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+
+	if (dst_ds_digest_supported(alg)) {
+		dns_kasp_digest_t *digest = isc_mem_get(kasp->mctx,
+							sizeof(*digest));
+		digest->digest = alg;
+		ISC_LINK_INIT(digest, link);
+		ISC_LIST_APPEND(kasp->digests, digest, link);
+	}
+}
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -352,6 +352,7 @@ struct dns_zone {
 	dns_view_t *view;
 	dns_view_t *prev_view;
 	dns_kasp_t *kasp;
+	dns_kasp_t *defaultkasp;
 	dns_checkmxfunc_t checkmx;
 	dns_checksrvfunc_t checksrv;
 	dns_checknsfunc_t checkns;
@ -1118,6 +1119,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx, unsigned int tid) {
 	zone->primaries = r;
 	zone->parentals = r;
 	zone->notify = r;
+	zone->defaultkasp = NULL;

 	result = isc_stats_create(mctx, &zone->gluecachestats,
 				  dns_gluecachestatscounter_max);
@ -1230,6 +1232,9 @@ zone_free(dns_zone_t *zone) {
 	if (zone->kasp != NULL) {
 		dns_kasp_detach(&zone->kasp);
 	}
+	if (zone->defaultkasp != NULL) {
+		dns_kasp_detach(&zone->defaultkasp);
+	}
 	if (!ISC_LIST_EMPTY(zone->checkds_ok)) {
 		clear_keylist(&zone->checkds_ok, zone->mctx);
 	}
@ -5714,6 +5719,20 @@ dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp) {
 	UNLOCK_ZONE(zone);
 }

+void
+dns_zone_setdefaultkasp(dns_zone_t *zone, dns_kasp_t *kasp) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->defaultkasp != NULL) {
+		dns_kasp_t *oldkasp = zone->defaultkasp;
+		zone->defaultkasp = NULL;
+		dns_kasp_detach(&oldkasp);
+	}
+	zone->defaultkasp = kasp;
+	UNLOCK_ZONE(zone);
+}
+
 dns_kasp_t *
 dns_zone_getkasp(dns_zone_t *zone) {
 	REQUIRE(DNS_ZONE_VALID(zone));
@ -20462,7 +20481,7 @@ zone_rekey(dns_zone_t *zone) {
 	KASP_UNLOCK(kasp);

 	if (result == ISC_R_SUCCESS) {
-		unsigned int cds_digesttype = DNS_DSDIGEST_SHA256;
+		dns_kasp_digestlist_t digests;
 		bool cdsdel = false;
 		bool cdnskeydel = false;
 		bool sane_diff, sane_dnskey;
@ -20477,7 +20496,7 @@ zone_rekey(dns_zone_t *zone) {
 				cdsdel = true;
 				cdnskeydel = true;
 			}
-			cds_digesttype = dns_kasp_cdsdigesttype(kasp);
+			digests = dns_kasp_digests(kasp);
 		} else {
 			/* Check if there is a CDS DELETE record. */
 			if (dns_rdataset_isassociated(&cdsset)) {
@ -20528,6 +20547,8 @@ zone_rekey(dns_zone_t *zone) {
 					}
 				}
 			}
+
+			digests = dns_kasp_digests(zone->defaultkasp);
 		}

 		/*
@ -20555,8 +20576,8 @@ zone_rekey(dns_zone_t *zone) {
 		 * Update CDS / CDNSKEY records.
 		 */
 		result = dns_dnssec_syncupdate(&dnskeys, &rmkeys, &cdsset,
-					       &cdnskeyset, now, cds_digesttype,
-					       ttl, &diff, mctx);
+					       &cdnskeyset, now, &digests, ttl,
+					       &diff, mctx);
 		if (result != ISC_R_SUCCESS) {
 			dnssec_log(zone, ISC_LOG_ERROR,
 				   "zone_rekey:couldn't update CDS/CDNSKEY: %s",
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@ -298,6 +298,32 @@ cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
 	return (ISC_R_SUCCESS);
 }

+static isc_result_t
+add_digest(dns_kasp_t *kasp, const cfg_obj_t *digest, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_textregion_t r;
+	dns_dsdigest_t alg;
+	const char *str = cfg_obj_asstring(digest);
+
+	DE_CONST(str, r.base);
+	r.length = strlen(str);
+	result = dns_dsdigest_fromtext(&alg, &r);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(digest, logctx, ISC_LOG_ERROR,
+			    "dnssec-policy: bad cds digest-type %s", str);
+		result = DNS_R_BADALG;
+	} else if (!dst_ds_digest_supported(alg)) {
+		cfg_obj_log(digest, logctx, ISC_LOG_ERROR,
+			    "dnssec-policy: unsupported cds "
+			    "digest-type %s",
+			    str);
+		result = DST_R_UNSUPPORTEDALG;
+	} else {
+		dns_kasp_adddigest(kasp, alg);
+	}
+	return (result);
+}
+
 isc_result_t
 cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 		    isc_mem_t *mctx, isc_log_t *logctx,
@ -312,7 +338,6 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 	const char *kaspname = NULL;
 	dns_kasp_t *kasp = NULL;
 	size_t i = 0;
-	unsigned int cds_digesttype = DNS_DSDIGEST_SHA256;
 	uint32_t sigrefresh = 0, sigvalidity = 0;
 	uint32_t dnskeyttl = 0, dsttl = 0, maxttl = 0;
 	uint32_t publishsafety = 0, retiresafety = 0;
@ -410,33 +435,20 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 	dns_kasp_setparentpropagationdelay(kasp, parentpropdelay);

 	/* Configuration: Keys */
-	(void)confget(maps, "cds-digest-type", &obj);
+	(void)confget(maps, "cds-digest-types", &obj);
 	if (obj != NULL) {
-		isc_textregion_t r;
-		dns_dsdigest_t alg;
-		const char *str = cfg_obj_asstring(obj);
-
-		DE_CONST(str, r.base);
-		r.length = strlen(str);
-		result = dns_dsdigest_fromtext(&alg, &r);
-		if (result != ISC_R_SUCCESS) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "dnssec-policy: bad cds digest-type %s",
-				    str);
-			result = DNS_R_BADALG;
-			goto cleanup;
+		for (element = cfg_list_first(obj); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			result = add_digest(kasp, cfg_listelt_value(element),
+					    logctx);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
 		}
-		if (!dst_ds_digest_supported(alg)) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "dnssec-policy: unsupported cds "
-				    "digest-type %s",
-				    str);
-			result = DST_R_UNSUPPORTEDALG;
-			goto cleanup;
-		}
-		cds_digesttype = (unsigned int)alg;
+	} else {
+		dns_kasp_adddigest(kasp, DNS_DSDIGEST_SHA256);
 	}
-	dns_kasp_setcdsdigesttype(kasp, cds_digesttype);

 	dnskeyttl = get_duration(maps, "dnskey-ttl", DNS_KASP_KEY_TTL);
 	dns_kasp_setdnskeyttl(kasp, dnskeyttl);
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@ -2193,7 +2193,7 @@ static cfg_type_t cfg_type_validityinterval = {
 * Clauses that can be found in a 'dnssec-policy' statement.
 */
 static cfg_clausedef_t dnssecpolicy_clauses[] = {
-	{ "cds-digest-type", &cfg_type_astring, 0 },
+	{ "cds-digest-types", &cfg_type_algorithmlist, 0 },
 	{ "dnskey-ttl", &cfg_type_duration, 0 },
 	{ "keys", &cfg_type_kaspkeys, 0 },
 	{ "max-zone-ttl", &cfg_type_duration, 0 },