diff --git a/bin/tests/system/statschannel/ns2/named.conf.in b/bin/tests/system/statschannel/ns2/named.conf.in
index 342d03b561..c2f4c1f278 100644
--- a/bin/tests/system/statschannel/ns2/named.conf.in
+++ b/bin/tests/system/statschannel/ns2/named.conf.in
@@ -24,6 +24,7 @@ options {
 notify no;
 minimal-responses no;
 version none; // make statistics independent of the version number
+ sig-signing-signatures 100;
 };
 statistics-channels { inet 10.53.0.2 port @EXTRAPORT1@ allow { localhost; }; };
diff --git a/bin/tests/system/statschannel/ns2/named2.conf.in b/bin/tests/system/statschannel/ns2/named2.conf.in
index c726ae4220..f93bf94e75 100644
--- a/bin/tests/system/statschannel/ns2/named2.conf.in
+++ b/bin/tests/system/statschannel/ns2/named2.conf.in
@@ -24,6 +24,7 @@ options {
 notify no;
 minimal-responses no;
 version none; // make statistics independent of the version number
+ sig-signing-signatures 100;
 };
 statistics-channels { inet 10.53.0.2 port @EXTRAPORT1@ allow { localhost; }; };
diff --git a/bin/tests/system/statschannel/ns2/sign.sh b/bin/tests/system/statschannel/ns2/sign.sh
index b9d2ed72d3..a4df397a2a 100644
--- a/bin/tests/system/statschannel/ns2/sign.sh
+++ b/bin/tests/system/statschannel/ns2/sign.sh
@@ -16,13 +16,18 @@ set -e
+longago="now-1y"
+keytimes="-P ${longago} -A ${longago}"
+O="omnipresent"
+
 zone=dnssec.
 infile=dnssec.db.in
-zonefile=dnssec.db.signed
+zonefile=dnssec.db
+cp $infile $zonefile
 ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -L 3600 -b "$DEFAULT_BITS" -f KSK "$zone")
 zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -L 3600 -b "$DEFAULT_BITS" "$zone")
 # Sign deliberately with a very short expiration date.
-"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" >"signzone.out.$zone" 2>&1
+"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" "$zonefile" >"signzone.out.$zone" 2>&1
 id=$(keyfile_to_key_id "$ksk")
 echo "$DEFAULT_ALGORITHM_NUMBER+$id" >dnssec.ksk.id
 id=$(keyfile_to_key_id "$zsk")
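Review bot: The added `sig-signing-signatures 100;` is the only option in this block without a rationale, while the neighbouring `version none;` explains why it matters for the statistics checks, so a reader cannot tell from the config why the default was raised or how it ties to the sign-statistics expectations in tests.sh. I would add a same-style trailing comment, e.g. `sig-signing-signatures 100; // presumably lets all pending re-signs finish in one pass so the sign counters stay deterministic — confirm`. The identical line is added to named2.conf.in in the next hunk and should carry the same comment.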
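Review bot: The new `cp $infile $zonefile` leaves both expansions unquoted while every other new and existing line in this hunk quotes its variables (`"$zone"`, `"$zonefile"`), so it is both inconsistent and a ShellCheck SC2086 finding; make it `cp "$infile" "$zonefile"`. `keytimes="-P ${longago} -A ${longago}"` is only useful when expanded unquoted so that it splits into two options, which runs against the file's quoting habit and is easy to "fix" wrongly later; a one-line comment such as `# keytimes is expanded unquoted on purpose: it carries two dnssec-keygen options` would protect it. Nothing in this hunk uses `keytimes` or `O`; both are consumed in the following hunk.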
@@ -30,16 +35,22 @@ echo "$DEFAULT_ALGORITHM_NUMBER+$id" >dnssec.zsk.id
 zone=manykeys.
 infile=manykeys.db.in
-zonefile=manykeys.db.signed
-ksk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 -f KSK "$zone")
-zsk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 "$zone")
+zonefile=manykeys.db
+cp $infile $zonefile
+ksk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 -f KSK $keytimes -P sync $longago "$zone")
+zsk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 $keytimes "$zone")
+$SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$ksk8" >settime.out.$zone 2>&1
+$SETTIME -s -g $O -k $O $longago -z $O $longago "$zsk8" >settime.out.$zone 2>&1
+cat $ksk8.key $zsk8.key >>$zonefile
 ksk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -L 3600 -b 256 -f KSK "$zone")
 zsk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -L 3600 -b 256 "$zone")
+cat $ksk13.key $zsk13.key >>$zonefile
 ksk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -L 3600 -b 384 -f KSK "$zone")
 zsk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -L 3600 -b 384 "$zone")
+cat $ksk14.key $zsk14.key >>$zonefile
 # Sign deliberately with a very short expiration date.
 # Disable zone verification (-P) as records may expire before signing is complete
-"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" >"signzone.out.$zone" 2>&1
+"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" "$zonefile" >"signzone.out.$zone" 2>&1
 id=$(keyfile_to_key_id "$ksk8")
 echo "8+$id" >manykeys.ksk8.id
 id=$(keyfile_to_key_id "$zsk8")
diff --git a/bin/tests/system/statschannel/tests.sh b/bin/tests/system/statschannel/tests.sh
index 8a343fe1b5..f681649331 100644
--- a/bin/tests/system/statschannel/tests.sh
+++ b/bin/tests/system/statschannel/tests.sh
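Review bot: Both new `$SETTIME` invocations redirect to the same `>settime.out.$zone`, so the ZSK run truncates the file and the KSK run's output is lost before anyone can read it; since `settime.out.*` is being added to the test artifacts in this commit, presumably to be kept for debugging, the second call should append (`>>settime.out.$zone 2>&1`) or write to a per-key file. `$SETTIME` is also the only tool variable in the script expanded unquoted, whereas `"$KEYGEN"` and `"$SIGNER"` are quoted on the surrounding lines; `"$SETTIME"` keeps the style uniform. The purpose of the three `cat $ksk*.key $zsk*.key >>$zonefile` lines is not stated anywhere in the hunk; a one-line comment above the first one saying why the public keys are now placed in the zone file before signing would spare the next reader a trip through the signer's options.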
@@ -392,22 +392,22 @@ ksk13_id=$(cat ns2/$zone.ksk13.id)
 zsk13_id=$(cat ns2/$zone.zsk13.id)
 ksk14_id=$(cat ns2/$zone.ksk14.id)
 zsk14_id=$(cat ns2/$zone.zsk14.id)
-# The dnssec zone has 10 RRsets to sign (including NSEC) with the ZSKs and one
-# RRset (DNSKEY) with the KSKs. So starting named with signatures that expire
-# almost right away, this should trigger 10 zsk and 1 ksk sign operations per
-# key.
+# The dnssec zone has 10 RRsets to sign (including NSEC) with the ZSKs and the
+# DNSKEY, CDS, and CDNSKEY RRsets with the KSKs. So starting named with
+# signatures that expire almost right away, this should trigger 10 zsk and 3
+# ksk sign operations per key.
 echo "${refresh_prefix} ${zsk8_id}: 10" >zones.expect
 echo "${refresh_prefix} ${zsk13_id}: 10" >>zones.expect
 echo "${refresh_prefix} ${zsk14_id}: 10" >>zones.expect
-echo "${refresh_prefix} ${ksk8_id}: 1" >>zones.expect
-echo "${refresh_prefix} ${ksk13_id}: 1" >>zones.expect
-echo "${refresh_prefix} ${ksk14_id}: 1" >>zones.expect
+echo "${refresh_prefix} ${ksk8_id}: 3" >>zones.expect
+echo "${refresh_prefix} ${ksk13_id}: 3" >>zones.expect
+echo "${refresh_prefix} ${ksk14_id}: 3" >>zones.expect
 echo "${sign_prefix} ${zsk8_id}: 10" >>zones.expect
 echo "${sign_prefix} ${zsk13_id}: 10" >>zones.expect
 echo "${sign_prefix} ${zsk14_id}: 10" >>zones.expect
-echo "${sign_prefix} ${ksk8_id}: 1" >>zones.expect
-echo "${sign_prefix} ${ksk13_id}: 1" >>zones.expect
-echo "${sign_prefix} ${ksk14_id}: 1" >>zones.expect
+echo "${sign_prefix} ${ksk8_id}: 3" >>zones.expect
+echo "${sign_prefix} ${ksk13_id}: 3" >>zones.expect
+echo "${sign_prefix} ${ksk14_id}: 3" >>zones.expect
 cat zones.expect | sort >zones.expect.$n
 rm -f zones.expect
 # Fetch and check the dnssec sign statistics.
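Review bot: The new comment attributes the three KSK operations to the DNSKEY, CDS and CDNSKEY RRsets but does not say where those RRsets come from: in the sign.sh hunk only `ksk8` is generated with `-P sync $longago`, yet the expectations below require `ksk13_id` and `ksk14_id` to reach 3 as well, which only holds if every active KSK signs the CDS/CDNSKEY RRsets regardless of which key they describe. Stating that in the comment (`# CDS/CDNSKEY are published for ksk8 only, but every active KSK signs those RRsets`) would make the 3 self-explanatory, assuming that is the mechanism. The literal 3 is now repeated in six echo lines here, six more in the hunk at -437, and as 6 in the hunk at -466; a variable such as `ksk_rrsets=3` defined next to this comment would keep the three blocks in step the next time the set of KSK-signed RRsets changes.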
@@ -437,15 +437,15 @@ ret=0
 echo "${refresh_prefix} ${zsk8_id}: 10" >zones.expect
 echo "${refresh_prefix} ${zsk13_id}: 10" >>zones.expect
 echo "${refresh_prefix} ${zsk14_id}: 10" >>zones.expect
-echo "${refresh_prefix} ${ksk8_id}: 1" >>zones.expect
-echo "${refresh_prefix} ${ksk13_id}: 1" >>zones.expect
-echo "${refresh_prefix} ${ksk14_id}: 1" >>zones.expect
+echo "${refresh_prefix} ${ksk8_id}: 3" >>zones.expect
+echo "${refresh_prefix} ${ksk13_id}: 3" >>zones.expect
+echo "${refresh_prefix} ${ksk14_id}: 3" >>zones.expect
 echo "${sign_prefix} ${zsk8_id}: 13" >>zones.expect
 echo "${sign_prefix} ${zsk13_id}: 13" >>zones.expect
 echo "${sign_prefix} ${zsk14_id}: 13" >>zones.expect
-echo "${sign_prefix} ${ksk8_id}: 1" >>zones.expect
-echo "${sign_prefix} ${ksk13_id}: 1" >>zones.expect
-echo "${sign_prefix} ${ksk14_id}: 1" >>zones.expect
+echo "${sign_prefix} ${ksk8_id}: 3" >>zones.expect
+echo "${sign_prefix} ${ksk13_id}: 3" >>zones.expect
+echo "${sign_prefix} ${ksk14_id}: 3" >>zones.expect
 cat zones.expect | sort >zones.expect.$n
 rm -f zones.expect
 # Fetch and check the dnssec sign statistics.
@@ -466,15 +466,15 @@ n=$((n + 1))
 ret=0
 copy_setports ns2/named2.conf.in ns2/named.conf
 $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/I:ns2 /'
-# This should trigger the resign of DNSKEY (+1 ksk), and SOA, NSEC,
-# TYPE65534 (+3 zsk). The dnssec-sign statistics for the removed keys should
-# be cleared and thus no longer visible. But NSEC and SOA are (mistakenly)
-# counted double, one time because of zone_resigninc and one time because of
-# zone_nsec3chain. So +5 zsk in total.
+# This should trigger the resign of DNSKEY, CDS, and CDNSKEY (+3 ksk),
+# and SOA, NSEC, TYPE65534 (+3 zsk). The dnssec-sign statistics for the
+# removed keys should be cleared and thus no longer visible. But NSEC and SOA
+# are (mistakenly) counted double, one time because of zone_resigninc and one
+# time because of zone_nsec3chain. So +5 zsk in total.
 echo "${refresh_prefix} ${zsk8_id}: 15" >zones.expect
-echo "${refresh_prefix} ${ksk8_id}: 2" >>zones.expect
+echo "${refresh_prefix} ${ksk8_id}: 6" >>zones.expect
 echo "${sign_prefix} ${zsk8_id}: 18" >>zones.expect
-echo "${sign_prefix} ${ksk8_id}: 2" >>zones.expect
+echo "${sign_prefix} ${ksk8_id}: 6" >>zones.expect
 cat zones.expect | sort >zones.expect.$n
 rm -f zones.expect
 # Fetch and check the dnssec sign statistics.
diff --git a/bin/tests/system/statschannel/tests_json.py b/bin/tests/system/statschannel/tests_json.py
index 21f2402243..6a2dbc9f96 100755
--- a/bin/tests/system/statschannel/tests_json.py
+++ b/bin/tests/system/statschannel/tests_json.py
@@ -31,8 +31,11 @@ pytestmark = [
 "ns2/dsset-*",
 "ns2/K*",
 "ns2/dnssec.db.signed",
+ "ns2/dnssec.db",
 "ns2/dnssec.*.id",
+ "ns2/manykeys.db",
 "ns2/manykeys.*.id",
+ "ns2/settime.out.*",
 "ns2/signzone.out.*",
 "ns3/_default.nzd",
 "ns3/example-tcp.db",
diff --git a/bin/tests/system/statschannel/tests_sh_statschannel.py b/bin/tests/system/statschannel/tests_sh_statschannel.py
index 2f7a826aa4..7b5788010d 100644
--- a/bin/tests/system/statschannel/tests_sh_statschannel.py
+++ b/bin/tests/system/statschannel/tests_sh_statschannel.py
@@ -31,11 +31,15 @@ pytestmark = pytest.mark.extra_artifacts(
 "zones*",
 "ns2/*.jnl",
 "ns2/*.signed",
+ "ns2/*.db",
 "ns2/dsset-*",
 "ns2/K*",
+ "ns2/dnssec.db",
 "ns2/dnssec.*.id",
+ "ns2/manykeys.db",
 "ns2/manykeys.*.id",
 "ns2/named.stats",
+ "ns2/settime.out.*",
 "ns2/signzone.out.*",
 "ns3/_default.nzf*",
 "ns3/_default.nzd*",
diff --git a/bin/tests/system/statschannel/tests_xml.py b/bin/tests/system/statschannel/tests_xml.py
index 796eea9d24..59fbcf0b06 100755
--- a/bin/tests/system/statschannel/tests_xml.py
+++ b/bin/tests/system/statschannel/tests_xml.py
@@ -31,8 +31,11 @@ pytestmark = [
 "ns2/*.jnl",
 "ns2/*.signed",
 "ns2/dsset-*",
+ "ns2/dnssec.db",
 "ns2/dnssec.*.id",
+ "ns2/manykeys.db",
 "ns2/manykeys.*.id",
+ "ns2/settime.out.*",
 "ns2/signzone.out.*",
 "ns3/_default.nzd",
 "ns3/example-tcp.db",
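Review bot: In tests_sh_statschannel.py the new `"ns2/*.db"` pattern already matches the two explicit entries `"ns2/dnssec.db"` and `"ns2/manykeys.db"` added in the same hunk, so two of the three additions are redundant. Either keep only the glob or, to stay aligned with tests_json.py and tests_xml.py, which list only the explicit file names, drop `"ns2/*.db"`. The `pytestmark` call this list belongs to starts and ends outside the hunk.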