diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh
index 637e5e0ce7..1ed1c80f0d 100644
--- a/bin/tests/system/kasp/clean.sh
+++ b/bin/tests/system/kasp/clean.sh
@@ -18,6 +18,7 @@ rm -f ./K*.private ./K*.key ./K*.state ./K*.cmp
 rm -rf ./keys/
 rm -f dig.out* rrsig.out.* keyevent.out.*
 rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
+rm -f ns*/named-fips.conf
 rm -f ns*/policies/*.conf
 rm -f ns*/*.jnl ns*/*.jbk
 rm -f ns*/K*.private ns*/K*.key ns*/K*.state
diff --git a/bin/tests/system/kasp/kasp.conf b/bin/tests/system/kasp/kasp.conf
index b706558f7f..e7a2eab966 100644
--- a/bin/tests/system/kasp/kasp.conf
+++ b/bin/tests/system/kasp/kasp.conf
@@ -21,7 +21,7 @@ dnssec-policy "kasp" {
 keys {
 csk key-directory lifetime P1Y algorithm 13;
 ksk key-directory lifetime P1Y algorithm 8;
- zsk key-directory lifetime P30D algorithm 8 1024;
- zsk key-directory lifetime P6M algorithm 8 2000;
+ zsk key-directory lifetime P30D algorithm 8 2048;
+ zsk key-directory lifetime P6M algorithm 8 3072;
 };
 };
diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in
new file mode 100644
index 0000000000..8b4e9903f1
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/named-fips.conf.in
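Review bot: The two ZSK lines of the `kasp` policy change the RSA modulus from 1024 and 2000 bits to 2048 and 3072 with no comment recording why, and nothing in the hunk preserves the point of the original setup, which was two ZSKs of different lengths under one policy. A trailing comment would keep the intent visible, e.g. `zsk key-directory lifetime P6M algorithm 8 3072; // two distinct sizes, both accepted in FIPS mode`; that FIPS is the motivation is inferred from the named-fips.conf and kasp-fips.conf files added elsewhere in this commit, not stated here. Any test that asserts these key sizes (tests.sh is not part of the diff) would need the same update.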
@@ -0,0 +1,451 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +include "policies/kasp.conf"; +include "policies/autosign.conf"; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + dnssec-policy "rsasha256"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* Zones that are getting initially signed */ + +/* The default case: No keys created, using default policy. */ +zone "default.kasp" { + type primary; + file "default.kasp.db"; + dnssec-policy "default"; +}; + +/* checkds: Zone with one KSK. */ +zone "checkds-ksk.kasp" { + type primary; + file "checkds-ksk.kasp.db"; + dnssec-policy "checkds-ksk"; +}; + +/* checkds: Zone with two KSKs. */ +zone "checkds-doubleksk.kasp" { + type primary; + file "checkds-doubleksk.kasp.db"; + dnssec-policy "checkds-doubleksk"; +}; + +/* checkds: Zone with one CSK. */ +zone "checkds-csk.kasp" { + type primary; + file "checkds-csk.kasp.db"; + dnssec-policy "checkds-csk"; +}; + +/* Key lifetime unlimited. */ +zone "unlimited.kasp" { + type primary; + file "unlimited.kasp.db"; + dnssec-policy "unlimited"; +}; + +/* Manual rollover. */ +zone "manual-rollover.kasp" { + type primary; + file "manual-rollover.kasp.db"; + dnssec-policy "manual-rollover"; +}; + +/* A zone that inherits dnssec-policy. 
*/ +zone "inherit.kasp" { + type primary; + file "inherit.kasp.db"; +}; + +/* A zone that overrides dnssec-policy. */ +zone "unsigned.kasp" { + type primary; + file "unsigned.kasp.db"; + dnssec-policy "none"; +}; + +/* A zone that is initially set to insecure. */ +zone "insecure.kasp" { + type primary; + file "insecure.kasp.db"; + dnssec-policy "insecure"; +}; + +/* A primary zone with dnssec-policy but keys already created. */ +zone "dnssec-keygen.kasp" { + type primary; + file "dnssec-keygen.kasp.db"; + dnssec-policy "rsasha256"; +}; + +/* A secondary zone with dnssec-policy. */ +zone "secondary.kasp" { + type secondary; + primaries { 10.53.0.2; }; + file "secondary.kasp.db"; + dnssec-policy "rsasha256"; +}; + +/* A dynamic zone with dnssec-policy. */ +zone "dynamic.kasp" { + type primary; + file "dynamic.kasp.db"; + dnssec-policy "default"; + allow-update { any; }; +}; + +/* A dynamic inline-signed zone with dnssec-policy. */ +zone "dynamic-inline-signing.kasp" { + type primary; + file "dynamic-inline-signing.kasp.db"; + dnssec-policy "default"; + allow-update { any; }; + inline-signing yes; +}; + +/* An inline-signed zone with dnssec-policy. */ +zone "inline-signing.kasp" { + type primary; + file "inline-signing.kasp.db"; + dnssec-policy "default"; + inline-signing yes; +}; + +/* + * A configured dnssec-policy but some keys already created. + */ +zone "some-keys.kasp" { + type primary; + file "some-keys.kasp.db"; + dnssec-policy "rsasha256"; +}; + +/* + * A configured dnssec-policy but some keys already in use. + */ +zone "legacy-keys.kasp" { + type primary; + file "legacy-keys.kasp.db"; + dnssec-policy "migrate-to-dnssec-policy"; +}; + +/* + * A configured dnssec-policy with (too) many keys pregenerated. + */ +zone "pregenerated.kasp" { + type primary; + file "pregenerated.kasp.db"; + dnssec-policy "rsasha256"; +}; + +/* + * A configured dnssec-policy with one rumoured key. + * Bugfix case for GL #1593. 
+ */ +zone "rumoured.kasp" { + type primary; + file "rumoured.kasp.db"; + dnssec-policy "rsasha256"; +}; + +/* RFC 8901 Multi-signer Model 2. */ +zone "multisigner-model2.kasp" { + type primary; + file "multisigner-model2.kasp.db"; + dnssec-policy "multisigner-model2"; + allow-update { any; }; +}; + +/* + * Different algorithms. + */ +zone "rsasha256.kasp" { + type primary; + file "rsasha256.kasp.db"; + dnssec-policy "rsasha256"; +}; +zone "rsasha512.kasp" { + type primary; + file "rsasha512.kasp.db"; + dnssec-policy "rsasha512"; +}; +zone "ecdsa256.kasp" { + type primary; + file "ecdsa256.kasp.db"; + dnssec-policy "ecdsa256"; +}; +zone "ecdsa384.kasp" { + type primary; + file "ecdsa384.kasp.db"; + dnssec-policy "ecdsa384"; +}; + +/* + * Zone with too high TTL. + */ +zone "max-zone-ttl.kasp" { + type primary; + file "max-zone-ttl.kasp.db"; + dnssec-policy "ttl"; +}; + +/* + * Zones in different signing states. + */ + +/* + * Zone that has expired signatures. + */ +zone "expired-sigs.autosign" { + type primary; + file "expired-sigs.autosign.db"; + dnssec-policy "autosign"; +}; + +/* + * Zone that has valid, fresh signatures. + */ +zone "fresh-sigs.autosign" { + type primary; + file "fresh-sigs.autosign.db"; + dnssec-policy "autosign"; +}; + +/* + * Zone that has unfresh signatures. + */ +zone "unfresh-sigs.autosign" { + type primary; + file "unfresh-sigs.autosign.db"; + dnssec-policy "autosign"; +}; + +/* + * Zone that has missing private KSK. + */ +zone "ksk-missing.autosign" { + type primary; + file "ksk-missing.autosign.db"; + dnssec-policy "autosign"; +}; + +/* + * Zone that has missing private ZSK. + */ +zone "zsk-missing.autosign" { + type primary; + file "zsk-missing.autosign.db"; + dnssec-policy "autosign"; +}; + +/* + * Zone that has inactive ZSK. + */ +zone "zsk-retired.autosign" { + type primary; + file "zsk-retired.autosign.db"; + dnssec-policy "autosign"; +}; + +/* + * Zones for testing enabling DNSSEC. 
+ */ +zone "step1.enable-dnssec.autosign" { + type primary; + file "step1.enable-dnssec.autosign.db"; + dnssec-policy "enable-dnssec"; +}; +zone "step2.enable-dnssec.autosign" { + type primary; + file "step2.enable-dnssec.autosign.db"; + dnssec-policy "enable-dnssec"; +}; +zone "step3.enable-dnssec.autosign" { + type primary; + file "step3.enable-dnssec.autosign.db"; + dnssec-policy "enable-dnssec"; +}; +zone "step4.enable-dnssec.autosign" { + type primary; + file "step4.enable-dnssec.autosign.db"; + dnssec-policy "enable-dnssec"; +}; + +/* + * Zones for testing ZSK Pre-Publication steps. + */ +zone "step1.zsk-prepub.autosign" { + type primary; + file "step1.zsk-prepub.autosign.db"; + dnssec-policy "zsk-prepub"; +}; +zone "step2.zsk-prepub.autosign" { + type primary; + file "step2.zsk-prepub.autosign.db"; + dnssec-policy "zsk-prepub"; +}; +zone "step3.zsk-prepub.autosign" { + type primary; + file "step3.zsk-prepub.autosign.db"; + dnssec-policy "zsk-prepub"; +}; +zone "step4.zsk-prepub.autosign" { + type primary; + file "step4.zsk-prepub.autosign.db"; + dnssec-policy "zsk-prepub"; +}; +zone "step5.zsk-prepub.autosign" { + type primary; + file "step5.zsk-prepub.autosign.db"; + dnssec-policy "zsk-prepub"; +}; +zone "step6.zsk-prepub.autosign" { + type primary; + file "step6.zsk-prepub.autosign.db"; + dnssec-policy "zsk-prepub"; +}; + +/* + * Zones for testing KSK Double-KSK steps. 
+ */ +zone "step1.ksk-doubleksk.autosign" { + type primary; + file "step1.ksk-doubleksk.autosign.db"; + dnssec-policy "ksk-doubleksk"; +}; +zone "step2.ksk-doubleksk.autosign" { + type primary; + file "step2.ksk-doubleksk.autosign.db"; + dnssec-policy "ksk-doubleksk"; +}; +zone "step3.ksk-doubleksk.autosign" { + type primary; + file "step3.ksk-doubleksk.autosign.db"; + dnssec-policy "ksk-doubleksk"; +}; +zone "step4.ksk-doubleksk.autosign" { + type primary; + file "step4.ksk-doubleksk.autosign.db"; + dnssec-policy "ksk-doubleksk"; +}; +zone "step5.ksk-doubleksk.autosign" { + type primary; + file "step5.ksk-doubleksk.autosign.db"; + dnssec-policy "ksk-doubleksk"; +}; +zone "step6.ksk-doubleksk.autosign" { + type primary; + file "step6.ksk-doubleksk.autosign.db"; + dnssec-policy "ksk-doubleksk"; +}; + +/* + * Zones for testing CSK rollover steps. + */ +zone "step1.csk-roll.autosign" { + type primary; + file "step1.csk-roll.autosign.db"; + dnssec-policy "csk-roll"; +}; +zone "step2.csk-roll.autosign" { + type primary; + file "step2.csk-roll.autosign.db"; + dnssec-policy "csk-roll"; +}; +zone "step3.csk-roll.autosign" { + type primary; + file "step3.csk-roll.autosign.db"; + dnssec-policy "csk-roll"; +}; +zone "step4.csk-roll.autosign" { + type primary; + file "step4.csk-roll.autosign.db"; + dnssec-policy "csk-roll"; +}; +zone "step5.csk-roll.autosign" { + type primary; + file "step5.csk-roll.autosign.db"; + dnssec-policy "csk-roll"; +}; +zone "step6.csk-roll.autosign" { + type primary; + file "step6.csk-roll.autosign.db"; + dnssec-policy "csk-roll"; +}; +zone "step7.csk-roll.autosign" { + type primary; + file "step7.csk-roll.autosign.db"; + dnssec-policy "csk-roll"; +}; +zone "step8.csk-roll.autosign" { + type primary; + file "step8.csk-roll.autosign.db"; + dnssec-policy "csk-roll"; +}; + +zone "step1.csk-roll2.autosign" { + type primary; + file "step1.csk-roll2.autosign.db"; + dnssec-policy "csk-roll2"; +}; +zone "step2.csk-roll2.autosign" { + type primary; + file 
"step2.csk-roll2.autosign.db"; + dnssec-policy "csk-roll2"; +}; +zone "step3.csk-roll2.autosign" { + type primary; + file "step3.csk-roll2.autosign.db"; + dnssec-policy "csk-roll2"; +}; +zone "step4.csk-roll2.autosign" { + type primary; + file "step4.csk-roll2.autosign.db"; + dnssec-policy "csk-roll2"; +}; +zone "step5.csk-roll2.autosign" { + type primary; + file "step5.csk-roll2.autosign.db"; + dnssec-policy "csk-roll2"; +}; +zone "step6.csk-roll2.autosign" { + type primary; + file "step6.csk-roll2.autosign.db"; + dnssec-policy "csk-roll2"; +}; +zone "step7.csk-roll2.autosign" { + type primary; + file "step7.csk-roll2.autosign.db"; + dnssec-policy "csk-roll2"; +}; diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in index b77f463df7..921ecc89d1 100644 --- a/bin/tests/system/kasp/ns3/named.conf.in +++ b/bin/tests/system/kasp/ns3/named.conf.in 
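Review bot: The file is named as the FIPS configuration, yet its first statement is `include "policies/kasp.conf";`, and later in this commit that file keeps the `rsasha1` and `rsasha1-nsec3` policy definitions next to the new `include "policies/kasp-fips.conf";`, so a server started from named-fips.conf alone still parses RSASHA1 policies; whether a FIPS build tolerates a defined-but-unreferenced policy is not visible in this diff. If the intent is that this file reaches only FIPS-acceptable material it should include `policies/kasp-fips.conf` directly; otherwise a header comment after the `// NS3` line should state the layering, e.g. `// Server configuration that does not need RSASHA1; named.conf.in includes this file and appends the RSASHA1 zones.`. Note also that the options block sets `dnssec-policy "rsasha256";` as the server default, so `inherit.kasp` now inherits RSASHA256 where the old named.conf.in gave it rsasha1; the zone comment `/* A zone that inherits dnssec-policy. */` could name the policy it now inherits so the expectation is explicit.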
@@ -13,451 +13,16 @@ // NS3 -include "policies/kasp.conf"; -include "policies/autosign.conf"; +include "named-fips.conf"; -options { - query-source address 10.53.0.3; - notify-source 10.53.0.3; - transfer-source 10.53.0.3; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.3; }; - listen-on-v6 { none; }; - allow-transfer { any; }; - recursion no; - dnssec-policy "rsasha1"; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -/* Zones that are getting initially signed */ - -/* The default case: No keys created, using default policy. */ -zone "default.kasp" { - type primary; - file "default.kasp.db"; - dnssec-policy "default"; -}; - -/* checkds: Zone with one KSK. */ -zone "checkds-ksk.kasp" { - type primary; - file "checkds-ksk.kasp.db"; - dnssec-policy "checkds-ksk"; -}; - -/* checkds: Zone with two KSKs. */ -zone "checkds-doubleksk.kasp" { - type primary; - file "checkds-doubleksk.kasp.db"; - dnssec-policy "checkds-doubleksk"; -}; - -/* checkds: Zone with one CSK. */ -zone "checkds-csk.kasp" { - type primary; - file "checkds-csk.kasp.db"; - dnssec-policy "checkds-csk"; -}; - -/* Key lifetime unlimited. */ -zone "unlimited.kasp" { - type primary; - file "unlimited.kasp.db"; - dnssec-policy "unlimited"; -}; - -/* Manual rollover. */ -zone "manual-rollover.kasp" { - type primary; - file "manual-rollover.kasp.db"; - dnssec-policy "manual-rollover"; -}; - -/* A primary zone with dnssec-policy, no keys created. */ zone "rsasha1.kasp" { type primary; file "rsasha1.kasp.db"; dnssec-policy "rsasha1"; }; -/* A zone that inherits dnssec-policy. */ -zone "inherit.kasp" { - type primary; - file "inherit.kasp.db"; -}; - -/* A zone that overrides dnssec-policy. */ -zone "unsigned.kasp" { - type primary; - file "unsigned.kasp.db"; - dnssec-policy "none"; -}; - -/* A zone that is initially set to insecure. 
*/ -zone "insecure.kasp" { - type primary; - file "insecure.kasp.db"; - dnssec-policy "insecure"; -}; - -/* A primary zone with dnssec-policy but keys already created. */ -zone "dnssec-keygen.kasp" { - type primary; - file "dnssec-keygen.kasp.db"; - dnssec-policy "rsasha1"; -}; - -/* A secondary zone with dnssec-policy. */ -zone "secondary.kasp" { - type secondary; - primaries { 10.53.0.2; }; - file "secondary.kasp.db"; - dnssec-policy "rsasha1"; -}; - -/* A dynamic zone with dnssec-policy. */ -zone "dynamic.kasp" { - type primary; - file "dynamic.kasp.db"; - dnssec-policy "default"; - allow-update { any; }; -}; - -/* A dynamic inline-signed zone with dnssec-policy. */ -zone "dynamic-inline-signing.kasp" { - type primary; - file "dynamic-inline-signing.kasp.db"; - dnssec-policy "default"; - allow-update { any; }; - inline-signing yes; -}; - -/* An inline-signed zone with dnssec-policy. */ -zone "inline-signing.kasp" { - type primary; - file "inline-signing.kasp.db"; - dnssec-policy "default"; - inline-signing yes; -}; - -/* - * A configured dnssec-policy but some keys already created. - */ -zone "some-keys.kasp" { - type primary; - file "some-keys.kasp.db"; - dnssec-policy "rsasha1"; -}; - -/* - * A configured dnssec-policy but some keys already in use. - */ -zone "legacy-keys.kasp" { - type primary; - file "legacy-keys.kasp.db"; - dnssec-policy "migrate-to-dnssec-policy"; -}; - -/* - * A configured dnssec-policy with (too) many keys pregenerated. - */ -zone "pregenerated.kasp" { - type primary; - file "pregenerated.kasp.db"; - dnssec-policy "rsasha1"; -}; - -/* - * A configured dnssec-policy with one rumoured key. - * Bugfix case for GL #1593. - */ -zone "rumoured.kasp" { - type primary; - file "rumoured.kasp.db"; - dnssec-policy "rsasha1"; -}; - -/* RFC 8901 Multi-signer Model 2. 
*/ -zone "multisigner-model2.kasp" { - type primary; - file "multisigner-model2.kasp.db"; - dnssec-policy "multisigner-model2"; - allow-update { any; }; -}; - -/* - * Different algorithms. - */ zone "rsasha1-nsec3.kasp" { type primary; file "rsasha1-nsec3.kasp.db"; dnssec-policy "rsasha1-nsec3"; }; -zone "rsasha256.kasp" { - type primary; - file "rsasha256.kasp.db"; - dnssec-policy "rsasha256"; -}; -zone "rsasha512.kasp" { - type primary; - file "rsasha512.kasp.db"; - dnssec-policy "rsasha512"; -}; -zone "ecdsa256.kasp" { - type primary; - file "ecdsa256.kasp.db"; - dnssec-policy "ecdsa256"; -}; -zone "ecdsa384.kasp" { - type primary; - file "ecdsa384.kasp.db"; - dnssec-policy "ecdsa384"; -}; - -/* - * Zone with too high TTL. - */ -zone "max-zone-ttl.kasp" { - type primary; - file "max-zone-ttl.kasp.db"; - dnssec-policy "ttl"; -}; - -/* - * Zones in different signing states. - */ - -/* - * Zone that has expired signatures. - */ -zone "expired-sigs.autosign" { - type primary; - file "expired-sigs.autosign.db"; - dnssec-policy "autosign"; -}; - -/* - * Zone that has valid, fresh signatures. - */ -zone "fresh-sigs.autosign" { - type primary; - file "fresh-sigs.autosign.db"; - dnssec-policy "autosign"; -}; - -/* - * Zone that has unfresh signatures. - */ -zone "unfresh-sigs.autosign" { - type primary; - file "unfresh-sigs.autosign.db"; - dnssec-policy "autosign"; -}; - -/* - * Zone that has missing private KSK. - */ -zone "ksk-missing.autosign" { - type primary; - file "ksk-missing.autosign.db"; - dnssec-policy "autosign"; -}; - -/* - * Zone that has missing private ZSK. - */ -zone "zsk-missing.autosign" { - type primary; - file "zsk-missing.autosign.db"; - dnssec-policy "autosign"; -}; - -/* - * Zone that has inactive ZSK. - */ -zone "zsk-retired.autosign" { - type primary; - file "zsk-retired.autosign.db"; - dnssec-policy "autosign"; -}; - -/* - * Zones for testing enabling DNSSEC. 
- */ -zone "step1.enable-dnssec.autosign" { - type primary; - file "step1.enable-dnssec.autosign.db"; - dnssec-policy "enable-dnssec"; -}; -zone "step2.enable-dnssec.autosign" { - type primary; - file "step2.enable-dnssec.autosign.db"; - dnssec-policy "enable-dnssec"; -}; -zone "step3.enable-dnssec.autosign" { - type primary; - file "step3.enable-dnssec.autosign.db"; - dnssec-policy "enable-dnssec"; -}; -zone "step4.enable-dnssec.autosign" { - type primary; - file "step4.enable-dnssec.autosign.db"; - dnssec-policy "enable-dnssec"; -}; - -/* - * Zones for testing ZSK Pre-Publication steps. - */ -zone "step1.zsk-prepub.autosign" { - type primary; - file "step1.zsk-prepub.autosign.db"; - dnssec-policy "zsk-prepub"; -}; -zone "step2.zsk-prepub.autosign" { - type primary; - file "step2.zsk-prepub.autosign.db"; - dnssec-policy "zsk-prepub"; -}; -zone "step3.zsk-prepub.autosign" { - type primary; - file "step3.zsk-prepub.autosign.db"; - dnssec-policy "zsk-prepub"; -}; -zone "step4.zsk-prepub.autosign" { - type primary; - file "step4.zsk-prepub.autosign.db"; - dnssec-policy "zsk-prepub"; -}; -zone "step5.zsk-prepub.autosign" { - type primary; - file "step5.zsk-prepub.autosign.db"; - dnssec-policy "zsk-prepub"; -}; -zone "step6.zsk-prepub.autosign" { - type primary; - file "step6.zsk-prepub.autosign.db"; - dnssec-policy "zsk-prepub"; -}; - -/* - * Zones for testing KSK Double-KSK steps. 
- */ -zone "step1.ksk-doubleksk.autosign" { - type primary; - file "step1.ksk-doubleksk.autosign.db"; - dnssec-policy "ksk-doubleksk"; -}; -zone "step2.ksk-doubleksk.autosign" { - type primary; - file "step2.ksk-doubleksk.autosign.db"; - dnssec-policy "ksk-doubleksk"; -}; -zone "step3.ksk-doubleksk.autosign" { - type primary; - file "step3.ksk-doubleksk.autosign.db"; - dnssec-policy "ksk-doubleksk"; -}; -zone "step4.ksk-doubleksk.autosign" { - type primary; - file "step4.ksk-doubleksk.autosign.db"; - dnssec-policy "ksk-doubleksk"; -}; -zone "step5.ksk-doubleksk.autosign" { - type primary; - file "step5.ksk-doubleksk.autosign.db"; - dnssec-policy "ksk-doubleksk"; -}; -zone "step6.ksk-doubleksk.autosign" { - type primary; - file "step6.ksk-doubleksk.autosign.db"; - dnssec-policy "ksk-doubleksk"; -}; - -/* - * Zones for testing CSK rollover steps. - */ -zone "step1.csk-roll.autosign" { - type primary; - file "step1.csk-roll.autosign.db"; - dnssec-policy "csk-roll"; -}; -zone "step2.csk-roll.autosign" { - type primary; - file "step2.csk-roll.autosign.db"; - dnssec-policy "csk-roll"; -}; -zone "step3.csk-roll.autosign" { - type primary; - file "step3.csk-roll.autosign.db"; - dnssec-policy "csk-roll"; -}; -zone "step4.csk-roll.autosign" { - type primary; - file "step4.csk-roll.autosign.db"; - dnssec-policy "csk-roll"; -}; -zone "step5.csk-roll.autosign" { - type primary; - file "step5.csk-roll.autosign.db"; - dnssec-policy "csk-roll"; -}; -zone "step6.csk-roll.autosign" { - type primary; - file "step6.csk-roll.autosign.db"; - dnssec-policy "csk-roll"; -}; -zone "step7.csk-roll.autosign" { - type primary; - file "step7.csk-roll.autosign.db"; - dnssec-policy "csk-roll"; -}; -zone "step8.csk-roll.autosign" { - type primary; - file "step8.csk-roll.autosign.db"; - dnssec-policy "csk-roll"; -}; - -zone "step1.csk-roll2.autosign" { - type primary; - file "step1.csk-roll2.autosign.db"; - dnssec-policy "csk-roll2"; -}; -zone "step2.csk-roll2.autosign" { - type primary; - file 
"step2.csk-roll2.autosign.db"; - dnssec-policy "csk-roll2"; -}; -zone "step3.csk-roll2.autosign" { - type primary; - file "step3.csk-roll2.autosign.db"; - dnssec-policy "csk-roll2"; -}; -zone "step4.csk-roll2.autosign" { - type primary; - file "step4.csk-roll2.autosign.db"; - dnssec-policy "csk-roll2"; -}; -zone "step5.csk-roll2.autosign" { - type primary; - file "step5.csk-roll2.autosign.db"; - dnssec-policy "csk-roll2"; -}; -zone "step6.csk-roll2.autosign" { - type primary; - file "step6.csk-roll2.autosign.db"; - dnssec-policy "csk-roll2"; -}; -zone "step7.csk-roll2.autosign" { - type primary; - file "step7.csk-roll2.autosign.db"; - dnssec-policy "csk-roll2"; -}; diff --git a/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in new file mode 100644 index 0000000000..90a92a223c --- /dev/null +++ b/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in 
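Review bot: The two surviving zones, `rsasha1.kasp` and `rsasha1-nsec3.kasp`, are configured unconditionally, while ns3/setup.sh in this same commit registers them through `setup` only when `testcrypto.sh -q RSASHA1` succeeds and otherwise just writes a zone file; on a build without RSASHA1 the server will therefore still load a zone whose `dnssec-policy "rsasha1"` names an unavailable algorithm, and whether that is a configuration failure or a runtime warning cannot be told from the diff. A comment next to the new include would at least make the split explicit: `// named-fips.conf holds everything that works without RSASHA1; the zones below require it.`. The file header above the hunk is unchanged and outside this view.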
@@ -0,0 +1,118 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +dnssec-policy "unlimited" { + dnskey-ttl 1234; + + keys { + csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + +dnssec-policy "manual-rollover" { + dnskey-ttl 3600; + + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + +dnssec-policy "multisigner-model2" { + dnskey-ttl 3600; + + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + +dnssec-policy "migrate-to-dnssec-policy" { + dnskey-ttl 1234; + + keys { + ksk key-directory lifetime P6M algorithm 8; + zsk key-directory lifetime P6M algorithm 8; + }; +}; + +dnssec-policy "rsasha256" { + dnskey-ttl 1234; + + keys { + ksk key-directory lifetime P10Y algorithm 8; + zsk key-directory lifetime P5Y algorithm 8; + zsk key-directory lifetime P1Y algorithm 8 3072; + }; +}; + +dnssec-policy "rsasha512" { + dnskey-ttl 1234; + + keys { + ksk key-directory lifetime P10Y algorithm 10; + zsk key-directory lifetime P5Y algorithm 10; + zsk key-directory lifetime P1Y algorithm 10 3072; + }; +}; + +dnssec-policy "ecdsa256" { + dnskey-ttl 1234; + + keys { + ksk key-directory lifetime P10Y algorithm 13; + zsk key-directory lifetime P5Y algorithm 13; + zsk key-directory lifetime P1Y algorithm 13 256; + }; +}; + +dnssec-policy "ecdsa384" { + dnskey-ttl 1234; + + keys { + ksk key-directory lifetime P10Y algorithm 14; + zsk key-directory lifetime P5Y 
algorithm 14; + zsk key-directory lifetime P1Y algorithm 14 384; + }; +}; + +dnssec-policy "checkds-ksk" { + dnskey-ttl 303; + + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + +dnssec-policy "checkds-doubleksk" { + dnskey-ttl 303; + + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + +dnssec-policy "checkds-csk" { + dnskey-ttl 303; + + keys { + csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + +dnssec-policy "ttl" { + max-zone-ttl 299; +}; diff --git a/bin/tests/system/kasp/ns3/policies/kasp.conf.in b/bin/tests/system/kasp/ns3/policies/kasp.conf.in index 17b900c7b3..cb045bcb07 100644 --- a/bin/tests/system/kasp/ns3/policies/kasp.conf.in +++ b/bin/tests/system/kasp/ns3/policies/kasp.conf.in @@ -11,31 +11,7 @@ * information regarding copyright ownership. */ -dnssec-policy "unlimited" { - dnskey-ttl 1234; - - keys { - csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - }; -}; - -dnssec-policy "manual-rollover" { - dnskey-ttl 3600; - - keys { - ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - }; -}; - -dnssec-policy "multisigner-model2" { - dnskey-ttl 3600; - - keys { - ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - }; -}; +include "policies/kasp-fips.conf"; dnssec-policy "rsasha1" { dnskey-ttl 1234; 
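Review bot: The new policy file carries nothing beyond the license header to explain why these definitions were split out of policies/kasp.conf, and a reader has to diff against the removed block to notice the two substantive changes it also carries: `migrate-to-dnssec-policy` moves from algorithm 5 to algorithm 8, and the third ZSK of `rsasha256` and `rsasha512` grows from 2000 to 3072 bits. A short comment after the license would record this, e.g. `/* Policies that do not depend on RSASHA1 and are usable under FIPS; included from policies/kasp.conf. */`, with a line noting the algorithm change on `migrate-to-dnssec-policy` since ns3/setup.sh generates the matching legacy keys with RSASHA256. The same missing header applies to ns6/policies/kasp-fips.conf.in later in this diff.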
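Review bot: The new `include "policies/kasp-fips.conf";` inside policies/kasp.conf is written relative to the server's working directory (the ns3 directory), not to the policies/ directory that holds this file, which matches how named.conf.in includes `policies/kasp.conf` but is a trap for anyone copying or relocating the file; it also means the `dnssec-keygen -l policies/kasp.conf` calls in ns3/setup.sh only resolve the include when run from ns3. A one-line comment before the include would record that, e.g. `// path is relative to the directory named runs in, not to this file`. The same pattern is introduced in ns6/policies/kasp.conf.in later in this diff.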
@@ -47,15 +23,6 @@ dnssec-policy "rsasha1" { }; }; -dnssec-policy "migrate-to-dnssec-policy" { - dnskey-ttl 1234; - - keys { - ksk key-directory lifetime P6M algorithm 5; - zsk key-directory lifetime P6M algorithm 5; - }; -}; - dnssec-policy "rsasha1-nsec3" { dnskey-ttl 1234; @@ -65,74 +32,3 @@ dnssec-policy "rsasha1-nsec3" { zsk key-directory lifetime P1Y algorithm 7 2000; }; }; - -dnssec-policy "rsasha256" { - dnskey-ttl 1234; - - keys { - ksk key-directory lifetime P10Y algorithm 8; - zsk key-directory lifetime P5Y algorithm 8; - zsk key-directory lifetime P1Y algorithm 8 2000; - }; -}; - -dnssec-policy "rsasha512" { - dnskey-ttl 1234; - - keys { - ksk key-directory lifetime P10Y algorithm 10; - zsk key-directory lifetime P5Y algorithm 10; - zsk key-directory lifetime P1Y algorithm 10 2000; - }; -}; - -dnssec-policy "ecdsa256" { - dnskey-ttl 1234; - - keys { - ksk key-directory lifetime P10Y algorithm 13; - zsk key-directory lifetime P5Y algorithm 13; - zsk key-directory lifetime P1Y algorithm 13 256; - }; -}; - -dnssec-policy "ecdsa384" { - dnskey-ttl 1234; - - keys { - ksk key-directory lifetime P10Y algorithm 14; - zsk key-directory lifetime P5Y algorithm 14; - zsk key-directory lifetime P1Y algorithm 14 384; - }; -}; - -dnssec-policy "checkds-ksk" { - dnskey-ttl 303; - - keys { - ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - }; -}; - -dnssec-policy "checkds-doubleksk" { - dnskey-ttl 303; - - keys { - ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - }; -}; - -dnssec-policy "checkds-csk" { - dnskey-ttl 303; - - keys { - csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - }; -}; - -dnssec-policy "ttl" { - max-zone-ttl 299; -}; 
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 1842f5064f..84fbb9c170 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -42,8 +42,8 @@ U="UNRETENTIVE"
 #
 # Set up zones that will be initially signed.
 #
-for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \
- rumoured rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 \
+for zn in default dnssec-keygen some-keys legacy-keys pregenerated \
+ rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \
 dynamic dynamic-inline-signing inline-signing \
 checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \
 manual-rollover multisigner-model2
@@ -52,6 +52,22 @@ do
 cp template.db.in "$zonefile"
 done
 
+#
+# Set up RSASHA1 based zones
+#
+for zn in rsasha1 rsasha1-nsec3
+do
+ if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1)
+ then
+ setup "${zn}.kasp"
+ cp template.db.in "$zonefile"
+ else
+ # don't add to zones.
+ echo_i "setting up zone: ${zn}.kasp"
+ cp template.db.in "${zn}.kasp.db"
+ fi
+done
+
 if [ -f ../ed25519-supported.file ]; then
 setup "ed25519.kasp"
 cp template.db.in "$zonefile"
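Review bot: In the new loop, `if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1)` ignores the status of `cd ..`, so if the directory change ever fails the probe runs from the wrong place and the branch taken depends on what that path happens to return; `if (cd .. && $SHELL ../testcrypto.sh -q RSASHA1)` makes the check fail closed. The probe is also re-run for every zone in `for zn in rsasha1 rsasha1-nsec3` although its answer cannot change between iterations, so it could be evaluated once above the loop into a flag. The `else` branch deliberately skips `setup` and only writes the zone file; `# don't add to zones.` would be clearer as `# RSASHA1 unavailable: create the zone file but do not register the zone via setup()`, assuming that registration is what setup does — its definition is above the hunk and not visible here.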
@@ -78,31 +94,31 @@ done
 # Some of these zones already have keys.
 zone="dnssec-keygen.kasp"
 echo_i "setting up zone: $zone"
-$KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
+$KEYGEN -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
 
 zone="some-keys.kasp"
 echo_i "setting up zone: $zone"
-$KEYGEN -G -a RSASHA1 -b 2000 -L 1234 $zone > keygen.out.$zone.1 2>&1
-$KEYGEN -G -a RSASHA1 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1
+$KEYGEN -G -a RSASHA256 -b 2048 -L 1234 $zone > keygen.out.$zone.1 2>&1
+$KEYGEN -G -a RSASHA256 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1
 
 zone="legacy-keys.kasp"
 echo_i "setting up zone: $zone"
-ZSK=$($KEYGEN -a RSASHA1 -b 2048 -L 1234 $zone 2> keygen.out.$zone.1)
-KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.1)
+KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.2)
 echo $ZSK > legacy-keys.kasp.zsk
 echo $KSK > legacy-keys.kasp.ksk
 # Predecessor keys:
 Tact="now-9mo"
 Tret="now-3mo"
-ZSK=$($KEYGEN -a RSASHA1 -b 2048 -L 1234 $zone 2> keygen.out.$zone.3)
-KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $zone 2> keygen.out.$zone.4)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.3)
+KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.4)
 $SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$ZSK" > settime.out.$zone.1 2>&1
 $SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK" > settime.out.$zone.2 2>&1
 
 zone="pregenerated.kasp"
 echo_i "setting up zone: $zone"
-$KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
-$KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1
+$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
+$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1
 
 zone="multisigner-model2.kasp"
 echo_i "setting up zone: $zone"
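Review bot: The `-k rsasha256 -l policies/kasp.conf` calls for dnssec-keygen.kasp and pregenerated.kasp now rely on dnssec-keygen following the `include "policies/kasp-fips.conf";` that this commit adds to policies/kasp.conf, because the rsasha256 policy definition moved into the included file; that include is resolved from the directory the script runs in, so it works only while setup.sh executes from ns3 and, presumably, only after the .conf files have been generated from their .conf.in templates. A comment above the first keygen line would record the dependency: `# rsasha256 is defined in policies/kasp-fips.conf, reached via the include in kasp.conf`. The changed lines also keep `$zone` unquoted in the redirections; harmless for these fixed names, but `"$zone"` would match the quoted `"$ZSK"`/`"$KSK"` style of the settime lines two lines below.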
@@ -122,9 +138,9 @@ echo_i "setting up zone: $zone"
 Tpub="now"
 Tact="now+1d"
 keytimes="-P ${Tpub} -A ${Tact}"
-KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $keytimes $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1 -b 2000 -L 1234 $keytimes $zone 2> keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a RSASHA1 -L 1234 $keytimes $zone 2> keygen.out.$zone.3)
+KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $keytimes $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -b 3072 -L 1234 $keytimes $zone 2> keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a RSASHA256 -L 1234 $keytimes $zone 2> keygen.out.$zone.3)
 $SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" > settime.out.$zone.2 2>&1
 $SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" > settime.out.$zone.2 2>&1
diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in
index b258241185..9cfc6462be 100644
--- a/bin/tests/system/kasp/ns6/named.conf.in
+++ b/bin/tests/system/kasp/ns6/named.conf.in
@@ -62,7 +62,7 @@ zone "step1.going-straight-to-none.kasp" {
 zone "step1.algorithm-roll.kasp" {
 type primary;
 file "step1.algorithm-roll.kasp.db";
- dnssec-policy "rsasha1";
+ dnssec-policy "rsasha256";
 };
 
 zone "step1.csk-algorithm-roll.kasp" {
diff --git a/bin/tests/system/kasp/ns6/policies/csk1.conf.in b/bin/tests/system/kasp/ns6/policies/csk1.conf.in
index ebaca8835b..a5ff042db8 100644
--- a/bin/tests/system/kasp/ns6/policies/csk1.conf.in
+++ b/bin/tests/system/kasp/ns6/policies/csk1.conf.in
@@ -17,7 +17,7 @@ dnssec-policy "csk-algoroll" {
 signatures-validity-dnskey 30d;
 
 keys {
- csk lifetime unlimited algorithm rsasha1;
+ csk lifetime unlimited algorithm rsasha256;
 };
 
 dnskey-ttl 1h;
diff --git a/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
new file mode 100644
index 0000000000..683c9ef500
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
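Review bot: The last two settime calls in the hunk both redirect to `settime.out.$zone.2`, so the `"$ZSK2"` run overwrites the `"$ZSK1"` output and any error from the first is lost; the final line should read `$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" > settime.out.$zone.3 2>&1`. These are context lines the commit does not touch, but the new `-b 3072` on ZSK1 is precisely the keygen/settime output a reader would want to inspect when this zone misbehaves. The `zone` variable these lines operate on is assigned above the hunk and not visible here.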
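Review bot: Switching `step1.algorithm-roll.kasp` to `dnssec-policy "rsasha256"` changes the starting point of the algorithm-rollover scenario, but neither the zone nor the `csk-algoroll` policy in csk1.conf.in (same change, `csk lifetime unlimited algorithm rsasha256;`) says what the roll now goes from and to; the destination policy is outside this hunk. A comment on the zone would keep that legible, e.g. `/* step1: pre-roll state, signed with the rsasha256 policy; the test switches it to another algorithm */`. Any test steps that check the key algorithm number or key sizes of this zone (tests.sh is not in the diff) presumably need to follow from 5 to 8, which is worth confirming.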
@@ -0,0 +1,59 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +dnssec-policy "unsigning" { + dnskey-ttl 7200; + + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@; + }; +}; + +dnssec-policy "rsasha256" { + signatures-refresh P5D; + signatures-validity 30d; + signatures-validity-dnskey 30d; + + keys { + ksk lifetime unlimited algorithm rsasha256; + zsk lifetime unlimited algorithm rsasha256; + }; + + dnskey-ttl 1h; + publish-safety PT1H; + retire-safety 2h; + zone-propagation-delay 3600; + max-zone-ttl 6h; + parent-propagation-delay pt1h; + parent-ds-ttl 7200; +}; + +dnssec-policy "ecdsa256" { + signatures-refresh P5D; + signatures-validity 30d; + signatures-validity-dnskey 30d; + + keys { + ksk lifetime unlimited algorithm ecdsa256; + zsk lifetime unlimited algorithm ecdsa256; + }; + + dnskey-ttl 1h; + publish-safety PT1H; + retire-safety 2h; + zone-propagation-delay 3600; + max-zone-ttl 6h; + parent-propagation-delay pt1h; + parent-ds-ttl 7200; +}; diff --git a/bin/tests/system/kasp/ns6/policies/kasp.conf.in b/bin/tests/system/kasp/ns6/policies/kasp.conf.in index 2caae022d2..d634b76ffe 100644 --- a/bin/tests/system/kasp/ns6/policies/kasp.conf.in +++ b/bin/tests/system/kasp/ns6/policies/kasp.conf.in 
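Review bot: The new file has no comment saying what distinguishes it from kasp.conf.in or why the `unsigning` and `ecdsa256` policies were moved here verbatim, so a reader has to reconstruct the FIPS/non-FIPS split from setup.sh. Suggest a block after the license header: `// Policies that are usable on builds without RSASHA1 (e.g. FIPS mode). kasp.conf.in includes this file; on such builds setup.sh installs this file as policies/kasp.conf instead, so nothing here may depend on RSASHA1.` The durations in the moved policies also mix ISO-8601 (`P5D`, `PT1H`, `pt1h`) with TTL-style (`30d`, `2h`, `3600`) within one policy; that is inherited from the original file, but a new file is a good moment to pick one form.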
@@ -11,14 +11,7 @@ * information regarding copyright ownership. */ -dnssec-policy "unsigning" { - dnskey-ttl 7200; - - keys { - ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@; - }; -}; +include "policies/kasp-fips.conf"; dnssec-policy "rsasha1" { signatures-refresh P5D; @@ -38,22 +31,3 @@ dnssec-policy "rsasha1" { parent-propagation-delay pt1h; parent-ds-ttl 7200; }; - -dnssec-policy "ecdsa256" { - signatures-refresh P5D; - signatures-validity 30d; - signatures-validity-dnskey 30d; - - keys { - ksk lifetime unlimited algorithm ecdsa256; - zsk lifetime unlimited algorithm ecdsa256; - }; - - dnskey-ttl 1h; - publish-safety PT1H; - retire-safety 2h; - zone-propagation-delay 3600; - max-zone-ttl 6h; - parent-propagation-delay pt1h; - parent-ds-ttl 7200; -}; diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh index d24965a958..3f3f193a66 100644 --- a/bin/tests/system/kasp/ns6/setup.sh +++ b/bin/tests/system/kasp/ns6/setup.sh 
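Review bot: Nothing in the file records why `rsasha1` is now the only policy left next to the `include`: on builds without RSASHA1, setup.sh in this series overwrites kasp.conf with kasp-fips.conf, so any FIPS-safe policy someone adds here later would silently disappear on those builds and only the include'd file would be loaded. Suggest a comment above the include: `// FIPS-safe policies live in kasp-fips.conf; on builds without RSASHA1 setup.sh installs that file as kasp.conf, so only policies that need RSASHA1 belong below.`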
@@ -92,13 +92,13 @@ echo "$zone" >> zones TactN="now" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN}" -KSK=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) +KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 5 "$KSK" >> "$infile" -private_type_record $zone 5 "$ZSK" >> "$infile" +private_type_record $zone 8 "$KSK" >> "$infile" +private_type_record $zone 8 "$ZSK" >> "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 2: @@ -114,8 +114,8 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now" zsk1times="-P ${TactN} -A ${TactN} -I now" ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" zsk2times="-P ${TpubN1} -A ${TpubN1}" -KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) +KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 
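Review bot: The algorithm now appears twice per key — as the name in `-a RSASHA256` and as the literal `8` in `private_type_record $zone 8 "$KSK"` — and that pair is repeated in every step of this file, whereas the successor keys already use `$DEFAULT_ALGORITHM` / `$DEFAULT_ALGORITHM_NUMBER`. Define the pair once near the top of the script, `ROLL_ALG=RSASHA256` and `ROLL_ALG_NUM=8`, and use `-a $ROLL_ALG` and `private_type_record $zone $ROLL_ALG_NUM "$KSK"` so the name and number cannot drift apart in the next algorithm change. The step section this hunk belongs to begins before the hunk.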
@@ -126,8 +126,8 @@ $SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.ou echo "Lifetime: 0" >> "${KSK1}.state" echo "Lifetime: 0" >> "${ZSK1}.state" cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone 5 "$KSK1" >> "$infile" -private_type_record $zone 5 "$ZSK1" >> "$infile" +private_type_record $zone 8 "$KSK1" >> "$infile" +private_type_record $zone 8 "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 @@ -144,8 +144,8 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" zsk2times="-P ${TpubN1} -A ${TpubN1}" -KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) +KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 
@@ -156,8 +156,8 @@ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.ou echo "Lifetime: 0" >> "${KSK1}.state" echo "Lifetime: 0" >> "${ZSK1}.state" cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone 5 "$KSK1" >> "$infile" -private_type_record $zone 5 "$ZSK1" >> "$infile" +private_type_record $zone 8 "$KSK1" >> "$infile" +private_type_record $zone 8 "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 @@ -175,8 +175,8 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" zsk2times="-P ${TpubN1} -A ${TpubN1}" -KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) +KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 
@@ -187,8 +187,8 @@ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2 echo "Lifetime: 0" >> "${KSK1}.state" echo "Lifetime: 0" >> "${ZSK1}.state" cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone 5 "$KSK1" >> "$infile" -private_type_record $zone 5 "$ZSK1" >> "$infile" +private_type_record $zone 8 "$KSK1" >> "$infile" +private_type_record $zone 8 "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 @@ -207,8 +207,8 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" zsk2times="-P ${TpubN1} -A ${TpubN1}" -KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) +KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) $SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 
@@ -219,8 +219,8 @@ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.ou echo "Lifetime: 0" >> "${KSK1}.state" echo "Lifetime: 0" >> "${ZSK1}.state" cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone 5 "$KSK1" >> "$infile" -private_type_record $zone 5 "$ZSK1" >> "$infile" +private_type_record $zone 8 "$KSK1" >> "$infile" +private_type_record $zone 8 "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 @@ -240,8 +240,8 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" zsk2times="-P ${TpubN1} -A ${TpubN1}" -KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) +KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) $SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 
@@ -252,8 +252,8 @@ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.ou echo "Lifetime: 0" >> "${KSK1}.state" echo "Lifetime: 0" >> "${ZSK1}.state" cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone 5 "$KSK1" >> "$infile" -private_type_record $zone 5 "$ZSK1" >> "$infile" +private_type_record $zone 8 "$KSK1" >> "$infile" +private_type_record $zone 8 "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 diff --git a/bin/tests/system/kasp/setup.sh b/bin/tests/system/kasp/setup.sh index bab8a41a6b..67cfa92e7d 100644 --- a/bin/tests/system/kasp/setup.sh +++ b/bin/tests/system/kasp/setup.sh @@ -21,7 +21,13 @@ $SHELL clean.sh mkdir keys copy_setports ns2/named.conf.in ns2/named.conf -copy_setports ns3/named.conf.in ns3/named.conf +if ! $SHELL ../testcrypto.sh -q RSASHA1 +then + copy_setports ns3/named-fips.conf.in ns3/named.conf +else + copy_setports ns3/named-fips.conf.in ns3/named-fips.conf + copy_setports ns3/named.conf.in ns3/named.conf +fi copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns6/named.conf.in ns6/named.conf 
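Review bot: The `$SHELL ../testcrypto.sh -q RSASHA1` probe that selects the ns3 template here is run again, verbatim, further down in setup.sh when the policy files are generated, so the named.conf choice and the kasp.conf choice are made independently and could diverge if the probe is not stable across invocations. Probe once and branch on the result: `if $SHELL ../testcrypto.sh -q RSASHA1; then HAVE_RSASHA1=1; else HAVE_RSASHA1=0; fi` followed by `if [ "$HAVE_RSASHA1" = 0 ]`. The else branch also renders ns3/named-fips.conf alongside named.conf and nothing in the hunk says what consumes it; presumably a later test reconfigures ns3 to it, in which case a one-line comment such as `# also render the FIPS variant so the reconfig test can switch to it` (worded to match the real consumer) would save the next reader a search.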
@@ -35,11 +41,21 @@ if $SHELL ../testcrypto.sh ed448; then fi copy_setports ns3/policies/autosign.conf.in ns3/policies/autosign.conf +copy_setports ns3/policies/kasp-fips.conf.in ns3/policies/kasp-fips.conf copy_setports ns3/policies/kasp.conf.in ns3/policies/kasp.conf +if ! $SHELL ../testcrypto.sh -q RSASHA1 +then + cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf +fi copy_setports ns6/policies/csk1.conf.in ns6/policies/csk1.conf copy_setports ns6/policies/csk2.conf.in ns6/policies/csk2.conf +copy_setports ns6/policies/kasp-fips.conf.in ns6/policies/kasp-fips.conf copy_setports ns6/policies/kasp.conf.in ns6/policies/kasp.conf +if ! $SHELL ../testcrypto.sh -q RSASHA1 +then + cp ns6/policies/kasp-fips.conf ns6/policies/kasp.conf +fi # Setup zones ( diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index bd2e4896d3..eefe12e541 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -83,13 +83,13 @@ set_zonesigning "KEY2" "no" set_keyrole "KEY3" "zsk" set_keylifetime "KEY3" "2592000" -set_keyalgorithm "KEY3" "8" "RSASHA256" "1024" +set_keyalgorithm "KEY3" "8" "RSASHA256" "2048" set_keysigning "KEY3" "no" set_zonesigning "KEY3" "yes" set_keyrole "KEY4" "zsk" set_keylifetime "KEY4" "16070400" -set_keyalgorithm "KEY4" "8" "RSASHA256" "2000" +set_keyalgorithm "KEY4" "8" "RSASHA256" "3072" set_keysigning "KEY4" "no" set_zonesigning "KEY4" "yes" 
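Review bot: The policy files are selected the opposite way from the named.conf selection earlier in this file: kasp.conf is first rendered from kasp.conf.in and then overwritten with a bare `cp` of kasp-fips.conf when RSASHA1 is unavailable, so the first render is dead on those builds and the `cp` silently depends on the `copy_setports ... kasp-fips.conf` line just above having run. Choosing the template up front, as the named.conf block does, removes both: `if ! $SHELL ../testcrypto.sh -q RSASHA1; then copy_setports ns3/policies/kasp-fips.conf.in ns3/policies/kasp.conf; else copy_setports ns3/policies/kasp.conf.in ns3/policies/kasp.conf; fi`, and the same for ns6. Because the ns6 kasp.conf.in includes policies/kasp-fips.conf, kasp-fips.conf itself still has to be rendered in both branches.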
@@ -787,55 +787,58 @@ set_keytimes_algorithm_policy() { # # Zone: rsasha1.kasp. # -set_zone "rsasha1.kasp" -set_policy "rsasha1" "3" "1234" -set_server "ns3" "10.53.0.3" -# Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "315360000" -set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +if $SHELL ../testcrypto.sh -q RSASHA1 +then + set_zone "rsasha1.kasp" + set_policy "rsasha1" "3" "1234" + set_server "ns3" "10.53.0.3" + # Key properties. + key_clear "KEY1" + set_keyrole "KEY1" "ksk" + set_keylifetime "KEY1" "315360000" + set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" + set_keysigning "KEY1" "yes" + set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "157680000" -set_keyalgorithm "KEY2" "5" "RSASHA1" "2048" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" + key_clear "KEY2" + set_keyrole "KEY2" "zsk" + set_keylifetime "KEY2" "157680000" + set_keyalgorithm "KEY2" "5" "RSASHA1" "2048" + set_keysigning "KEY2" "no" + set_zonesigning "KEY2" "yes" -key_clear "KEY3" -set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "31536000" -set_keyalgorithm "KEY3" "5" "RSASHA1" "2000" -set_keysigning "KEY3" "no" -set_zonesigning "KEY3" "yes" + key_clear "KEY3" + set_keyrole "KEY3" "zsk" + set_keylifetime "KEY3" "31536000" + set_keyalgorithm "KEY3" "5" "RSASHA1" "2000" + set_keysigning "KEY3" "no" + set_zonesigning "KEY3" "yes" -# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. -# ZSK: DNSKEY, RRSIG (zsk) published. -set_keystate "KEY1" "GOAL" "omnipresent" -set_keystate "KEY1" "STATE_DNSKEY" "rumoured" -set_keystate "KEY1" "STATE_KRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" + # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. + # ZSK: DNSKEY, RRSIG (zsk) published. 
+ set_keystate "KEY1" "GOAL" "omnipresent" + set_keystate "KEY1" "STATE_DNSKEY" "rumoured" + set_keystate "KEY1" "STATE_KRRSIG" "rumoured" + set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" -set_keystate "KEY2" "STATE_DNSKEY" "rumoured" -set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" + set_keystate "KEY2" "GOAL" "omnipresent" + set_keystate "KEY2" "STATE_DNSKEY" "rumoured" + set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY3" "GOAL" "omnipresent" -set_keystate "KEY3" "STATE_DNSKEY" "rumoured" -set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" -# Three keys only. -key_clear "KEY4" + set_keystate "KEY3" "GOAL" "omnipresent" + set_keystate "KEY3" "STATE_DNSKEY" "rumoured" + set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" + # Three keys only. + key_clear "KEY4" -check_keys -check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -set_keytimes_algorithm_policy -check_keytimes -check_apex -check_subdomain -dnssec_verify + check_keys + check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + set_keytimes_algorithm_policy + check_keytimes + check_apex + check_subdomain + dnssec_verify +fi # # Zone: unsigned.kasp. 
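Review bot: When `$SHELL ../testcrypto.sh -q RSASHA1` fails the entire rsasha1.kasp block is skipped without a word in the log, so a run on a build without RSASHA1 looks identical to one where the zone was actually checked; an `else` arm with `echo_i "skipping rsasha1.kasp: RSASHA1 not supported"` makes the reduced coverage visible. The same applies to the rsasha1-nsec3.kasp block later in this file. The guarded block also keeps the pre-change `"2000"`-bit expectation for KEY3, which is consistent only because it never runs on builds with stricter key-size rules; a comment above the `if` saying so, e.g. `# RSASHA1 zones only exist on non-FIPS builds, so the legacy 2000-bit ZSK is still expected here`, would stop someone 'fixing' it to 2048 later.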
@@ -909,28 +912,28 @@ dnssec_verify # Zone: inherit.kasp. # set_zone "inherit.kasp" -set_policy "rsasha1" "3" "1234" +set_policy "rsasha256" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties. key_clear "KEY1" set_keyrole "KEY1" "ksk" set_keylifetime "KEY1" "315360000" -set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" +set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "no" key_clear "KEY2" set_keyrole "KEY2" "zsk" set_keylifetime "KEY2" "157680000" -set_keyalgorithm "KEY2" "5" "RSASHA1" "2048" +set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" set_keysigning "KEY2" "no" set_zonesigning "KEY2" "yes" key_clear "KEY3" set_keyrole "KEY3" "zsk" set_keylifetime "KEY3" "31536000" -set_keyalgorithm "KEY3" "5" "RSASHA1" "2000" +set_keyalgorithm "KEY3" "8" "RSASHA256" "3072" set_keysigning "KEY3" "no" set_zonesigning "KEY3" "yes" # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. @@ -962,7 +965,7 @@ dnssec_verify # Zone: dnssec-keygen.kasp. # set_zone "dnssec-keygen.kasp" -set_policy "rsasha1" "3" "1234" +set_policy "rsasha256" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. @@ -978,7 +981,7 @@ dnssec_verify # Zone: some-keys.kasp. # set_zone "some-keys.kasp" -set_policy "rsasha1" "3" "1234" +set_policy "rsasha256" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. @@ -996,7 +999,7 @@ dnssec_verify # There are more pregenerated keys than needed, hence the number of keys is # six, not three. set_zone "pregenerated.kasp" -set_policy "rsasha1" "6" "1234" +set_policy "rsasha256" "6" "1234" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. @@ -1013,7 +1016,7 @@ dnssec_verify # # There are three keys in rumoured state. set_zone "rumoured.kasp" -set_policy "rsasha1" "3" "1234" +set_policy "rsasha256" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. 
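Review bot: inherit.kasp now expects policy `rsasha256` with RSASHA256 keys and, as its name suggests, takes that policy from the ns3 server-level `dnssec-policy` rather than from its own zone stanza, yet the change to the non-FIPS ns3/named.conf.in is not in this chunk; confirm that file's options-level policy was switched to `rsasha256` as well, otherwise this and the "same as above" zones that follow (dnssec-keygen, some-keys, pregenerated, rumoured, secondary) fail on every build that still has RSASHA1. A comment next to `set_policy "rsasha256" "3" "1234"` such as `# inherited from the server-level dnssec-policy in ns3/named.conf` would tie the expectation to its source.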
@@ -1039,7 +1042,7 @@ dnssec_verify # Zone: secondary.kasp. # set_zone "secondary.kasp" -set_policy "rsasha1" "3" "1234" +set_policy "rsasha256" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. @@ -1083,22 +1086,25 @@ status=$((status+ret)) # # Zone: rsasha1-nsec3.kasp. # -set_zone "rsasha1-nsec3.kasp" -set_policy "rsasha1-nsec3" "3" "1234" -set_server "ns3" "10.53.0.3" -# Key properties. -set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048" -set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048" -set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000" -# Key timings and states same as above. +if $SHELL ../testcrypto.sh -q RSASHA1 +then + set_zone "rsasha1-nsec3.kasp" + set_policy "rsasha1-nsec3" "3" "1234" + set_server "ns3" "10.53.0.3" + # Key properties. + set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048" + set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048" + set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000" + # Key timings and states same as above. -check_keys -check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -set_keytimes_algorithm_policy -check_keytimes -check_apex -check_subdomain -dnssec_verify + check_keys + check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + set_keytimes_algorithm_policy + check_keytimes + check_apex + check_subdomain + dnssec_verify +fi # # Zone: rsasha256.kasp. @@ -1109,7 +1115,7 @@ set_server "ns3" "10.53.0.3" # Key properties. set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" -set_keyalgorithm "KEY3" "8" "RSASHA256" "2000" +set_keyalgorithm "KEY3" "8" "RSASHA256" "3072" # Key timings and states same as above. check_keys @@ -1129,7 +1135,7 @@ set_server "ns3" "10.53.0.3" # Key properties. set_keyalgorithm "KEY1" "10" "RSASHA512" "2048" set_keyalgorithm "KEY2" "10" "RSASHA512" "2048" -set_keyalgorithm "KEY3" "10" "RSASHA512" "2000" +set_keyalgorithm "KEY3" "10" "RSASHA512" "3072" # Key timings and states same as above. check_keys 
@@ -1529,14 +1535,14 @@ set_server "ns3" "10.53.0.3"
 key_clear "KEY1"
 set_keyrole "KEY1" "ksk"
 set_keylifetime "KEY1" "16070400"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "no"
 key_clear "KEY2"
 set_keyrole "KEY2" "zsk"
 set_keylifetime "KEY2" "16070400"
-set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
 set_keysigning "KEY2" "no"
 set_zonesigning "KEY2" "yes"
 # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
@@ -3546,20 +3552,20 @@ IretZSK=0
 # Zone: step1.algorithm-roll.kasp
 #
 set_zone "step1.algorithm-roll.kasp"
-set_policy "rsasha1" "2" "3600"
+set_policy "rsasha256" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # Key properties.
 key_clear "KEY1"
 set_keyrole "KEY1" "ksk"
 set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "no"
 key_clear "KEY2"
 set_keyrole "KEY2" "zsk"
 set_keylifetime "KEY2" "0"
-set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
 set_keysigning "KEY2" "no"
 set_zonesigning "KEY2" "yes"
 key_clear "KEY3"
@@ -3600,7 +3606,7 @@ set_server "ns6" "10.53.0.6"
 key_clear "KEY1"
 set_keyrole "KEY1" "csk"
 set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "yes"
 key_clear "KEY2"
@@ -3992,14 +3998,14 @@ set_server "ns6" "10.53.0.6"
 key_clear "KEY1"
 set_keyrole "KEY1" "ksk"
 set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "no"
 key_clear "KEY2"
 set_keyrole "KEY2" "zsk"
 set_keylifetime "KEY2" "0"
-set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
 set_keysigning "KEY2" "no"
 set_zonesigning "KEY2" "yes"
 # New ECDSAP256SHA256 keys.
@@ -4394,7 +4400,7 @@ set_server "ns6" "10.53.0.6"
 key_clear "KEY1"
 set_keyrole "KEY1" "csk"
 set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "yes"
 # New ECDSAP256SHA256 key.