diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 9f9c3b5b08..c3b98ce0a5 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -256,7 +256,7 @@ progress(int p) {
 
 static void
 kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, const char *name,
-	       const char *engine, dns_kasp_t **kaspp) {
+	       const char *keydir, const char *engine, dns_kasp_t **kaspp) {
 	isc_result_t result = ISC_R_NOTFOUND;
 	const cfg_listelt_t *element;
 	const cfg_obj_t *kasps = NULL;
@@ -289,6 +289,10 @@ kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, const char *name,
 	ks = NULL;
 	(void)cfg_keystore_fromconfig(NULL, mctx, lctx, engine, &kslist, &ks);
 	INSIST(ks != NULL);
+	if (keydir != NULL) {
+		/* '-K keydir' takes priority */
+		dns_keystore_setdirectory(ks, keydir);
+	}
 	dns_keystore_detach(&ks);
 
 	(void)cfg_map_get(config, "dnssec-policy", &kasps);
@@ -1328,7 +1332,8 @@ main(int argc, char **argv) {
 				      ctx.policy, ctx.configfile);
 			}
 
-			kasp_from_conf(config, mctx, ctx.policy, engine, &kasp);
+			kasp_from_conf(config, mctx, ctx.policy, ctx.directory,
+				       engine, &kasp);
 			if (kasp == NULL) {
 				fatal("failed to load dnssec-policy '%s'",
 				      ctx.policy);
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index e0eb143385..b6c80b8311 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -97,6 +97,7 @@ set_zonesigning "KEY4" "yes"
 
 lines=$(get_keyids "$DIR" "$ZONE" | wc -l)
 test "$lines" -eq $NUM_KEYS || log_error "bad number of key ids"
+status=$((status + ret))
 
 ids=$(get_keyids "$DIR" "$ZONE")
 for id in $ids; do