Blame SOURCES/bind99-fips-tests.patch

From 4a1bbbbe8ff1951dba9f5d6a69c42dcf274877d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 22 Jun 2018 14:05:43 +0200
Subject: [PATCH 2/2] Squashed commit of the following:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
commit d1de64d54126a9662b0f709adf1467f1ca3caa50
Author: Petr Menšík <pemensik@redhat.com>
Date:   Wed Jun 20 19:15:31 2018 +0200
    Fix allow_query tests with hmac-256 keys
commit 854606588f53ee403364461ad29dc1cfd29525a0
Author: Petr Menšík <pemensik@redhat.com>
Date:   Wed Mar 7 15:54:11 2018 +0100
    Increase bitsize of DSA key to pass FIPS 140-2 mode.
commit 98dae21d1f863fa26c125271392288730da52842
Author: Petr Menšík <pemensik@redhat.com>
Date:   Thu Apr 19 18:28:09 2018 +0200
    Fix nsupdate, tsig and rndc tests.
    Do not use md5 by default for rndc, skip gracefully md5 if not available.
    Rename md5 keys to rndc*.conf, to pass util/merge_copyrights change.
    Fix dynamic ports merge.
commit 0ec5e2522aa32931cda5abd07a757035078840ea
Author: Petr Menšík <pemensik@redhat.com>
Date:   Wed Jun 20 19:34:20 2018 +0200
    Use testcrypto for crypto detection. Generate random data per test into test directory.
commit 0ca3c85fa6450ae8b347fa5585d0134ebe41682c
Author: Petr Menšík <pemensik@redhat.com>
Date:   Wed Mar 7 13:21:00 2018 +0100
    Add md5 availability detection to featuretest
commit c1b104ccf66a1ec37e941e303a56675c7dcccbaa
Author: Petr Menšík <pemensik@redhat.com>
Date:   Mon Jan 22 14:12:37 2018 +0100
    Update system tests to detect MD5 disabled at runtime
commit 743d24de87b6f022b99d14d3109958660b9ee07b
Author: Petr Menšík <pemensik@redhat.com>
Date:   Fri Feb 23 21:57:11 2018 +0100
    Make testcrypto FIPS compatible
    (cherry picked from commit 0e15cc7012c537a5d683c35534d33d23fcc4d942)
commit 325dc1f4f37dc4b7133dd39d7780c10d183e4808
Author: Evan Hunt <each@isc.org>
Date:   Mon Oct 31 23:01:38 2016 -0700
    [v9_9] 4496.   [func]          dig: add +idnout to control whether labels are
                            display in punycode or not.  Requires idn support
                            to be enabled at compile time. [RT #43398]
    (cherry picked from commit 42470b0b87da24b18e0ff6ce78f3143e89df6d31)
    (cherry picked from commit 6552f33198438390724c5823b8dbcf477ec9638c)
    (cherry picked from commit 7aec46a5ef4074c3957d525643188257c7575841)
    Skip IDN part and import only feature-test from system tests
    (cherry picked from commit 61a01f48604ff6f5f84b64a5aaee722ebae8fadc)
commit d435ac7bcf72117e75e534c23fca1852f4140eb8
Author: Petr Menšík <pemensik@redhat.com>
Date:   Wed Mar 7 10:44:23 2018 +0100
    Use hmac-sha256 instead of default hmac-md5 for allow-query.
    Do not use hmac-md5 in tests by default, make it pass with MD5 disabled.
commit 067ca65156a9fadb191b7c9073904a43f57f1896
Author: Evan Hunt <each@isc.org>
Date:   Thu Feb 6 19:48:49 2014 -0800
    [v9_9] add testcrypto.sh
    (cherry picked from commit e9a2673e85173d93be168f561c5c77184d4e839d)
commit 3fd542379fa381b54381e07d6625ce53f9f9b1f0
Author: Petr Menšík <pemensik@redhat.com>
Date:   Thu Jun 21 12:00:35 2018 +0200
    Revert "4450.   [port]          Provide more nuanced HSM support which better matches"
    This reverts commit f3b4d031c1f714ff6e862670663aa5a18650951e.
    Revert PK11_MD5_DISABLED also from remaining files. Keep documentation
    changes.
commit f90934f734796595135cdd7a5008555a615dfe8e
Author: Petr Menšík <pemensik@redhat.com>
Date:   Wed Jun 20 19:31:19 2018 +0200
    Fix rndc-confgen default algorithm, report true algorithm in usage.
commit dd53212c12c6943a21a3c24d60995edd19e1d9f7
Author: Petr Menšík <pemensik@redhat.com>
Date:   Fri Feb 23 21:21:30 2018 +0100
    Cleanup only if initialization was successful
commit f163ea51c46bb22bf264a1ac983e2027e43845fa
Author: Petr Menšík <pemensik@redhat.com>
Date:   Mon Feb 5 12:19:28 2018 +0100
    Ensure dst backend is initialized first even before hmac algorithms.
commit 58751b60bd39168b7c8f817ede70473842432081
Author: Petr Menšík <pemensik@redhat.com>
Date:   Mon Feb 5 12:17:54 2018 +0100
    Skip initialization of MD5 based algorithms if not available.
commit 0572b98430d3c80f4a0b0c592b1e3bf7fde9b768
Author: Petr Menšík <pemensik@redhat.com>
Date:   Mon Feb 5 10:21:27 2018 +0100
    Change secalgs skipping to be more safe
commit 994f497a032930fce1370d507a265fbb293c66f4
Author: Petr Menšík <pemensik@redhat.com>
Date:   Wed Jan 31 18:26:11 2018 +0100
    Skip MD5 algorithm also in case of NULL name
commit abd82fbd2507c4b8f20e1ade202fd66d224fd646
Author: Petr Menšík <pemensik@redhat.com>
Date:   Wed Jan 31 16:54:29 2018 +0100
    Revert part of commit 1b5c641416eb6de7fc232fc89d31a40a4d439f3d related
    to SHA1.
commit b3c832d53a14a0779f598869bb99685c8e4b2bc0
Author: Petr Menšík <pemensik@redhat.com>
Date:   Wed Jan 31 11:38:12 2018 +0100
    Make MD5 behave like unknown algorithm in TSIG.
commit a64a3d6962ee93d6f8699b29bd6507dba0c244ed
Author: Petr Menšík <pemensik@redhat.com>
Date:   Tue Nov 28 20:14:37 2017 +0100
    Select token with most supported functions, instead of demanding it must support all functions
    Initialize PKCS#11 always until successfully initialized
commit db118c6368668099ea1b6e75860cc12e178afa3b
Author: Petr Menšík <pemensik@redhat.com>
Date:   Mon Jan 22 16:17:44 2018 +0100
    Handle MD5 unavailability from DST
commit 8f8824dca2f5b4d5a3a176d31ac3ee612321c4e3
Author: Petr Menšík <pemensik@redhat.com>
Date:   Mon Jan 22 14:11:16 2018 +0100
    Check runtime flag from library and applications, fail gracefully.
commit bd431384af7dcde8827e670c8749517ad677a967
Author: Petr Menšík <pemensik@redhat.com>
Date:   Mon Jan 22 08:39:08 2018 +0100
    Modify libraries to use isc_md5_available() if PK11_MD5_DISABLE is not
    defined.
    TODO: pk11.c should accept slot without MD5 support.
commit 160b13979ef3d0e92d2dd52d0987a3ec979be6cf
Author: Petr Menšík <pemensik@redhat.com>
Date:   Mon Jan 22 07:21:04 2018 +0100
    Add runtime detection whether MD5 is useable.
commit 23b27ce0f2ad496c331ae40349cc1074a1b11804
Author: Mark Andrews <marka@isc.org>
Date:   Fri Aug 19 08:25:54 2016 +1000
    4450.   [port]          Provide more nuanced HSM support which better matches
                            the specific PKCS11 providers capabilities. [RT #42458]
    (cherry picked from commit 8ee6f289d87851a5b898b24a64587f0e6bc225bc)
---
 bin/tests/system/Makefile.in                  |  25 +++-
 bin/tests/system/acl/ns2/named1.conf          |   4 +-
 bin/tests/system/acl/ns2/named2.conf          |   4 +-
 bin/tests/system/acl/ns2/named3.conf          |   6 +-
 bin/tests/system/acl/ns2/named4.conf          |   4 +-
 bin/tests/system/acl/ns2/named5.conf          |   4 +-
 bin/tests/system/acl/tests.sh                 |  32 +++---
 bin/tests/system/allow_query/ns2/named10.conf |   2 +-
 bin/tests/system/allow_query/ns2/named11.conf |   4 +-
 bin/tests/system/allow_query/ns2/named12.conf |   2 +-
 bin/tests/system/allow_query/ns2/named30.conf |   2 +-
 bin/tests/system/allow_query/ns2/named31.conf |   4 +-
 bin/tests/system/allow_query/ns2/named32.conf |   2 +-
 bin/tests/system/allow_query/ns2/named40.conf |   4 +-
 bin/tests/system/allow_query/tests.sh         |  18 +--
 bin/tests/system/checkconf/bad-tsig.conf      |   2 +-
 bin/tests/system/conf.sh.in                   |   6 +-
 bin/tests/system/digdelv/ns2/example.db       |  15 ++-
 bin/tests/system/digdelv/tests.sh             |   4 +-
 bin/tests/system/dlv/ns1/sign.sh              |   4 +-
 bin/tests/system/dlv/ns2/sign.sh              |   4 +-
 bin/tests/system/dlv/ns3/sign.sh              |  68 +++++------
 bin/tests/system/dlv/ns6/sign.sh              |  64 +++++------
 bin/tests/system/dnssec/ns2/sign.sh           |   8 +-
 bin/tests/system/dnssec/prereq.sh             |  11 +-
 bin/tests/system/feature-test.c               | 159 ++++++++++++++++++++++++++
 bin/tests/system/filter-aaaa/ns1/sign.sh      |   4 +-
 bin/tests/system/filter-aaaa/ns4/sign.sh      |   4 +-
 bin/tests/system/keymgr/prereq.sh             |  15 +--
 bin/tests/system/nsupdate/ns1/named.conf      |   2 +-
 bin/tests/system/nsupdate/ns2/named.conf      |   2 +-
 bin/tests/system/nsupdate/setup.sh            |   7 +-
 bin/tests/system/nsupdate/tests.sh            |  11 +-
 bin/tests/system/rndc/setup.sh                |   4 +-
 bin/tests/system/rndc/tests.sh                |  22 ++--
 bin/tests/system/testcrypto.sh                |  71 ++++++++++++
 bin/tests/system/tkey/keycreate.c             |   3 +
 bin/tests/system/tkey/keydelete.c             |  18 ++-
 bin/tests/system/tkey/prereq.sh               |  11 +-
 bin/tests/system/tsig/clean.sh                |   1 +
 bin/tests/system/tsig/ns1/named.conf          |  12 +-
 bin/tests/system/tsig/ns1/rndc5.conf.in       |  22 ++++
 bin/tests/system/tsig/setup.sh                |  25 ++++
 bin/tests/system/tsig/tests.sh                |  75 +++++++-----
 bin/tests/system/tsiggss/setup.sh             |   2 +-
 bin/tests/system/upforwd/ns1/named.conf       |   2 +-
 bin/tests/system/upforwd/tests.sh             |   2 +-
 47 files changed, 547 insertions(+), 230 deletions(-)
 create mode 100644 bin/tests/system/feature-test.c
 create mode 100644 bin/tests/system/testcrypto.sh
 create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
 create mode 100644 bin/tests/system/tsig/setup.sh
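--- a/bin/tests/system/Makefile.in
+++ b/bin/tests/system/Makefile.in
@@ -23,10 +23,31 @@ top_srcdir =	@top_srcdir@
 
 SUBDIRS =	dlzexternal dyndb filter-aaaa geoip lwresd rpz rrl \
 		rsabigexponent tkey tsiggss
-TARGETS =
+CINCLUDES =	${ISC_INCLUDES} ${DNS_INCLUDES}
+
+CDEFINES =	@USE_GSSAPI@
+CWARNINGS =
+
+DNSLIBS =
+ISCLIBS =	../../../lib/isc/libisc.@A@
+
+DNSDEPLIBS =
+ISCDEPLIBS =
+
+DEPLIBS =
+
+LIBS =		@LIBS@
+
+OBJS =		feature-test.@O@
+SRCS =		feature-test.c
+
+TARGETS =	feature-test@EXEEXT@
 
 @BIND9_MAKE_RULES@
 
+feature-test@EXEEXT@: feature-test.@O@
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
+
 # Running the scripts below is bypassed when a separate
 # build directory is used.
 
@@ -38,6 +59,8 @@ test: subdirs
 testclean clean distclean::
 	if test -f ./cleanall.sh; then sh ./cleanall.sh; fi
 	rm -f systests.output
+	rm -f ${TARGETS}
+	rm -f ${OBJS}
 
 distclean::
 	rm -f conf.sh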
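Review bot: The new `feature-test@EXEEXT@` rule lists only `feature-test.@O@` as a prerequisite, and `ISCDEPLIBS` is left empty although `ISCLIBS` names `../../../lib/isc/libisc.@A@`, so a rebuilt libisc does not trigger a relink of the probe. The test scripts presumably read MD5 availability from this binary, so a stale link could send them down the wrong branch. I would set `ISCDEPLIBS =	../../../lib/isc/libisc.@A@` and write the rule header as `feature-test@EXEEXT@: feature-test.@O@ ${ISCDEPLIBS}`. A one-line comment above `TARGETS` saying that feature-test is the capability probe used by the system tests would also help the next reader.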
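--- a/bin/tests/system/acl/ns2/named1.conf
+++ b/bin/tests/system/acl/ns2/named1.conf
@@ -35,12 +35,12 @@ options {
 include "../../common/controls.conf";
 
 key one {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234abcd8765";
 };
 
 key two {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234abcd8765";
 };
 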
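--- a/bin/tests/system/acl/ns2/named2.conf
+++ b/bin/tests/system/acl/ns2/named2.conf
@@ -35,12 +35,12 @@ options {
 include "../../common/controls.conf";
 
 key one {
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 	secret "1234abcd8765";
 };
 
 key two {
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 	secret "1234abcd8765";
 };
 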
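--- a/bin/tests/system/acl/ns2/named3.conf
+++ b/bin/tests/system/acl/ns2/named3.conf
@@ -35,17 +35,17 @@ options {
 include "../../common/controls.conf";
 
 key one {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234abcd8765";
 };
 
 key two {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234abcd8765";
 };
 
 key three {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234abcd8765";
 };
 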
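--- a/bin/tests/system/acl/ns2/named4.conf
+++ b/bin/tests/system/acl/ns2/named4.conf
@@ -35,12 +35,12 @@ options {
 include "../../common/controls.conf";
 
 key one {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234abcd8765";
 };
 
 key two {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234abcd8765";
 };
 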
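--- a/bin/tests/system/acl/ns2/named5.conf
+++ b/bin/tests/system/acl/ns2/named5.conf
@@ -36,12 +36,12 @@ options {
 include "../../common/controls.conf";
 
 key one {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234abcd8765";
 };
 
 key two {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234abcd8765";
 };
 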
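--- a/bin/tests/system/acl/tests.sh
+++ b/bin/tests/system/acl/tests.sh
@@ -28,13 +28,13 @@ echo "I:testing basic ACL processing"
 # key "one" should fail
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-    	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out
+    	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
 
 # any other key should be fine
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-    	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out
+    	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
 
 cp -f ns2/named2.conf ns2/named.conf
@@ -44,18 +44,18 @@ sleep 5
 # prefix 10/8 should fail
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-    	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out
+    	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
 
 # any other address should work, as long as it sends key "one"
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-    	@10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out
+    	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
 
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-    	@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out
+    	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
 
 echo "I:testing nested ACL processing"
@@ -67,31 +67,31 @@ sleep 5
 # should succeed
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-    	@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 -p 5300 > dig.out
+    	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
 
 # should succeed
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-    	@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 -p 5300 > dig.out
+    	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
 
 # should succeed
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-    	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out
+    	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
 
 # should succeed
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-    	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out
+    	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
 
 # but only one or the other should fail
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-    	@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out
+    	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
 
 t=`expr $t + 1`
@@ -102,7 +102,7 @@ grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $tt failed" ; status=1; }
 # and other values? right out
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-    	@10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 -p 5300 > dig.out
+    	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
 
 # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
@@ -113,31 +113,31 @@ sleep 5
 # should succeed
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-    	@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 -p 5300 > dig.out
+    	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
 
 # should succeed
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-    	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out
+    	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
 
 # should fail
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-    	@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 -p 5300 > dig.out
+    	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
 
 # should fail
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-    	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out
+    	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
 
 # should fail
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-    	@10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 -p 5300 > dig.out
+    	@10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
 
 echo "I:testing allow-query-on ACL processing"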
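Review bot: The negative cases in these hunks (`grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }`) accept any dig output line beginning with `;`, so they cannot tell an ACL refusal from a TSIG failure. Now that every query names the algorithm with `-y hmac-sha256:one:1234abcd8765`, a mismatch with the `key` blocks in ns2/named*.conf, or a build without hmac-sha256, would presumably also produce `;` lines and let the "should fail" tests pass for the wrong reason. I would add a comment near the first query such as `# -y algorithm must match the key blocks in ns2/named*.conf; a TSIG error also yields ';' lines`. As a style point, the option string is repeated in every query here and again in allow_query/tests.sh, and could live in one variable, e.g. `KEY_ONE="hmac-sha256:one:1234abcd8765"`.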
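--- a/bin/tests/system/allow_query/ns2/named10.conf
+++ b/bin/tests/system/allow_query/ns2/named10.conf
@@ -20,7 +20,7 @@
 controls { /* empty */ };
 
 key one {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234abcd8765";
 };
 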
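--- a/bin/tests/system/allow_query/ns2/named11.conf
+++ b/bin/tests/system/allow_query/ns2/named11.conf
@@ -20,12 +20,12 @@
 controls { /* empty */ };
 
 key one {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234abcd8765";
 };
 
 key two {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234efgh8765";
 };
 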
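--- a/bin/tests/system/allow_query/ns2/named12.conf
+++ b/bin/tests/system/allow_query/ns2/named12.conf
@@ -19,7 +19,7 @@
 controls { /* empty */ };
 
 key one {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234abcd8765";
 };
 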
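--- a/bin/tests/system/allow_query/ns2/named30.conf
+++ b/bin/tests/system/allow_query/ns2/named30.conf
@@ -20,7 +20,7 @@
 controls { /* empty */ };
 
 key one {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234abcd8765";
 };
 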
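--- a/bin/tests/system/allow_query/ns2/named31.conf
+++ b/bin/tests/system/allow_query/ns2/named31.conf
@@ -20,12 +20,12 @@
 controls { /* empty */ };
 
 key one {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234abcd8765";
 };
 
 key two {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234efgh8765";
 };
 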
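--- a/bin/tests/system/allow_query/ns2/named32.conf
+++ b/bin/tests/system/allow_query/ns2/named32.conf
@@ -19,7 +19,7 @@
 controls { /* empty */ };
 
 key one {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234abcd8765";
 };
 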
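--- a/bin/tests/system/allow_query/ns2/named40.conf
+++ b/bin/tests/system/allow_query/ns2/named40.conf
@@ -23,12 +23,12 @@ acl accept { 10.53.0.2; };
 acl badaccept { 10.53.0.1; }; 
 
 key one {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234abcd8765";
 };
 
 key two {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "1234efgh8765";
 };
 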
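--- a/bin/tests/system/allow_query/tests.sh
+++ b/bin/tests/system/allow_query/tests.sh
@@ -195,7 +195,7 @@ sleep 5
 
 echo "I:test $n: key allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -209,7 +209,7 @@ sleep 5
 
 echo "I:test $n: key not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -223,7 +223,7 @@ sleep 5
 
 echo "I:test $n: key disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -366,7 +366,7 @@ sleep 5
 
 echo "I:test $n: views key allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -380,7 +380,7 @@ sleep 5
 
 echo "I:test $n: views key not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -394,7 +394,7 @@ sleep 5
 
 echo "I:test $n: views key disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -530,7 +530,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:test $n: zone key allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -540,7 +540,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:test $n: zone key not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -550,7 +550,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:test $n: zone key disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi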
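Review bot: The fixture secrets passed on these lines, `1234abcd8765` and `1234efgh8765`, are 12 base64 characters, i.e. 9 bytes (72 bits), which is below the 112-bit minimum that NIST SP 800-131A sets for HMAC keys. Switching to `hmac-sha256` removes the MD5 dependency, but a FIPS module that enforces HMAC key length would presumably still reject these keys; whether the library this patch targets does so is not visible on this page. If it matters, the secrets here and in the matching `key` blocks of ns2/named*.conf have to grow to at least 14 bytes together. A comment such as `# test-only TSIG secret, never reuse outside the test suite` next to the first `-y` would also make the intent explicit.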
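--- a/bin/tests/system/checkconf/bad-tsig.conf
+++ b/bin/tests/system/checkconf/bad-tsig.conf
@@ -18,7 +18,7 @@
 
 /* Bad secret */
 key "badtsig" {
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 	secret "jEdD+BPKg==";
 };
 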
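--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -56,6 +56,10 @@ JOURNALPRINT=$TOP/bin/tools/named-journalprint
 VERIFY=$TOP/bin/dnssec/dnssec-verify
 ARPANAME=$TOP/bin/tools/arpaname
 SAMPLE=$TOP/lib/export/samples/sample
+GENRANDOM=$TOP/bin/tools/genrandom
+FEATURETEST=$TOP/bin/tests/system/feature-test
+
+RANDFILE=$TOP/bin/tests/system/random.data
 
 # The "stress" test is not run by default since it creates enough
 # load on the machine to make it unusable to other users.
@@ -89,4 +93,4 @@ fi
 
 export NAMED LWRESD DIG NSUPDATE KEYGEN KEYFRLAB SIGNER KEYSIGNER KEYSETTOOL \
        PERL PYTHON SUBDIRS RNDC CHECKZONE PK11GEN PK11LIST PK11DEL TESTSOCK6 \
-       JOURNALPRINT ARPANAME SAMPLE
+       JOURNALPRINT ARPANAME SAMPLE FEATURETEST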
2c0af7
diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db
2c0af7
index 0a1aa5d615..fd3ed3a045 100644
2c0af7
--- a/bin/tests/system/digdelv/ns2/example.db
2c0af7
+++ b/bin/tests/system/digdelv/ns2/example.db
2c0af7
@@ -41,10 +41,13 @@ foo			SSHFP	2 1 123456789abcdef67890123456789abcdef67890
2c0af7
 ;;
2c0af7
 ;; we are not testing DNSSEC behavior, so we don't care about the semantics
2c0af7
 ;; of the following records.
2c0af7
-dnskey                  300     DNSKEY  256 3 1 (
2c0af7
-                                        AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg
2c0af7
-                                        +Ge4noWROpTWOIBvm76zeJPWs4Zfqa1IsswD
2c0af7
-                                        Ix5Mqeg0zwclz59uecKsKyx5w9IhtZ8plc4R
2c0af7
-                                        b9VIE5x7KNHAYTvTO5d4S8M=
2c0af7
-                                        )
2c0af7
+dnskey                  300     DNSKEY 256 3 8 (
2c0af7
+                    AwEAAaWmCoDpj2K59zcpqnmnQM7IC/XbjS6jIP7uTBR4X7p1bdQJzAeo
2c0af7
+                    EnMhnpnxPp0j+20eZm4847DB2U+HuHy79Mvqd3aozTmfBJvzjKs9qyba
2c0af7
+                    zY/ZHn6BDYxNJiFfjSS/VJ1KuQPDbpCzhm2hbvT5s9nSOaG0WyRk+d+R
2c0af7
+                    qEca11E7ZKkmmNiGlyzMAgfmTTBwgxWBAAhvd9nU1GqD6eQ6Z63hpTc/
2c0af7
+                    KDIHnFTo7pOcZ4z5urIKUMCMcFytedETlEoR5CIWGPdQq2eIEEMfn5ld
2c0af7
+                    QqdEZRHVErD9og8aluJ2s767HZb8LzjCfYgBFoT9/n48T75oZLEKtSkG
2c0af7
+                    /idCeeQlaLU=
2c0af7
+                    )
2c0af7
 
2c0af7
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
2c0af7
index a19256cde3..bdfacf9fb4 100644
2c0af7
--- a/bin/tests/system/digdelv/tests.sh
2c0af7
+++ b/bin/tests/system/digdelv/tests.sh
2c0af7
@@ -59,7 +59,7 @@ if [ -x ${DIG} ] ; then
2c0af7
   echo "I:checking dig +rrcomments works for DNSKEY($n)"
2c0af7
   ret=0
2c0af7
   $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
2c0af7
-  grep "; ZSK; alg = RSAMD5 *; key id = 30795" < dig.out.test$n > /dev/null || ret=1
2c0af7
+  grep "; ZSK; alg = RSASHA256 *; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
2c0af7
   if [ $ret != 0 ]; then echo "I:failed"; fi
2c0af7
   status=`expr $status + $ret`
2c0af7
 
2c0af7
@@ -146,7 +146,7 @@ if [ -n "${DELV}" -a -x "${DELV}" ] ; then
2c0af7
   echo "I:checking delv +rrcomments works for DNSKEY($n)"
2c0af7
   ret=0
2c0af7
   $DELV $DELVOPTS @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
2c0af7
-  grep "; ZSK; alg = RSAMD5 *; key id = 30795" < delv.out.test$n > /dev/null || ret=1
2c0af7
+  grep "; ZSK; alg = RSASHA256 *; key id = 36895" < dig.out.test$n > /dev/null || ret=1
2c0af7
   if [ $ret != 0 ]; then echo "I:failed"; fi
2c0af7
   status=`expr $status + $ret`
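Review bot: The rewritten grep in the delv check reads `dig.out.test$n`, but the `$DELV` command two lines above writes to `delv.out.test$n`, so the test no longer inspects delv's answer at all. It will pass or fail on whatever file a dig test left under that number, or on a missing file. The line should be `grep "; ZSK; alg = RSASHA256 *; key id = 36895" < delv.out.test$n > /dev/null || ret=1`. The dig variant in the previous hunk anchors the key id with `$`; if delv prints the same trailing format, the anchor can be added here as well. The enclosing `if [ -n "${DELV}" ... ]` block starts and ends outside the hunk.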
2c0af7
 
2c0af7
diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh
2c0af7
index 9854f5b7ce..cf261c136c 100755
2c0af7
--- a/bin/tests/system/dlv/ns1/sign.sh
2c0af7
+++ b/bin/tests/system/dlv/ns1/sign.sh
2c0af7
@@ -30,8 +30,8 @@ infile=root.db.in
2c0af7
 zonefile=root.db
2c0af7
 outfile=root.signed
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` 
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
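Review bot: Both rewritten `$KEYGEN` calls still send stderr to `/dev/null` and never check the result, so a rejected key generation (the FIPS-mode case this change targets) leaves `keyname1`/`keyname2` empty and the following `cat` fails on `.key` with no hint of the cause. A guard such as `[ -n "$keyname1" ] || { echo "I:keygen failed for $zone" >&2; exit 1; }` after each assignment would surface that. The same pattern repeats in the other DSA hunks of dlv/ns1, dlv/ns2, dlv/ns3, dlv/ns6 and filter-aaaa sign.sh. The script continues outside the hunk, so a later check may already exist.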
2c0af7
 
2c0af7
diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh
2c0af7
index edcc8f21d4..4e142b00d8 100755
2c0af7
--- a/bin/tests/system/dlv/ns2/sign.sh
2c0af7
+++ b/bin/tests/system/dlv/ns2/sign.sh
2c0af7
@@ -31,8 +31,8 @@ zonefile=druz.db
2c0af7
 outfile=druz.pre
2c0af7
 dlvzone=utld.
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` 
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh
2c0af7
index 6bdc2f6cc5..64c5846f7d 100755
2c0af7
--- a/bin/tests/system/dlv/ns3/sign.sh
2c0af7
+++ b/bin/tests/system/dlv/ns3/sign.sh
2c0af7
@@ -34,8 +34,8 @@ zonefile=child1.utld.db
2c0af7
 outfile=child1.signed
2c0af7
 dlvsets="$dlvsets dlvset-$zone"
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` 
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
2c0af7
 
2c0af7
@@ -49,8 +49,8 @@ zonefile=child3.utld.db
2c0af7
 outfile=child3.signed
2c0af7
 dlvsets="$dlvsets dlvset-$zone"
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
2c0af7
 
2c0af7
@@ -64,8 +64,8 @@ zonefile=child4.utld.db
2c0af7
 outfile=child4.signed
2c0af7
 dlvsets="$dlvsets dlvset-$zone"
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -79,8 +79,8 @@ zonefile=child5.utld.db
2c0af7
 outfile=child5.signed
2c0af7
 dlvsets="$dlvsets dlvset-$zone"
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
2c0af7
 
2c0af7
@@ -93,8 +93,8 @@ infile=child.db.in
2c0af7
 zonefile=child7.utld.db
2c0af7
 outfile=child7.signed
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
2c0af7
 
2c0af7
@@ -107,8 +107,8 @@ infile=child.db.in
2c0af7
 zonefile=child8.utld.db
2c0af7
 outfile=child8.signed
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -122,8 +122,8 @@ zonefile=child9.utld.db
2c0af7
 outfile=child9.signed
2c0af7
 dlvsets="$dlvsets dlvset-$zone"
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -136,8 +136,8 @@ zonefile=child10.utld.db
2c0af7
 outfile=child10.signed
2c0af7
 dlvsets="$dlvsets dlvset-$zone"
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -151,8 +151,8 @@ outfile=child1.druz.signed
2c0af7
 dlvsets="$dlvsets dlvset-$zone"
2c0af7
 dssets="$dssets dsset-$zone"
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` 
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
2c0af7
 
2c0af7
@@ -167,8 +167,8 @@ outfile=child3.druz.signed
2c0af7
 dlvsets="$dlvsets dlvset-$zone"
2c0af7
 dssets="$dssets dsset-$zone"
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
2c0af7
 
2c0af7
@@ -183,8 +183,8 @@ outfile=child4.druz.signed
2c0af7
 dlvsets="$dlvsets dlvset-$zone"
2c0af7
 dssets="$dssets dsset-$zone"
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -199,8 +199,8 @@ outfile=child5.druz.signed
2c0af7
 dlvsets="$dlvsets dlvset-$zone"
2c0af7
 dssets="$dssets dsset-$zone"
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
2c0af7
 
2c0af7
@@ -214,8 +214,8 @@ zonefile=child7.druz.db
2c0af7
 outfile=child7.druz.signed
2c0af7
 dssets="$dssets dsset-$zone"
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
2c0af7
 
2c0af7
@@ -228,8 +228,8 @@ infile=child.db.in
2c0af7
 zonefile=child8.druz.db
2c0af7
 outfile=child8.druz.signed
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -243,8 +243,8 @@ zonefile=child9.druz.db
2c0af7
 outfile=child9.druz.signed
2c0af7
 dlvsets="$dlvsets dlvset-$zone"
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -258,8 +258,8 @@ outfile=child10.druz.signed
2c0af7
 dlvsets="$dlvsets dlvset-$zone"
2c0af7
 dssets="$dssets dsset-$zone"
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -272,8 +272,8 @@ infile=dlv.db.in
2c0af7
 zonefile=dlv.utld.db
2c0af7
 outfile=dlv.signed
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh
2c0af7
index 2bc133e5d6..227c1cb69f 100755
2c0af7
--- a/bin/tests/system/dlv/ns6/sign.sh
2c0af7
+++ b/bin/tests/system/dlv/ns6/sign.sh
2c0af7
@@ -28,8 +28,8 @@ infile=child.db.in
2c0af7
 zonefile=grand.child1.utld.db
2c0af7
 outfile=grand.child1.signed
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -43,8 +43,8 @@ zonefile=grand.child3.utld.db
2c0af7
 outfile=grand.child3.signed
2c0af7
 dlvzone=dlv.utld.
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -58,8 +58,8 @@ zonefile=grand.child4.utld.db
2c0af7
 outfile=grand.child4.signed
2c0af7
 dlvzone=dlv.utld.
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -73,8 +73,8 @@ zonefile=grand.child5.utld.db
2c0af7
 outfile=grand.child5.signed
2c0af7
 dlvzone=dlv.utld.
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -88,8 +88,8 @@ zonefile=grand.child7.utld.db
2c0af7
 outfile=grand.child7.signed
2c0af7
 dlvzone=dlv.utld.
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -103,8 +103,8 @@ zonefile=grand.child8.utld.db
2c0af7
 outfile=grand.child8.signed
2c0af7
 dlvzone=dlv.utld.
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -118,8 +118,8 @@ zonefile=grand.child9.utld.db
2c0af7
 outfile=grand.child9.signed
2c0af7
 dlvzone=dlv.utld.
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -132,8 +132,8 @@ zonefile=grand.child10.utld.db
2c0af7
 outfile=grand.child10.signed
2c0af7
 dlvzone=dlv.utld.
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -145,8 +145,8 @@ infile=child.db.in
2c0af7
 zonefile=grand.child1.druz.db
2c0af7
 outfile=grand.child1.druz.signed
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -160,8 +160,8 @@ zonefile=grand.child3.druz.db
2c0af7
 outfile=grand.child3.druz.signed
2c0af7
 dlvzone=dlv.druz.
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -175,8 +175,8 @@ zonefile=grand.child4.druz.db
2c0af7
 outfile=grand.child4.druz.signed
2c0af7
 dlvzone=dlv.druz.
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -190,8 +190,8 @@ zonefile=grand.child5.druz.db
2c0af7
 outfile=grand.child5.druz.signed
2c0af7
 dlvzone=dlv.druz.
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -205,8 +205,8 @@ zonefile=grand.child7.druz.db
2c0af7
 outfile=grand.child7.druz.signed
2c0af7
 dlvzone=dlv.druz.
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -220,8 +220,8 @@ zonefile=grand.child8.druz.db
2c0af7
 outfile=grand.child8.druz.signed
2c0af7
 dlvzone=dlv.druz.
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -235,8 +235,8 @@ zonefile=grand.child9.druz.db
2c0af7
 outfile=grand.child9.druz.signed
2c0af7
 dlvzone=dlv.druz.
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -249,8 +249,8 @@ zonefile=grand.child10.druz.db
2c0af7
 outfile=grand.child10.druz.signed
2c0af7
 dlvzone=dlv.druz.
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
2c0af7
index 118b8a6d6b..0c4dcb4b19 100644
2c0af7
--- a/bin/tests/system/dnssec/ns2/sign.sh
2c0af7
+++ b/bin/tests/system/dnssec/ns2/sign.sh
2c0af7
@@ -38,8 +38,8 @@ do
2c0af7
 	cp ../ns3/dsset-$subdomain.example. .
2c0af7
 done
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
2c0af7
-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
2c0af7
+keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
2c0af7
+keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
@@ -98,7 +98,7 @@ privzone=private.secure.example.
2c0af7
 privinfile=private.secure.example.db.in
2c0af7
 privzonefile=private.secure.example.db
2c0af7
 
2c0af7
-privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone`
2c0af7
+privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $privzone`
2c0af7
 
2c0af7
 cat $privinfile $privkeyname.key >$privzonefile
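Review bot: The key for `$privzone` is still generated with `-a RSAMD5`; only the bit size changes, and there is no `$FEATURETEST --md5` guard like the one this patch adds in nsupdate/setup.sh. If MD5 is unavailable at runtime the call presumably fails, leaving `privkeyname` empty so the `cat` on the next line reads `.key`. Either switch to a non-MD5 algorithm, e.g. `privkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $privzone``, or skip the block when `$FEATURETEST --md5` fails. The `dlvkeyname` hunk that follows has the same issue. The rest of sign.sh is outside the hunk, so confirm nothing downstream depends on the RSAMD5 algorithm number.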
2c0af7
 
2c0af7
@@ -111,7 +111,7 @@ dlvzone=dlv.
2c0af7
 dlvinfile=dlv.db.in
2c0af7
 dlvzonefile=dlv.db
2c0af7
 
2c0af7
-dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone`
2c0af7
+dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $dlvzone`
2c0af7
 
2c0af7
 cat $dlvinfile $dlvkeyname.key dlvset-$privzone > $dlvzonefile
2c0af7
 
2c0af7
diff --git a/bin/tests/system/dnssec/prereq.sh b/bin/tests/system/dnssec/prereq.sh
2c0af7
index 113e372c28..84630d8abc 100644
2c0af7
--- a/bin/tests/system/dnssec/prereq.sh
2c0af7
+++ b/bin/tests/system/dnssec/prereq.sh
2c0af7
@@ -17,13 +17,4 @@
2c0af7
 
2c0af7
 # $Id: prereq.sh,v 1.13 2009/10/28 00:27:10 marka Exp $
2c0af7
 
2c0af7
-../../../tools/genrandom 400 random.data
2c0af7
-
2c0af7
-if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
2c0af7
-then
2c0af7
-    rm -f Kfoo*
2c0af7
-else
2c0af7
-    echo "I:This test requires cryptography" >&2
2c0af7
-    echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
2c0af7
-    exit 1
2c0af7
-fi
2c0af7
+exec $SHELL ../testcrypto.sh
2c0af7
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
2c0af7
new file mode 100644
2c0af7
index 0000000000..495f46a32a
2c0af7
--- /dev/null
2c0af7
+++ b/bin/tests/system/feature-test.c
2c0af7
@@ -0,0 +1,159 @@
2c0af7
+/*
2c0af7
+ * Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
2c0af7
+ *
2c0af7
+ * This Source Code Form is subject to the terms of the Mozilla Public
2c0af7
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
2c0af7
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
2c0af7
+ */
2c0af7
+
2c0af7
+#include <config.h>
2c0af7
+
2c0af7
+#include <unistd.h>
2c0af7
+#include <stdio.h>
2c0af7
+#include <stdlib.h>
2c0af7
+#include <string.h>
2c0af7
+
2c0af7
+#include <isc/print.h>
2c0af7
+#include <isc/util.h>
2c0af7
+#include <isc/md5.h>
2c0af7
+
2c0af7
+#ifdef WIN32
2c0af7
+#include <Winsock2.h>
2c0af7
+#endif
2c0af7
+
2c0af7
+#ifndef MAXHOSTNAMELEN
2c0af7
+#ifdef HOST_NAME_MAX
2c0af7
+#define MAXHOSTNAMELEN HOST_NAME_MAX
2c0af7
+#else
2c0af7
+#define MAXHOSTNAMELEN 256
2c0af7
+#endif
2c0af7
+#endif
2c0af7
+
2c0af7
+static void
2c0af7
+usage() {
2c0af7
+	fprintf(stderr, "usage: feature-test <arg>\n");
2c0af7
+	fprintf(stderr, "args:\n");
2c0af7
+	fprintf(stderr, "	--enable-filter-aaaa\n");
2c0af7
+	fprintf(stderr, "	--gethostname\n");
2c0af7
+	fprintf(stderr, "	--gssapi\n");
2c0af7
+	fprintf(stderr, "	--have-dlopen\n");
2c0af7
+	fprintf(stderr, "	--have-geoip\n");
2c0af7
+	fprintf(stderr, "	--have-libxml2\n");
2c0af7
+	fprintf(stderr, "	--md5\n");
2c0af7
+	fprintf(stderr, "	--rpz-nsip\n");
2c0af7
+	fprintf(stderr, "	--rpz-nsdname\n");
2c0af7
+	fprintf(stderr, "	--with-idn\n");
2c0af7
+}
2c0af7
+
2c0af7
+int
2c0af7
+main(int argc, char **argv) {
2c0af7
+	if (argc != 2) {
2c0af7
+		usage();
2c0af7
+		return (1);
2c0af7
+	}
2c0af7
+
2c0af7
+	if (strcmp(argv[1], "--enable-filter-aaaa") == 0) {
2c0af7
+#ifdef ALLOW_FILTER_AAAA
2c0af7
+		return (0);
2c0af7
+#else
2c0af7
+		return (1);
2c0af7
+#endif
2c0af7
+	}
2c0af7
+
2c0af7
+	if (strcmp(argv[1], "--gethostname") == 0) {
2c0af7
+		char hostname[MAXHOSTNAMELEN];
2c0af7
+		int n;
2c0af7
+#ifdef WIN32
2c0af7
+		/* From lwres InitSocket() */
2c0af7
+		WORD wVersionRequested;
2c0af7
+		WSADATA wsaData;
2c0af7
+		int err;
2c0af7
+
2c0af7
+		wVersionRequested = MAKEWORD(2, 0);
2c0af7
+		err = WSAStartup( wVersionRequested, &wsaData );
2c0af7
+		if (err != 0) {
2c0af7
+			fprintf(stderr, "WSAStartup() failed: %d\n", err);
2c0af7
+			exit(1);
2c0af7
+		}
2c0af7
+#endif
2c0af7
+
2c0af7
+		n = gethostname(hostname, sizeof(hostname));
2c0af7
+		if (n == -1) {
2c0af7
+			perror("gethostname");
2c0af7
+			return(1);
2c0af7
+		}
2c0af7
+		fprintf(stdout, "%s\n", hostname);
2c0af7
+#ifdef WIN32
2c0af7
+		WSACleanup();
2c0af7
+#endif
2c0af7
+		return (0);
2c0af7
+	}
2c0af7
+
2c0af7
+	if (strcmp(argv[1], "--gssapi") == 0) {
2c0af7
+#if defined(GSSAPI)
2c0af7
+		return (0);
2c0af7
+#else
2c0af7
+		return (1);
2c0af7
+#endif
2c0af7
+	}
2c0af7
+
2c0af7
+	if (strcmp(argv[1], "--have-dlopen") == 0) {
2c0af7
+#if defined(HAVE_DLOPEN) && defined(ISC_DLZ_DLOPEN)
2c0af7
+		return (0);
2c0af7
+#else
2c0af7
+		return (1);
2c0af7
+#endif
2c0af7
+	}
2c0af7
+
2c0af7
+	if (strcmp(argv[1], "--have-geoip") == 0) {
2c0af7
+#ifdef HAVE_GEOIP
2c0af7
+		return (0);
2c0af7
+#else
2c0af7
+		return (1);
2c0af7
+#endif
2c0af7
+	}
2c0af7
+
2c0af7
+	if (strcmp(argv[1], "--have-libxml2") == 0) {
2c0af7
+#ifdef HAVE_LIBXML2
2c0af7
+		return (0);
2c0af7
+#else
2c0af7
+		return (1);
2c0af7
+#endif
2c0af7
+	}
2c0af7
+
2c0af7
+	if (strcmp(argv[1], "--md5") == 0) {
2c0af7
+		if (isc_md5_available()) {
2c0af7
+			return (0);
2c0af7
+		} else {
2c0af7
+			return (1);
2c0af7
+		}
2c0af7
+	}
2c0af7
+
2c0af7
+	if (strcmp(argv[1], "--rpz-nsip") == 0) {
2c0af7
+#ifdef ENABLE_RPZ_NSIP
2c0af7
+		return (0);
2c0af7
+#else
2c0af7
+		return (1);
2c0af7
+#endif
2c0af7
+	}
2c0af7
+
2c0af7
+	if (strcmp(argv[1], "--rpz-nsdname") == 0) {
2c0af7
+#ifdef ENABLE_RPZ_NSDNAME
2c0af7
+		return (0);
2c0af7
+#else
2c0af7
+		return (1);
2c0af7
+#endif
2c0af7
+	}
2c0af7
+
2c0af7
+	if (strcmp(argv[1], "--with-idn") == 0) {
2c0af7
+#ifdef WITH_IDN
2c0af7
+		return (0);
2c0af7
+#else
2c0af7
+		return (1);
2c0af7
+#endif
2c0af7
+	}
2c0af7
+
2c0af7
+	fprintf(stderr, "unknown arg: %s\n", argv[1]);
2c0af7
+	usage();
2c0af7
+	return (1);
2c0af7
+}
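Review bot: In the `--gethostname` branch the buffer is printed with `%s` right after `gethostname()` succeeds, but POSIX leaves it unspecified whether a truncated name is NUL-terminated, so add `hostname[sizeof(hostname) - 1] = '\0';` before the `fprintf`. On WIN32 the `return(1)` error path also skips `WSACleanup()`. As a style point, `usage()` should be declared `usage(void)`. A header comment such as `/* Exit status 0: feature available; 1: unavailable or bad argument. */` would document the contract the shell tests rely on, and could note that `--md5` is the only check done at run time via `isc_md5_available()` while the others are compile-time `#ifdef`s.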
2c0af7
diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh
2c0af7
index 203e37ebfb..e0c696b986 100755
2c0af7
--- a/bin/tests/system/filter-aaaa/ns1/sign.sh
2c0af7
+++ b/bin/tests/system/filter-aaaa/ns1/sign.sh
2c0af7
@@ -27,8 +27,8 @@ infile=signed.db.in
2c0af7
 zonefile=signed.db.signed
2c0af7
 outfile=signed.db.signed
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh
2c0af7
index ff33b10a19..74d755763a 100755
2c0af7
--- a/bin/tests/system/filter-aaaa/ns4/sign.sh
2c0af7
+++ b/bin/tests/system/filter-aaaa/ns4/sign.sh
2c0af7
@@ -27,8 +27,8 @@ infile=signed.db.in
2c0af7
 zonefile=signed.db.signed
2c0af7
 outfile=signed.db.signed
2c0af7
 
2c0af7
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
2c0af7
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
2c0af7
 
2c0af7
 cat $infile $keyname1.key $keyname2.key >$zonefile
2c0af7
 
2c0af7
diff --git a/bin/tests/system/keymgr/prereq.sh b/bin/tests/system/keymgr/prereq.sh
2c0af7
index be2546ec59..e71cc9f03a 100644
2c0af7
--- a/bin/tests/system/keymgr/prereq.sh
2c0af7
+++ b/bin/tests/system/keymgr/prereq.sh
2c0af7
@@ -14,17 +14,4 @@
2c0af7
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2c0af7
 # PERFORMANCE OF THIS SOFTWARE.
2c0af7
 
2c0af7
-SYSTEMTESTTOP=..
2c0af7
-. $SYSTEMTESTTOP/conf.sh
2c0af7
-
2c0af7
-../../../tools/genrandom 400 random.data
2c0af7
-
2c0af7
-if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
2c0af7
-then
2c0af7
-    rm -f Kfoo*
2c0af7
-else
2c0af7
-    echo "I:This test requires cryptography" >&2
2c0af7
-    echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
2c0af7
-    exit 1
2c0af7
-fi
2c0af7
-#exec $SHELL ../testcrypto.sh
2c0af7
+exec $SHELL ../testcrypto.sh
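Review bot: The missing-crypto path changes its exit status here: the removed probe ended with `exit 1`, while testcrypto.sh (added later in this patch) ends with `exit 255`. If the test runner distinguishes those codes when deciding between skipped and failed, keymgr will now be reported differently; the runner is not part of this patch section, so that needs checking. The new line also relies on `$SHELL` being set by the caller now that conf.sh is no longer sourced in this file; `exec "${SHELL:-/bin/sh}" ../testcrypto.sh` would not depend on it.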
2c0af7
diff --git a/bin/tests/system/nsupdate/ns1/named.conf b/bin/tests/system/nsupdate/ns1/named.conf
2c0af7
index 86fe91d070..c53da11685 100644
2c0af7
--- a/bin/tests/system/nsupdate/ns1/named.conf
2c0af7
+++ b/bin/tests/system/nsupdate/ns1/named.conf
2c0af7
@@ -42,7 +42,7 @@ controls {
2c0af7
 };
2c0af7
 
2c0af7
 key altkey {
2c0af7
-        algorithm hmac-md5;
2c0af7
+        algorithm hmac-sha512;
2c0af7
         secret "1234abcd8765";
2c0af7
 };
2c0af7
 
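Review bot: The `altkey` secret `"1234abcd8765"` decodes to only 9 bytes (72 bits), which is short for the HMAC-SHA512 it is now paired with and below the 112-bit minimum that FIPS guidance sets for HMAC keys. Whether the crypto module enforces that minimum is not visible here, but since the purpose of the patch is to pass in FIPS mode, a longer secret would avoid depending on it, e.g. `secret "<base64 of at least 14 random bytes>";` (placeholder). nsupdate/ns2/named.conf carries the same key and would need the same value, as would any client-side copy of `altkey` outside these hunks.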
2c0af7
diff --git a/bin/tests/system/nsupdate/ns2/named.conf b/bin/tests/system/nsupdate/ns2/named.conf
2c0af7
index 6db32202ff..68022656ec 100644
2c0af7
--- a/bin/tests/system/nsupdate/ns2/named.conf
2c0af7
+++ b/bin/tests/system/nsupdate/ns2/named.conf
2c0af7
@@ -33,7 +33,7 @@ options {
2c0af7
 };
2c0af7
 
2c0af7
 key altkey {
2c0af7
-        algorithm hmac-md5;
2c0af7
+        algorithm hmac-sha512;
2c0af7
         secret "1234abcd8765";
2c0af7
 };
2c0af7
 
2c0af7
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
2c0af7
index bb015142da..e97406956a 100644
2c0af7
--- a/bin/tests/system/nsupdate/setup.sh
2c0af7
+++ b/bin/tests/system/nsupdate/setup.sh
2c0af7
@@ -53,8 +53,13 @@ EOF
2c0af7
 
2c0af7
 ../../../tools/genrandom 400 random.data
2c0af7
 $DDNSCONFGEN -q -r random.data -z example.nil > ns1/ddns.key
2c0af7
+if $FEATURETEST --md5; then
2c0af7
+	$DDNSCONFGEN -q -r random.data -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
2c0af7
+else
2c0af7
+	echo -n > ns1/md5.key
2c0af7
+fi
2c0af7
+
2c0af7
 
2c0af7
-$DDNSCONFGEN -q -r random.data -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
2c0af7
 $DDNSCONFGEN -q -r random.data -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
2c0af7
 $DDNSCONFGEN -q -r random.data -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
2c0af7
 $DDNSCONFGEN -q -r random.data -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
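Review bot: `echo -n > ns1/md5.key` in the new `else` branch is not portable under `/bin/sh`: shells whose `echo` does not take options write the literal `-n` into the file, and md5.key is then no longer empty. `: > ns1/md5.key` creates the empty file without depending on `echo`. The start of the script is outside the hunk, so how md5.key is consumed is not visible; if it is included from named.conf, a stray `-n` would be a configuration syntax error.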
2c0af7
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
2c0af7
index b9a1c90536..821d7a65e2 100644
2c0af7
--- a/bin/tests/system/nsupdate/tests.sh
2c0af7
+++ b/bin/tests/system/nsupdate/tests.sh
2c0af7
@@ -516,7 +516,14 @@ fi
2c0af7
 n=`expr $n + 1`
2c0af7
 ret=0
2c0af7
 echo "I:check TSIG key algorithms ($n)"
2c0af7
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
2c0af7
+if $FEATURETEST --md5
2c0af7
+then
2c0af7
+	ALGS="md5 sha1 sha224 sha256 sha384 sha512"
2c0af7
+else
2c0af7
+	ALGS="sha1 sha224 sha256 sha384 sha512"
2c0af7
+	echo_i "skipping disabled md5 algorithm"
2c0af7
+fi
2c0af7
+for alg in $ALGS; do
2c0af7
     $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
2c0af7
 server 10.53.0.1 5300
2c0af7
 update add ${alg}.keytests.nil. 600 A 10.10.10.3
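Review bot: The skip message uses `echo_i`, while every other message in this hunk is written as `echo "I:..."`, and no definition of `echo_i` is visible in this part of the patch. If conf.sh on this branch does not define it, the `else` branch prints a command-not-found error instead of the skip notice. Either confirm the helper exists or write `echo "I:skipping disabled md5 algorithm"`; the same mix of `echo_i`, `echo "I:..."` and `echo "W:..."` appears in the rndc/tests.sh and tsig/tests.sh hunks. The `for` loop body continues past the end of this hunk.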
2c0af7
@@ -524,7 +531,7 @@ send
2c0af7
 END
2c0af7
 done
2c0af7
 sleep 2
2c0af7
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
2c0af7
+for alg in $ALGS; do
2c0af7
     $DIG +short @10.53.0.1 -p 5300 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
2c0af7
 done
2c0af7
 if [ $ret -ne 0 ]; then
2c0af7
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
2c0af7
index ce80005faf..a7c66841cc 100644
2c0af7
--- a/bin/tests/system/rndc/setup.sh
2c0af7
+++ b/bin/tests/system/rndc/setup.sh
2c0af7
@@ -22,7 +22,7 @@ SYSTEMTESTTOP=..
2c0af7
 
2c0af7
 sh clean.sh
2c0af7
 
2c0af7
-../../../tools/genrandom 400 random.data
2c0af7
+../../../tools/genrandom 800 random.data
2c0af7
 
2c0af7
 sh ../genzone.sh 2 >ns2/nil.db
2c0af7
 sh ../genzone.sh 2 >ns2/other.db
2c0af7
@@ -37,7 +37,7 @@ make_key () {
2c0af7
             sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
2c0af7
 }
2c0af7
 
2c0af7
-make_key 1 hmac-md5
2c0af7
+$FEATURETEST --md5 && make_key 1 hmac-md5
2c0af7
 make_key 2 hmac-sha1
2c0af7
 make_key 3 hmac-sha224
2c0af7
 make_key 4 hmac-sha256
2c0af7
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
2c0af7
index 01dbc811ae..20a90850d1 100644
2c0af7
--- a/bin/tests/system/rndc/tests.sh
2c0af7
+++ b/bin/tests/system/rndc/tests.sh
2c0af7
@@ -246,14 +246,20 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
2c0af7
 status=`expr $status + $ret`
2c0af7
 
2c0af7
 echo "I:testing rndc with hmac-md5"
2c0af7
-ret=0
2c0af7
-$RNDC -s 10.53.0.4 -p 9951 -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
2c0af7
-for i in 2 3 4 5 6
2c0af7
-do
2c0af7
-        $RNDC -s 10.53.0.4 -p 9951 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
2c0af7
-done
2c0af7
-if [ $ret != 0 ]; then echo "I:failed"; fi
2c0af7
-status=`expr $status + $ret`
2c0af7
+if $FEATURETEST --md5
2c0af7
+then
2c0af7
+        echo "I:testing rndc with hmac-md5"
2c0af7
+        ret=0
2c0af7
+        $RNDC -s 10.53.0.4 -p 9951 -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
2c0af7
+        for i in 2 3 4 5 6
2c0af7
+        do
2c0af7
+                $RNDC -s 10.53.0.4 -p 9951 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
2c0af7
+        done
2c0af7
+        if [ $ret != 0 ]; then echo_i "failed"; fi
2c0af7
+        status=`expr $status + $ret`
2c0af7
+else
2c0af7
+        echo "W:skipping rndc with hmac-md5"
2c0af7
+fi
2c0af7
 
2c0af7
 echo "I:testing rndc with hmac-sha1"
2c0af7
 ret=0
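Review bot: The context line `echo "I:testing rndc with hmac-md5"` above the new `if` is kept and the same message is added again inside the `then` branch, so the header prints twice when MD5 is available and once, followed by `W:skipping rndc with hmac-md5`, when it is not. The outer line should be removed by this hunk so that only the copy inside the branch remains.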
2c0af7
diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh
2c0af7
new file mode 100644
2c0af7
index 0000000000..e21f18b5f5
2c0af7
--- /dev/null
2c0af7
+++ b/bin/tests/system/testcrypto.sh
2c0af7
@@ -0,0 +1,71 @@
2c0af7
+#!/bin/sh
2c0af7
+#
2c0af7
+# Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
2c0af7
+#
2c0af7
+# Permission to use, copy, modify, and/or distribute this software for any
2c0af7
+# purpose with or without fee is hereby granted, provided that the above
2c0af7
+# copyright notice and this permission notice appear in all copies.
2c0af7
+#
2c0af7
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
2c0af7
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
2c0af7
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
2c0af7
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
2c0af7
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
2c0af7
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2c0af7
+# PERFORMANCE OF THIS SOFTWARE.
2c0af7
+
2c0af7
+SYSTEMTESTTOP=${SYSTEMTESTTOP:=..}
2c0af7
+. $SYSTEMTESTTOP/conf.sh
2c0af7
+
2c0af7
+# Unlike 9.11, keep generated data in current directory
2c0af7
+RANDFILE=random.data
2c0af7
+
2c0af7
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
2c0af7
+
2c0af7
+prog=$0
2c0af7
+
2c0af7
+args="-r $RANDFILE"
2c0af7
+alg="-a RSASHA1 -b 2048"
2c0af7
+quiet=0
2c0af7
+
2c0af7
+msg1="cryptography"
2c0af7
+msg2="--with-openssl, or --enable-native-pkcs11 --with-pkcs11"
2c0af7
+while test "$#" -gt 0; do
2c0af7
+        case $1 in
2c0af7
+        -q)
2c0af7
+                args="$args -q"
2c0af7
+                quiet=1
2c0af7
+                ;;
2c0af7
+        rsa|RSA)
2c0af7
+                alg=""
2c0af7
+                msg1="RSA cryptography"
2c0af7
+                ;;
2c0af7
+        gost|GOST)
2c0af7
+                alg="-a eccgost"
2c0af7
+                msg1="GOST cryptography"
2c0af7
+                msg2="--with-gost"
2c0af7
+                ;;
2c0af7
+        ecdsa|ECDSA)
2c0af7
+                alg="-a ecdsap256sha256"
2c0af7
+                msg1="ECDSA cryptography"
2c0af7
+                msg2="--with-ecdsa"
2c0af7
+                ;;
2c0af7
+        *)
2c0af7
+                echo "${prog}: unknown argument"
2c0af7
+                exit 1
2c0af7
+                ;;
2c0af7
+        esac
2c0af7
+        shift
2c0af7
+done
2c0af7
+
2c0af7
+
2c0af7
+if $KEYGEN $args $alg foo > /dev/null 2>&1
2c0af7
+then
2c0af7
+    rm -f Kfoo*
2c0af7
+else
2c0af7
+    if test $quiet -eq 0; then
2c0af7
+        echo "I:This test requires support for $msg1" >&2
2c0af7
+        echo "I:configure with $msg2" >&2
2c0af7
+    fi
2c0af7
+    exit 255
2c0af7
+fi
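Review bot: The probe `if $KEYGEN $args $alg foo > /dev/null 2>&1` treats every keygen failure as missing crypto support and exits 255, with the real error thrown away. An unset `$KEYGEN`, an unwritable directory or a key type refused by the FIPS policy would all look the same to the caller, so a regression could be hidden, presumably as a skip, though how the runner reads 255 is not visible here. Keeping the error output and showing it when not quiet would help: `$KEYGEN $args $alg foo > /dev/null 2> keygen.err` (file name constructed) and `cat keygen.err >&2` in the `test $quiet -eq 0` branch. The `*)` arm also prints to stdout and omits the argument; `echo "${prog}: unknown argument: $1" >&2` would match the other diagnostics.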
2c0af7
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
2c0af7
index af17582096..b61b5d0796 100644
2c0af7
--- a/bin/tests/system/tkey/keycreate.c
2c0af7
+++ b/bin/tests/system/tkey/keycreate.c
2c0af7
@@ -27,6 +27,7 @@
2c0af7
 #include <isc/entropy.h>
2c0af7
 #include <isc/hash.h>
2c0af7
 #include <isc/log.h>
2c0af7
+#include <isc/md5.h>
2c0af7
 #include <isc/mem.h>
2c0af7
 #include <isc/sockaddr.h>
2c0af7
 #include <isc/socket.h>
2c0af7
@@ -143,6 +144,8 @@ sendquery(isc_task_t *task, isc_event_t *event) {
2c0af7
 	static char keystr[] = "0123456789ab";
2c0af7
 
2c0af7
 	isc_event_free(&event);
2c0af7
+	if (isc_md5_available() == ISC_FALSE)
2c0af7
+		CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
2c0af7
 
2c0af7
 	result = ISC_R_FAILURE;
2c0af7
 	if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1)
2c0af7
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
2c0af7
index 1bb33e85fe..da4b1c3c09 100644
2c0af7
--- a/bin/tests/system/tkey/keydelete.c
2c0af7
+++ b/bin/tests/system/tkey/keydelete.c
2c0af7
@@ -228,12 +228,18 @@ main(int argc, char **argv) {
2c0af7
 	type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
2c0af7
 	result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey);
2c0af7
 	CHECK("dst_key_fromnamedfile", result);
2c0af7
-	result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
2c0af7
-					   DNS_TSIG_HMACMD5_NAME,
2c0af7
-					   dstkey, ISC_TRUE, NULL, 0, 0,
2c0af7
-					   mctx, ring, &tsigkey);
2c0af7
-	dst_key_free(&dstkey);
2c0af7
-	CHECK("dns_tsigkey_createfromkey", result);
2c0af7
+	if (isc_md5_available()) {
2c0af7
+		result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
2c0af7
+						   DNS_TSIG_HMACMD5_NAME,
2c0af7
+						   dstkey, ISC_TRUE,
2c0af7
+						   NULL, 0, 0,
2c0af7
+						   mctx, ring, &tsigkey);
2c0af7
+		dst_key_free(&dstkey);
2c0af7
+		CHECK("dns_tsigkey_createfromkey", result);
2c0af7
+	} else {
2c0af7
+		dst_key_free(&dstkey);
2c0af7
+		CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
2c0af7
+	}
2c0af7
 
2c0af7
 	(void)isc_app_run();
2c0af7
 
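Review bot: The MD5 availability test runs only after `dst_key_fromnamedfile()` has loaded the key, and `dst_key_free(&dstkey)` is now written in both branches. If the named key is itself an HMAC-MD5 key (its type is not visible in the hunk), loading may already fail when MD5 is disabled and the `MD5 was disabled` message would never be printed. Testing first avoids both: `if (!isc_md5_available()) CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);` placed before the `dst_key_fromnamedfile` call, leaving the original create/free/CHECK sequence as it was. `main` starts and ends outside the hunk.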
2c0af7
diff --git a/bin/tests/system/tkey/prereq.sh b/bin/tests/system/tkey/prereq.sh
2c0af7
index 66295fee90..310849f08e 100644
2c0af7
--- a/bin/tests/system/tkey/prereq.sh
2c0af7
+++ b/bin/tests/system/tkey/prereq.sh
2c0af7
@@ -17,13 +17,4 @@
2c0af7
 
2c0af7
 # $Id: prereq.sh,v 1.12 2009/03/02 23:47:43 tbox Exp $
2c0af7
 
2c0af7
-../../../tools/genrandom 400 random.data
2c0af7
-
2c0af7
-if $KEYGEN -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
2c0af7
-then
2c0af7
-    rm -f foo*
2c0af7
-else
2c0af7
-    echo "I:This test requires cryptography" >&2
2c0af7
-    echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
2c0af7
-    exit 1
2c0af7
-fi
2c0af7
+exec $SHELL ../testcrypto.sh
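Review bot: This prerequisite no longer says anything about MD5: testcrypto.sh probes RSASHA1 by default, while the keycreate.c and keydelete.c hunks in this patch report `ISC_R_NOTIMPLEMENTED` through `CHECK` when `isc_md5_available()` is false. With MD5 disabled the tkey test would therefore start and then fail, unless tkey/tests.sh (not in this part of the patch) guards the calls. If a skip is intended, a check such as `$FEATURETEST --md5 || exit 255` before the `exec` line would do it, assuming `$FEATURETEST` is exported to prereq.sh the way `$KEYGEN` was.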
2c0af7
diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh
2c0af7
index 0e98b4047b..b11a378006 100644
2c0af7
--- a/bin/tests/system/tsig/clean.sh
2c0af7
+++ b/bin/tests/system/tsig/clean.sh
2c0af7
@@ -23,3 +23,4 @@
2c0af7
 rm -f dig.out.*
2c0af7
 rm -f */named.memstats
2c0af7
 rm -f */named.run
2c0af7
+rm -f ns1/rndc5.conf
2c0af7
diff --git a/bin/tests/system/tsig/ns1/named.conf b/bin/tests/system/tsig/ns1/named.conf
2c0af7
index b48de835f4..e7e568acc7 100644
2c0af7
--- a/bin/tests/system/tsig/ns1/named.conf
2c0af7
+++ b/bin/tests/system/tsig/ns1/named.conf
2c0af7
@@ -30,10 +30,7 @@ options {
2c0af7
 	notify no;
2c0af7
 };
2c0af7
 
2c0af7
-key "md5" {
2c0af7
-	secret "97rnFx24Tfna4mHPfgnerA==";
2c0af7
-	algorithm hmac-md5;
2c0af7
-};
2c0af7
+# md5 key included from rndc5.conf
2c0af7
 
2c0af7
 key "sha1" {
2c0af7
 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
2c0af7
@@ -60,10 +57,7 @@ key "sha512" {
2c0af7
 	algorithm hmac-sha512;
2c0af7
 };
2c0af7
 
2c0af7
-key "md5-trunc" {
2c0af7
-	secret "97rnFx24Tfna4mHPfgnerA==";
2c0af7
-	algorithm hmac-md5-80;
2c0af7
-};
2c0af7
+# md5-trunc key included from rndc5.conf
2c0af7
 
2c0af7
 key "sha1-trunc" {
2c0af7
 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
2c0af7
@@ -94,3 +88,5 @@ zone "example.nil" {
2c0af7
 	type master;
2c0af7
 	file "example.db";
2c0af7
 };
2c0af7
+
2c0af7
+include "rndc5.conf";
2c0af7
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
2c0af7
new file mode 100644
2c0af7
index 0000000000..f9b17d6e8e
2c0af7
--- /dev/null
2c0af7
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
2c0af7
@@ -0,0 +1,22 @@
2c0af7
+/*
2c0af7
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
2c0af7
+ *
2c0af7
+ * This Source Code Form is subject to the terms of the Mozilla Public
2c0af7
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
2c0af7
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
2c0af7
+ *
2c0af7
+ * See the COPYRIGHT file distributed with this work for additional
2c0af7
+ * information regarding copyright ownership.
2c0af7
+ */
2c0af7
+
2c0af7
+/* These md5 keys are used only when MD5 is not disabled in build */
2c0af7
+key "md5" {
2c0af7
+	secret "97rnFx24Tfna4mHPfgnerA==";
2c0af7
+	algorithm hmac-md5;
2c0af7
+};
2c0af7
+
2c0af7
+key "md5-trunc" {
2c0af7
+	secret "97rnFx24Tfna4mHPfgnerA==";
2c0af7
+	algorithm hmac-md5-80;
2c0af7
+};
2c0af7
+
2c0af7
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
2c0af7
new file mode 100644
2c0af7
index 0000000000..7f9049ae76
2c0af7
--- /dev/null
2c0af7
+++ b/bin/tests/system/tsig/setup.sh
2c0af7
@@ -0,0 +1,25 @@
2c0af7
+#!/bin/sh
2c0af7
+#
2c0af7
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
2c0af7
+#
2c0af7
+# This Source Code Form is subject to the terms of the Mozilla Public
2c0af7
+# License, v. 2.0. If a copy of the MPL was not distributed with this
2c0af7
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
2c0af7
+#
2c0af7
+# See the COPYRIGHT file distributed with this work for additional
2c0af7
+# information regarding copyright ownership.
2c0af7
+
2c0af7
+SYSTEMTESTTOP=..
2c0af7
+. $SYSTEMTESTTOP/conf.sh
2c0af7
+
2c0af7
+$SHELL clean.sh
2c0af7
+
2c0af7
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
2c0af7
+
2c0af7
+if $FEATURETEST --md5
2c0af7
+then
2c0af7
+	# Include MD5 keys only if it is 
2c0af7
+	cp ns1/rndc5.conf.in ns1/rndc5.conf
2c0af7
+else
2c0af7
+	echo "# MD5 disabled" > ns1/rndc5.conf
2c0af7
+fi
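Review bot: The comment in the `then` branch, `# Include MD5 keys only if it is `, stops mid-sentence and ends in trailing whitespace. Something like `# Include the MD5 keys only if MD5 is available at runtime` says what the branch does. `$RANDFILE` is also expanded unquoted in `test -r $RANDFILE`; if conf.sh ever leaves it empty, `test -r` with no operand evaluates as true and the random file is silently not generated, so `test -r "$RANDFILE"` is safer.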
2c0af7
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
2c0af7
index 50ac8d23e6..bd502dd718 100644
2c0af7
--- a/bin/tests/system/tsig/tests.sh
2c0af7
+++ b/bin/tests/system/tsig/tests.sh
2c0af7
@@ -31,22 +31,27 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
2c0af7
 
2c0af7
 status=0
2c0af7
 
2c0af7
-echo "I:fetching using hmac-md5 (old form)"
2c0af7
-ret=0
2c0af7
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
2c0af7
-	-y "md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.old || ret=1
2c0af7
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
2c0af7
-if [ $ret -eq 1 ] ; then
2c0af7
-	echo "I: failed"; status=1
2c0af7
-fi
2c0af7
-
2c0af7
-echo "I:fetching using hmac-md5 (new form)"
2c0af7
-ret=0
2c0af7
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
2c0af7
-	-y "hmac-md5:md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.new || ret=1
2c0af7
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
2c0af7
-if [ $ret -eq 1 ] ; then
2c0af7
-	echo "I: failed"; status=1
2c0af7
+if $FEATURETEST --md5
2c0af7
+then
2c0af7
+	echo "I:fetching using hmac-md5 (old form)"
2c0af7
+	ret=0
2c0af7
+	$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
2c0af7
+		-y "md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.old || ret=1
2c0af7
+	grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
2c0af7
+	if [ $ret -eq 1 ] ; then
2c0af7
+		echo "I: failed"; status=1
2c0af7
+	fi
2c0af7
+
2c0af7
+	echo "I:fetching using hmac-md5 (new form)"
2c0af7
+	ret=0
2c0af7
+	$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
2c0af7
+		-y "hmac-md5:md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.new || ret=1
2c0af7
+	grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
2c0af7
+	if [ $ret -eq 1 ] ; then
2c0af7
+		echo_i "failed"; status=1
2c0af7
+	fi
2c0af7
+else
2c0af7
+	echo_i "skipping using hmac-md5"
2c0af7
 fi
2c0af7
 
2c0af7
 echo "I:fetching using hmac-sha1"
2c0af7
@@ -99,13 +104,19 @@ fi
2c0af7
 #	Truncated TSIG
2c0af7
 #
2c0af7
 #
2c0af7
+
2c0af7
+if $FEATURETEST --md5
2c0af7
+then
2c0af7
 echo "I:fetching using hmac-md5 (trunc)"
2c0af7
-ret=0
2c0af7
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
2c0af7
-	-y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.trunc || ret=1
2c0af7
-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
2c0af7
-if [ $ret -eq 1 ] ; then
2c0af7
-	echo "I: failed"; status=1
2c0af7
+	ret=0
2c0af7
+	$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
2c0af7
+		-y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.trunc || ret=1
2c0af7
+	grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
2c0af7
+	if [ $ret -eq 1 ] ; then
2c0af7
+		echo "I: failed"; status=1
2c0af7
+	fi
2c0af7
+else
2c0af7
+	echo "W:skipping using hmac-md5 (trunc)"
2c0af7
 fi
2c0af7
 
2c0af7
 echo "I:fetching using hmac-sha1 (trunc)"
2c0af7
@@ -159,13 +170,19 @@ fi
2c0af7
 #	Check for bad truncation.
2c0af7
 #
2c0af7
 #
2c0af7
-echo "I:fetching using hmac-md5-80 (BADTRUNC)" 
2c0af7
-ret=0
2c0af7
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
2c0af7
-	-y "hmac-md5-80:md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5-80 || ret=1
2c0af7
-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
2c0af7
-if [ $ret -eq 1 ] ; then
2c0af7
-	echo "I: failed"; status=1
2c0af7
+
2c0af7
+if $FEATURETEST --md5
2c0af7
+then
2c0af7
+	echo "I:fetching using hmac-md5-80 (BADTRUNC)"
2c0af7
+	ret=0
2c0af7
+	$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
2c0af7
+		-y "hmac-md5-80:md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5-80 || ret=1
2c0af7
+	grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
2c0af7
+	if [ $ret -eq 1 ] ; then
2c0af7
+		echo "I: failed"; status=1
2c0af7
+	fi
2c0af7
+else
2c0af7
+	echo "W:skipping using hmac-md5-80 (BADTRUNC)" 
2c0af7
 fi
2c0af7
 
2c0af7
 echo "I:fetching using hmac-sha1-80 (BADTRUNC)"
2c0af7
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
2c0af7
index 00222bad05..e795df3bff 100644
2c0af7
--- a/bin/tests/system/tsiggss/setup.sh
2c0af7
+++ b/bin/tests/system/tsiggss/setup.sh
2c0af7
@@ -26,5 +26,5 @@ rm -f ns1/*.jnl ns1/K*.key ns1/K*.private ns1/_default.tsigkeys
2c0af7
 
2c0af7
 ../../../tools/genrandom 400 $RANDFILE
2c0af7
 
2c0af7
-key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.`
2c0af7
+key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.`
2c0af7
 cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
2c0af7
diff --git a/bin/tests/system/upforwd/ns1/named.conf b/bin/tests/system/upforwd/ns1/named.conf
2c0af7
index 8d9d2fa0d9..c3c0238073 100644
2c0af7
--- a/bin/tests/system/upforwd/ns1/named.conf
2c0af7
+++ b/bin/tests/system/upforwd/ns1/named.conf
2c0af7
@@ -18,7 +18,7 @@
2c0af7
 /* $Id: named.conf,v 1.11 2007/06/18 23:47:31 tbox Exp $ */
2c0af7
 
2c0af7
 key "update.example." {
2c0af7
-	algorithm "hmac-md5";
2c0af7
+	algorithm "hmac-sha256";
2c0af7
 	secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
2c0af7
 };
2c0af7
 
2c0af7
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
2c0af7
index a138649ac3..e14a592db6 100644
2c0af7
--- a/bin/tests/system/upforwd/tests.sh
2c0af7
+++ b/bin/tests/system/upforwd/tests.sh
2c0af7
@@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi
2c0af7
 
2c0af7
 echo "I:updating zone (signed)"
2c0af7
 ret=0
2c0af7
-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <
2c0af7
+$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <
2c0af7
 server 10.53.0.3 5300
2c0af7
 update add updated.example. 600 A 10.10.10.1
2c0af7
 update add updated.example. 600 TXT Foo
2c0af7
-- 
2c0af7
2.14.4
2c0af7