diff --git a/bind-9.11-fips-code.patch b/bind-9.11-fips-code.patch
new file mode 100644
index 0000000..2dccdea
--- /dev/null
+++ b/bind-9.11-fips-code.patch
@@ -0,0 +1,1516 @@
+From fb8665aebd79ea33cb255f578544e1738f5bbb58 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 2 Aug 2018 23:34:45 +0200
+Subject: [PATCH 1/2] Squashed commit of the following:
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit b49f70ce0575b6b52a71b90fe0376dbf16f92c6b
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Mon Jan 22 14:12:37 2018 +0100
+
+    Update system tests to detect MD5 disabled at runtime
+
+commit 80ceffee4860c24baf70bc9a8653d92731eda2e4
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Thu Aug 2 14:53:54 2018 +0200
+
+    Avoid warning about undefined parameters
+
+commit e4ad4363e3d1acaac58456117579f02761f38fdc
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Wed Jun 20 19:31:19 2018 +0200
+
+    Fix rndc-confgen default algorithm, report true algorithm in usage.
+
+commit 7e629a351010cb75e0589ec361f720085675998c
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Fri Feb 23 21:21:30 2018 +0100
+
+    Cleanup only if initialization was successful
+
+commit 2101b948c77cbcbe07eb4a1e60f3e693b2245ec6
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Mon Feb 5 12:19:28 2018 +0100
+
+    Ensure dst backend is initialized first even before hmac algorithms.
+
+commit 7567c7edde7519115a9ae7e20818c835d3eb1ffe
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Mon Feb 5 12:17:54 2018 +0100
+
+    Skip initialization of MD5 based algorithms if not available.
+
+commit 5782137df6b45a6d900d5a1c250c1257227e917a
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Mon Feb 5 10:21:27 2018 +0100
+
+    Change secalgs skipping to be more safe
+
+commit f2d78729898182d2d19d5064de1bec9b66817159
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Wed Jan 31 18:26:11 2018 +0100
+
+    Skip MD5 algorithm also in case of NULL name
+
+commit 32a2ad4abc7aaca1c257730319ad3c27405d3407
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Wed Jan 31 11:38:12 2018 +0100
+
+    Make MD5 behave like unknown algorithm in TSIG.
+
+commit 13cd3f704dce568fdf24a567be5802b58ac6007b
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Tue Nov 28 20:14:37 2017 +0100
+
+    Select token with most supported functions, instead of demanding it must support all functions
+
+    Initialize PKCS#11 always until successfully initialized
+
+commit a71df74abdca4fe63bcdf542b81a109cf1f495b4
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Mon Jan 22 16:17:44 2018 +0100
+
+    Handle MD5 unavailability from DST
+
+commit dd82cb263efa2753d3ee772972726ea08bcc639b
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Mon Jan 22 14:11:16 2018 +0100
+
+    Check runtime flag from library and applications, fail gracefully.
+
+commit c7b2f87f07ecae75b821a908e29f08a42371e32e
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Mon Jan 22 08:39:08 2018 +0100
+
+    Modify libraries to use isc_md5_available() if PK11_MD5_DISABLE is not
+    defined.
+    TODO: pk11.c should accept slot without MD5 support.
+
+commit 0b8e470ec636b9e350b5ec3203eb2b4091415fde
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Mon Jan 22 07:21:04 2018 +0100
+
+    Add runtime detection whether MD5 is useable.
+---
+ bin/confgen/keygen.c              | 10 ++++-
+ bin/confgen/rndc-confgen.c        | 36 +++++-------------
+ bin/dig/dig.c                     |  7 ++--
+ bin/dig/dighost.c                 | 14 +++++--
+ bin/dnssec/dnssec-keygen.c        | 14 +++++++
+ bin/named/config.c                | 25 ++++++++++++-
+ bin/nsupdate/nsupdate.c           | 24 +++++++-----
+ bin/rndc/rndc.c                   |  3 +-
+ bin/tests/optional/hash_test.c    | 78 ++++++++++++++++++++-------------------
+ bin/tests/system/tkey/keycreate.c |  3 ++
+ bin/tests/system/tkey/keydelete.c | 18 ++++++---
+ lib/bind9/check.c                 | 10 +++++
+ lib/dns/dst_api.c                 | 23 ++++++++----
+ lib/dns/dst_internal.h            |  3 +-
+ lib/dns/dst_parse.c               | 18 +++++++--
+ lib/dns/hmac_link.c               | 20 +++-------
+ lib/dns/opensslrsa_link.c         |  6 +++
+ lib/dns/pkcs11rsa_link.c          | 33 +++++++++++++++--
+ lib/dns/rcode.c                   | 21 ++++++++++-
+ lib/dns/tests/rsa_test.c          | 29 ++++++++-------
+ lib/dns/tests/tsig_test.c         |  1 +
+ lib/dns/tkey.c                    |  9 +++++
+ lib/dns/tsec.c                    |  8 +++-
+ lib/dns/tsig.c                    | 17 +++++----
+ lib/isc/include/isc/md5.h         |  3 ++
+ lib/isc/md5.c                     | 59 +++++++++++++++++++++++++++++
+ lib/isc/pk11.c                    | 58 ++++++++++++++++++++---------
+ lib/isc/tests/hash_test.c         |  9 +++--
+ lib/isccc/cc.c                    | 42 +++++++++++++--------
+ 29 files changed, 424 insertions(+), 177 deletions(-)
+
+diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
+index 453c641dba..11cc54dd46 100644
+--- a/bin/confgen/keygen.c
++++ b/bin/confgen/keygen.c
+@@ -22,6 +22,7 @@
+ #include <isc/entropy.h>
+ #include <isc/file.h>
+ #include <isc/keyboard.h>
++#include <isc/md5.h>
+ #include <isc/mem.h>
+ #include <isc/print.h>
+ #include <isc/result.h>
+@@ -73,7 +74,7 @@ alg_fromtext(const char *name) {
+ 		p = &name[5];
+ 
+ #ifndef PK11_MD5_DISABLE
+-	if (strcasecmp(p, "md5") == 0)
++	if (strcasecmp(p, "md5") == 0 && isc_md5_available())
+ 		return DST_ALG_HMACMD5;
+ #endif
+ 	if (strcasecmp(p, "sha1") == 0)
+@@ -132,6 +133,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
+ 	switch (alg) {
+ #ifndef PK11_MD5_DISABLE
+ 	    case DST_ALG_HMACMD5:
++		if (isc_md5_available() == ISC_FALSE) {
++			fatal("unsupported algorithm %d\n", alg);
++		} else if (keysize < 1 || keysize > 512) {
++			fatal("keysize %d out of range (must be 1-512)\n",
++			      keysize);
++		}
++		break;
+ #endif
+ 	    case DST_ALG_HMACSHA1:
+ 	    case DST_ALG_HMACSHA224:
+diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c
+index 2925baf32f..d7d8418073 100644
+--- a/bin/confgen/rndc-confgen.c
++++ b/bin/confgen/rndc-confgen.c
+@@ -35,6 +35,7 @@
+ #include <isc/file.h>
+ #include <isc/keyboard.h>
+ #include <isc/mem.h>
++#include <isc/md5.h>
+ #include <isc/net.h>
+ #include <isc/print.h>
+ #include <isc/result.h>
+@@ -62,7 +63,7 @@ const char *progname;
+ 
+ isc_boolean_t verbose = ISC_FALSE;
+ 
+-const char *keyfile, *keydef;
++const char *keyfile, *keydef, *algdef;
+ 
+ ISC_PLATFORM_NORETURN_PRE static void
+ usage(int status) ISC_PLATFORM_NORETURN_POST;
+@@ -70,13 +71,12 @@ usage(int status) ISC_PLATFORM_NORETURN_POST;
+ static void
+ usage(int status) {
+ 
+-#ifndef PK11_MD5_DISABLE
+ 	fprintf(stderr, "\
+ Usage:\n\
+  %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
+ [-s addr] [-t chrootdir] [-u user]\n\
+   -a:		 generate just the key clause and write it to keyfile (%s)\n\
+-  -A alg:	 algorithm (default hmac-md5)\n\
++  -A alg:	 algorithm (default %s)\n\
+   -b bits:	 from 1 through 512, default 256; total length of the secret\n\
+   -c keyfile:	 specify an alternate key file (requires -a)\n\
+   -k keyname:	 the name as it will be used  in named.conf and rndc.conf\n\
+@@ -85,24 +85,7 @@ Usage:\n\
+   -s addr:	 the address to which rndc should connect\n\
+   -t chrootdir:	 write a keyfile in chrootdir as well (requires -a)\n\
+   -u user:	 set the keyfile owner to \"user\" (requires -a)\n",
+-		 progname, keydef);
+-#else
+-	fprintf(stderr, "\
+-Usage:\n\
+- %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
+-[-s addr] [-t chrootdir] [-u user]\n\
+-  -a:		 generate just the key clause and write it to keyfile (%s)\n\
+-  -A alg:	 algorithm (default hmac-sha256)\n\
+-  -b bits:	 from 1 through 512, default 256; total length of the secret\n\
+-  -c keyfile:	 specify an alternate key file (requires -a)\n\
+-  -k keyname:	 the name as it will be used  in named.conf and rndc.conf\n\
+-  -p port:	 the port named will listen on and rndc will connect to\n\
+-  -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
+-  -s addr:	 the address to which rndc should connect\n\
+-  -t chrootdir:	 write a keyfile in chrootdir as well (requires -a)\n\
+-  -u user:	 set the keyfile owner to \"user\" (requires -a)\n",
+-		 progname, keydef);
+-#endif
++		 progname, keydef, algdef);
+ 
+ 	exit (status);
+ }
+@@ -138,13 +121,14 @@ main(int argc, char **argv) {
+ 	progname = program;
+ 
+ 	keyname = DEFAULT_KEYNAME;
+-#ifndef PK11_MD5_DISABLE
+-	alg = DST_ALG_HMACMD5;
+-#else
+-	alg = DST_ALG_HMACSHA256;
+-#endif
+ 	serveraddr = DEFAULT_SERVER;
+ 	port = DEFAULT_PORT;
++	alg = DST_ALG_HMACSHA256;
++#ifndef PK11_MD5_DISABLE
++	if (isc_md5_available())
++		alg = DST_ALG_HMACMD5;
++#endif
++	algdef = alg_totext(alg);
+ 
+ 	isc_commandline_errprint = ISC_FALSE;
+ 
+diff --git a/bin/dig/dig.c b/bin/dig/dig.c
+index d4808ada67..9dff7c8ecd 100644
+--- a/bin/dig/dig.c
++++ b/bin/dig/dig.c
+@@ -17,6 +17,7 @@
+ #include <ctype.h>
+ 
+ #include <isc/app.h>
++#include <isc/md5.h>
+ #include <isc/netaddr.h>
+ #include <isc/parseint.h>
+ #include <isc/platform.h>
+@@ -1757,10 +1758,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
+ 			ptr = ptr2;
+ 			ptr2 = ptr3;
+ 		} else  {
+-#ifndef PK11_MD5_DISABLE
+-			hmacname = DNS_TSIG_HMACMD5_NAME;
+-#else
+ 			hmacname = DNS_TSIG_HMACSHA256_NAME;
++#ifndef PK11_MD5_DISABLE
++			if (isc_md5_available())
++				hmacname = DNS_TSIG_HMACMD5_NAME;
+ #endif
+ 			digestbits = 0;
+ 		}
+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
+index ecefc98453..94c428ed30 100644
+--- a/bin/dig/dighost.c
++++ b/bin/dig/dighost.c
+@@ -77,6 +77,7 @@
+ #include <isc/hex.h>
+ #include <isc/lang.h>
+ #include <isc/log.h>
++#include <isc/md5.h>
+ #include <isc/netaddr.h>
+ #include <isc/netdb.h>
+ #include <isc/parseint.h>
+@@ -1243,9 +1244,10 @@ parse_hmac(const char *hmac) {
+ 	digestbits = 0;
+ 
+ #ifndef PK11_MD5_DISABLE
+-	if (strcasecmp(buf, "hmac-md5") == 0) {
++	if (strcasecmp(buf, "hmac-md5") == 0 && isc_md5_available()) {
+ 		hmacname = DNS_TSIG_HMACMD5_NAME;
+-	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
++	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0 &&
++		   isc_md5_available()) {
+ 		hmacname = DNS_TSIG_HMACMD5_NAME;
+ 		digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
+ 	} else
+@@ -1365,7 +1367,13 @@ setup_file_key(void) {
+ 	switch (dst_key_alg(dstkey)) {
+ #ifndef PK11_MD5_DISABLE
+ 	case DST_ALG_HMACMD5:
+-		hmacname = DNS_TSIG_HMACMD5_NAME;
++		if (isc_md5_available()) {
++			hmacname = DNS_TSIG_HMACMD5_NAME;
++		} else {
++			printf(";; Couldn't create key %s: bad algorithm\n",
++			       keynametext);
++			goto failure;
++		}
+ 		break;
+ #endif
+ 	case DST_ALG_HMACSHA1:
+diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
+index 6fc3ab0979..fc04356ed4 100644
+--- a/bin/dnssec/dnssec-keygen.c
++++ b/bin/dnssec/dnssec-keygen.c
+@@ -34,6 +34,7 @@
+ #include <isc/buffer.h>
+ #include <isc/commandline.h>
+ #include <isc/entropy.h>
++#include <isc/md5.h>
+ #include <isc/mem.h>
+ #include <isc/print.h>
+ #include <isc/region.h>
+@@ -560,6 +561,19 @@ main(int argc, char **argv) {
+ 					"\"-a RSAMD5\"\n");
+ 			INSIST(freeit == NULL);
+ 			return (1);
++		} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
++			if (isc_md5_available()) {
++				alg = DST_ALG_HMACMD5;
++			} else {
++				fprintf(stderr,
++					"The use of HMAC-MD5 was disabled\n");
++				return (1);
++			}
++		} else if (strcasecmp(algname, "RSAMD5") == 0 &&
++			   isc_md5_available() == ISC_FALSE) {
++			fprintf(stderr, "The use of RSAMD5 was disabled\n");
++			INSIST(freeit == NULL);
++			return (1);
+ 		} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
+ 			alg = DST_ALG_HMACMD5;
+ #else
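Review bot: The pre-existing `else if (strcasecmp(algname, "HMAC-MD5") == 0) { alg = DST_ALG_HMACMD5;` branch at the end of the hunk is now unreachable, because the new branch a few lines above tests the identical condition first; drop the old branch rather than leave it as dead code. The two new disabled-algorithm paths are also inconsistent with each other: the RSAMD5 one runs `INSIST(freeit == NULL);` before `return (1);` like the surrounding code, while the HMAC-MD5 one returns without it. The enclosing `main` starts and ends outside the hunk.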
+diff --git a/bin/named/config.c b/bin/named/config.c
+index 54bc37fff7..c50f759ddd 100644
+--- a/bin/named/config.c
++++ b/bin/named/config.c
+@@ -17,6 +17,7 @@
+ 
+ #include <isc/buffer.h>
+ #include <isc/log.h>
++#include <isc/md5.h>
+ #include <isc/mem.h>
+ #include <isc/parseint.h>
+ #include <isc/region.h>
+@@ -966,6 +967,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
+ 	return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits));
+ }
+ 
++static inline int
++algorithms_start() {
++#ifndef PK11_MD5_DISABLE
++	if (isc_md5_available() == ISC_FALSE) {
++		int i = 0;
++		while (algorithms[i].str != NULL &&
++			algorithms[i].hmac == hmacmd5) {
++			i++;
++		}
++		return i;
++	}
++#endif
++	return 0;
++}
++
+ isc_result_t
+ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
+ 			   unsigned int *typep, isc_uint16_t *digestbits)
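Review bot: `algorithms_start()` is declared with an empty parameter list, which in C is an old-style declaration; it should read `static inline int algorithms_start(void) {`. The skip loop is only correct if every `hmacmd5` entry sits at the head of `algorithms[]` and no `hmacmd5` entry follows a non-MD5 one — nothing here enforces that, so the table (outside the hunk) deserves a comment such as `/* hmac-md5 entries must stay first: algorithms_start() skips them as a prefix */`. Both points apply equally to `secalgs_tbl_start()` in lib/dns/rcode.c, which walks `secalgs` past leading `DNS_KEYALG_RSAMD5` entries the same way.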
+@@ -975,7 +991,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
+ 	isc_uint16_t bits;
+ 	isc_result_t result;
+ 
+-	for (i = 0; algorithms[i].str != NULL; i++) {
++	for (i = algorithms_start(); algorithms[i].str != NULL; i++) {
+ 		len = strlen(algorithms[i].str);
+ 		if (strncasecmp(algorithms[i].str, str, len) == 0 &&
+ 		    (str[len] == '\0' ||
+@@ -998,7 +1014,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
+ 	if (name != NULL) {
+ 		switch (algorithms[i].hmac) {
+ #ifndef PK11_MD5_DISABLE
+-		case hmacmd5: *name = dns_tsig_hmacmd5_name; break;
++		case hmacmd5:
++			if (isc_md5_available()) {
++				*name = dns_tsig_hmacmd5_name; break;
++			} else {
++				return (ISC_R_NOTFOUND);
++			}
+ #endif
+ 		case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
+ 		case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
+diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
+index 6967b49754..bb5d50038f 100644
+--- a/bin/nsupdate/nsupdate.c
++++ b/bin/nsupdate/nsupdate.c
+@@ -29,6 +29,7 @@
+ #include <isc/hash.h>
+ #include <isc/lex.h>
+ #include <isc/log.h>
++#include <isc/md5.h>
+ #include <isc/mem.h>
+ #include <isc/parseint.h>
+ #include <isc/print.h>
+@@ -474,9 +475,10 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len,
+ 	strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf)));
+ 
+ #ifndef PK11_MD5_DISABLE
+-	if (strcasecmp(buf, "hmac-md5") == 0) {
++	if (strcasecmp(buf, "hmac-md5") == 0 && isc_md5_available()) {
+ 		*hmac = DNS_TSIG_HMACMD5_NAME;
+-	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
++	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0 &&
++		   isc_md5_available()) {
+ 		*hmac = DNS_TSIG_HMACMD5_NAME;
+ 		result = isc_parse_uint16(&digestbits, &buf[9], 10);
+ 		if (result != ISC_R_SUCCESS || digestbits > 128) {
+@@ -589,10 +591,10 @@ setup_keystr(void) {
+ 			exit(1);
+ 		}
+ 	} else {
+-#ifndef PK11_MD5_DISABLE
+-		hmacname = DNS_TSIG_HMACMD5_NAME;
+-#else
+ 		hmacname = DNS_TSIG_HMACSHA256_NAME;
++#ifndef PK11_MD5_DISABLE
++		if (isc_md5_available())
++			hmacname = DNS_TSIG_HMACMD5_NAME;
+ #endif
+ 		name = keystr;
+ 		n = s;
+@@ -729,7 +731,8 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
+ 	switch (dst_key_alg(dstkey)) {
+ #ifndef PK11_MD5_DISABLE
+ 	case DST_ALG_HMACMD5:
+-		hmacname = DNS_TSIG_HMACMD5_NAME;
++		if (isc_md5_available())
++			hmacname = DNS_TSIG_HMACMD5_NAME;
+ 		break;
+ #endif
+ 	case DST_ALG_HMACSHA1:
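Review bot: When MD5 is unavailable the `DST_ALG_HMACMD5` case now simply `break`s with `hmacname` untouched, so the key file is accepted silently and whatever `hmacname` held before (presumably NULL; its initialisation is not in the hunk) flows on into TSIG key creation. The equivalent change to `setup_file_key` in bin/dig/dighost.c in this same patch prints `bad algorithm` and jumps to its failure path; nsupdate should fail the same way, emitting a diagnostic and taking `setup_keyfile`'s existing error exit instead of breaking out of the switch. `setup_keyfile` starts and ends outside the hunk, so that exit is not visible here.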
+@@ -1604,12 +1607,13 @@ evaluate_key(char *cmdline) {
+ 			return (STATUS_SYNTAX);
+ 		}
+ 		namestr = n + 1;
+-	} else
+-#ifndef PK11_MD5_DISABLE
+-		hmacname = DNS_TSIG_HMACMD5_NAME;
+-#else
++	} else {
+ 		hmacname = DNS_TSIG_HMACSHA256_NAME;
++#ifndef PK11_MD5_DISABLE
++		if (isc_md5_available())
++			hmacname = DNS_TSIG_HMACMD5_NAME;
+ #endif
++	}
+ 
+ 	isc_buffer_init(&b, namestr, strlen(namestr));
+ 	isc_buffer_add(&b, strlen(namestr));
+diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
+index 5c29caf86b..617b06b4a1 100644
+--- a/bin/rndc/rndc.c
++++ b/bin/rndc/rndc.c
+@@ -21,6 +21,7 @@
+ #include <isc/file.h>
+ #include <isc/log.h>
+ #include <isc/net.h>
++#include <isc/md5.h>
+ #include <isc/mem.h>
+ #include <isc/print.h>
+ #include <isc/random.h>
+@@ -634,7 +635,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
+ 	algorithmstr = cfg_obj_asstring(algorithmobj);
+ 
+ #ifndef PK11_MD5_DISABLE
+-	if (strcasecmp(algorithmstr, "hmac-md5") == 0)
++	if (strcasecmp(algorithmstr, "hmac-md5") == 0 && isc_md5_available())
+ 		algorithm = ISCCC_ALG_HMACMD5;
+ 	else
+ #endif
+diff --git a/bin/tests/optional/hash_test.c b/bin/tests/optional/hash_test.c
+index bf2891ad4c..b5f0a1c5f5 100644
+--- a/bin/tests/optional/hash_test.c
++++ b/bin/tests/optional/hash_test.c
+@@ -90,43 +90,47 @@ main(int argc, char **argv) {
+ 	print_digest(s, "sha224", digest, ISC_SHA224_DIGESTLENGTH/4);
+ 
+ #ifndef PK11_MD5_DISABLE
+-	s = "abc";
+-	isc_md5_init(&md5);
+-	memmove(buffer, s, strlen(s));
+-	isc_md5_update(&md5, buffer, strlen(s));
+-	isc_md5_final(&md5, digest);
+-	print_digest(s, "md5", digest, 4);
+-
+-	/*
+-	 * The 3 HMAC-MD5 examples from RFC2104
+-	 */
+-	s = "Hi There";
+-	memset(key, 0x0b, 16);
+-	isc_hmacmd5_init(&hmacmd5, key, 16);
+-	memmove(buffer, s, strlen(s));
+-	isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
+-	isc_hmacmd5_sign(&hmacmd5, digest);
+-	print_digest(s, "hmacmd5", digest, 4);
+-
+-	s = "what do ya want for nothing?";
+-	strlcpy((char *)key, "Jefe", sizeof(key));
+-	isc_hmacmd5_init(&hmacmd5, key, 4);
+-	memmove(buffer, s, strlen(s));
+-	isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
+-	isc_hmacmd5_sign(&hmacmd5, digest);
+-	print_digest(s, "hmacmd5", digest, 4);
+-
+-	s = "\335\335\335\335\335\335\335\335\335\335"
+-	    "\335\335\335\335\335\335\335\335\335\335"
+-	    "\335\335\335\335\335\335\335\335\335\335"
+-	    "\335\335\335\335\335\335\335\335\335\335"
+-	    "\335\335\335\335\335\335\335\335\335\335";
+-	memset(key, 0xaa, 16);
+-	isc_hmacmd5_init(&hmacmd5, key, 16);
+-	memmove(buffer, s, strlen(s));
+-	isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
+-	isc_hmacmd5_sign(&hmacmd5, digest);
+-	print_digest(s, "hmacmd5", digest, 4);
++	if (isc_md5_available()) {
++		s = "abc";
++		isc_md5_init(&md5);
++		memmove(buffer, s, strlen(s));
++		isc_md5_update(&md5, buffer, strlen(s));
++		isc_md5_final(&md5, digest);
++		print_digest(s, "md5", digest, 4);
++
++		/*
++		 * The 3 HMAC-MD5 examples from RFC2104
++		 */
++		s = "Hi There";
++		memset(key, 0x0b, 16);
++		isc_hmacmd5_init(&hmacmd5, key, 16);
++		memmove(buffer, s, strlen(s));
++		isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
++		isc_hmacmd5_sign(&hmacmd5, digest);
++		print_digest(s, "hmacmd5", digest, 4);
++
++		s = "what do ya want for nothing?";
++		strlcpy((char *)key, "Jefe", sizeof(key));
++		isc_hmacmd5_init(&hmacmd5, key, 4);
++		memmove(buffer, s, strlen(s));
++		isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
++		isc_hmacmd5_sign(&hmacmd5, digest);
++		print_digest(s, "hmacmd5", digest, 4);
++
++		s = "\335\335\335\335\335\335\335\335\335\335"
++		    "\335\335\335\335\335\335\335\335\335\335"
++		    "\335\335\335\335\335\335\335\335\335\335"
++		    "\335\335\335\335\335\335\335\335\335\335"
++		    "\335\335\335\335\335\335\335\335\335\335";
++		memset(key, 0xaa, 16);
++		isc_hmacmd5_init(&hmacmd5, key, 16);
++		memmove(buffer, s, strlen(s));
++		isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
++		isc_hmacmd5_sign(&hmacmd5, digest);
++		print_digest(s, "hmacmd5", digest, 4);
++	} else {
++		fprintf(stderr, "Skipping disabled MD5 algorithm\n");
++	}
+ #endif
+ 
+ 	/*
+diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
+index 2a0ee94888..489f4390dc 100644
+--- a/bin/tests/system/tkey/keycreate.c
++++ b/bin/tests/system/tkey/keycreate.c
+@@ -20,6 +20,7 @@
+ #include <isc/entropy.h>
+ #include <isc/hash.h>
+ #include <isc/log.h>
++#include <isc/md5.h>
+ #include <isc/mem.h>
+ #include <isc/print.h>
+ #include <isc/sockaddr.h>
+@@ -142,6 +143,8 @@ sendquery(isc_task_t *task, isc_event_t *event) {
+ 	static char keystr[] = "0123456789ab";
+ 
+ 	isc_event_free(&event);
++	if (isc_md5_available() == ISC_FALSE)
++		CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
+ 
+ 	result = ISC_R_FAILURE;
+ 	if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1)
+diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
+index 7057c318e4..36ee6c7d21 100644
+--- a/bin/tests/system/tkey/keydelete.c
++++ b/bin/tests/system/tkey/keydelete.c
+@@ -225,12 +225,18 @@ main(int argc, char **argv) {
+ 	result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey);
+ 	CHECK("dst_key_fromnamedfile", result);
+ #ifndef PK11_MD5_DISABLE
+-	result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
+-					   DNS_TSIG_HMACMD5_NAME,
+-					   dstkey, ISC_TRUE, NULL, 0, 0,
+-					   mctx, ring, &tsigkey);
+-	dst_key_free(&dstkey);
+-	CHECK("dns_tsigkey_createfromkey", result);
++	if (isc_md5_available()) {
++		result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
++						   DNS_TSIG_HMACMD5_NAME,
++						   dstkey, ISC_TRUE,
++						   NULL, 0, 0,
++						   mctx, ring, &tsigkey);
++		dst_key_free(&dstkey);
++		CHECK("dns_tsigkey_createfromkey", result);
++	} else {
++		dst_key_free(&dstkey);
++		CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
++	}
+ #else
+ 	dst_key_free(&dstkey);
+ 	CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
+diff --git a/lib/bind9/check.c b/lib/bind9/check.c
+index 3da83a7ae2..1a3d534799 100644
+--- a/lib/bind9/check.c
++++ b/lib/bind9/check.c
+@@ -21,6 +21,7 @@
+ #include <isc/file.h>
+ #include <isc/hex.h>
+ #include <isc/log.h>
++#include <isc/md5.h>
+ #include <isc/mem.h>
+ #include <isc/netaddr.h>
+ #include <isc/parseint.h>
+@@ -2572,6 +2573,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
+ 	}
+ 
+ 	algorithm = cfg_obj_asstring(algobj);
++#ifndef PK11_MD5_DISABLE
++	/* Skip hmac-md5* algorithms */
++	if (isc_md5_available() == ISC_FALSE &&
++	    strncasecmp(algorithm, "hmac-md5", 8) == 0) {
++		cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
++			    "disabled algorithm '%s'", algorithm);
++		return (ISC_R_DISABLED);
++	}
++#endif
+ 	for (i = 0; algorithms[i].name != NULL; i++) {
+ 		len = strlen(algorithms[i].name);
+ 		if (strncasecmp(algorithms[i].name, algorithm, len) == 0 &&
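Review bot: The comment `/* Skip hmac-md5* algorithms */` understates what the block does — it logs an error and rejects the key with `ISC_R_DISABLED`, it does not skip to the next table entry; `/* hmac-md5* is refused outright when MD5 is unavailable at runtime */` describes it accurately. `bind9_check_key` starts before the hunk.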
+diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
+index 4f3d6ac55c..dbece0ac56 100644
+--- a/lib/dns/dst_api.c
++++ b/lib/dns/dst_api.c
+@@ -190,6 +190,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+ 	dst_result_register();
+ 
+ 	memset(dst_t_func, 0, sizeof(dst_t_func));
++
++#ifdef OPENSSL
++	RETERR(dst__openssl_init(engine));
++#elif PKCS11CRYPTO
++	RETERR(dst__pkcs11_init(mctx, engine));
++#endif
+ #ifndef PK11_MD5_DISABLE
+ 	RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
+ #endif
+@@ -199,7 +205,6 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+ 	RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
+ 	RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
+ #ifdef OPENSSL
+-	RETERR(dst__openssl_init(engine));
+ #ifndef PK11_MD5_DISABLE
+ 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
+ 				    DST_ALG_RSAMD5));
+@@ -233,14 +238,18 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+ 	RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448]));
+ #endif
+ #elif PKCS11CRYPTO
+-	RETERR(dst__pkcs11_init(mctx, engine));
+ #ifndef PK11_MD5_DISABLE
+-	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5]));
++	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5],
++				   DST_ALG_RSAMD5));
+ #endif
+-	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1]));
+-	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
+-	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256]));
+-	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
++	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1],
++				   DST_ALG_RSASHA1));
++	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
++				   DST_ALG_NSEC3RSASHA1));
++	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256],
++				   DST_ALG_RSASHA256));
++	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512],
++				   DST_ALG_RSASHA512));
+ #ifndef PK11_DSA_DISABLE
+ 	RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA]));
+ 	RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
+diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
+index 640519a5ba..deb7ed4e13 100644
+--- a/lib/dns/dst_internal.h
++++ b/lib/dns/dst_internal.h
+@@ -245,7 +245,8 @@ isc_result_t dst__hmacsha384_init(struct dst_func **funcp);
+ isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
+ isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
+ 				  unsigned char algorithm);
+-isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp);
++isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp,
++				 unsigned char algorithm);
+ #ifndef PK11_DSA_DISABLE
+ isc_result_t dst__openssldsa_init(struct dst_func **funcp);
+ isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp);
+diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
+index b0e5c895c6..03f2b8ace8 100644
+--- a/lib/dns/dst_parse.c
++++ b/lib/dns/dst_parse.c
+@@ -30,6 +30,7 @@
+ #include <isc/file.h>
+ #include <isc/fsaccess.h>
+ #include <isc/lex.h>
++#include <isc/md5.h>
+ #include <isc/mem.h>
+ #include <isc/print.h>
+ #include <isc/stdtime.h>
+@@ -393,6 +394,10 @@ check_data(const dst_private_t *priv, const unsigned int alg,
+ 	switch (alg) {
+ #ifndef PK11_MD5_DISABLE
+ 	case DST_ALG_RSAMD5:
++		if (isc_md5_available())
++			return (check_rsa(priv, external));
++		else
++			return (DST_R_UNSUPPORTEDALG);
+ #endif
+ 	case DST_ALG_RSASHA1:
+ 	case DST_ALG_NSEC3RSASHA1:
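Review bot: `check_data` is consumed as a signed status — the caller in this file's third hunk tests `check < 0` — yet the new `DST_ALG_RSAMD5` arm returns `DST_R_UNSUPPORTEDALG`, an `isc_result_t` that is a large positive value when converted; unless the caller also rejects non-zero positive results (its remaining branches lie outside the hunk), a disabled RSAMD5 private key would pass the check. If the existing `default:` arm (not visible) already uses the same idiom the caller probably copes, but that is worth confirming rather than assuming. The same applies to the `DST_ALG_HMACMD5` arm in the next hunk.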
+@@ -418,7 +423,10 @@ check_data(const dst_private_t *priv, const unsigned int alg,
+ 		return (check_eddsa(priv, external));
+ #ifndef PK11_MD5_DISABLE
+ 	case DST_ALG_HMACMD5:
+-		return (check_hmac_md5(priv, old));
++		if (isc_md5_available())
++			return (check_hmac_md5(priv, old));
++		else
++			return (DST_R_UNSUPPORTEDALG);
+ #endif
+ 	case DST_ALG_HMACSHA1:
+ 		return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg));
+@@ -637,11 +645,13 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
+ 	}
+ 
+ #ifdef PK11_MD5_DISABLE
+-	check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg,
+-			   ISC_TRUE, external);
++	if (alg == DST_ALG_RSA)
++		alg = DST_ALG_RSASHA1;
+ #else
+-	check = check_data(priv, alg, ISC_TRUE, external);
++	if (isc_md5_available() == ISC_FALSE && alg == DST_ALG_RSA)
++		alg = DST_ALG_RSASHA1;
+ #endif
++	check = check_data(priv, alg, ISC_TRUE, external);
+ 	if (check < 0) {
+ 		ret = DST_R_INVALIDPRIVATEKEY;
+ 		goto fail;
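Review bot: The hunk now rewrites the `alg` parameter itself (`alg = DST_ALG_RSASHA1;`), whereas the old code only passed the mapped value to `check_data` and left `alg` as the caller supplied it; every later use of `alg` in `dst__privstruct_parse` (the function continues past the hunk) now sees RSASHA1 instead of DST_ALG_RSA. If that is intended it needs a comment saying so; otherwise keep the mapping local: `unsigned int check_alg = alg;` / `if (... alg == DST_ALG_RSA) check_alg = DST_ALG_RSASHA1;` / `check = check_data(priv, check_alg, ISC_TRUE, external);`.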
+diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
+index 59aa4705e5..21bfa44450 100644
+--- a/lib/dns/hmac_link.c
++++ b/lib/dns/hmac_link.c
+@@ -338,25 +338,17 @@ static dst_func_t hmacmd5_functions = {
+ 
+ isc_result_t
+ dst__hmacmd5_init(dst_func_t **funcp) {
+-#ifdef HAVE_FIPS_MODE
+ 	/*
+-	 * Problems from OpenSSL are likely from FIPS mode
++	 * Prevent use of incorrect crypto
+ 	 */
+-	int fips_mode = FIPS_mode();
+-
+-	if (fips_mode != 0) {
+-		UNEXPECTED_ERROR(__FILE__, __LINE__,
+-				 "FIPS mode is %d: MD5 is only supported "
+-				 "if the value is 0.\n"
+-				 "Please disable either FIPS mode or MD5.",
+-				 fips_mode);
++
++#ifndef PK11_MD5_DISABLE
++	if (isc_md5_available() == ISC_FALSE) {
++		/* Intentionally skip initialization */
++		return (ISC_R_SUCCESS);
+ 	}
+ #endif
+ 
+-	/*
+-	 * Prevent use of incorrect crypto
+-	 */
+-
+ 	RUNTIME_CHECK(isc_md5_check(ISC_FALSE));
+ 	RUNTIME_CHECK(isc_hmacmd5_check(0));
+ 
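Review bot: The `Prevent use of incorrect crypto` comment now sits above an empty line and the `#ifndef PK11_MD5_DISABLE` early return, detached from the two `RUNTIME_CHECK` calls it describes; move it back directly above `RUNTIME_CHECK(isc_md5_check(ISC_FALSE));`. The early return is the load-bearing part of this patch — `*funcp` is left at the zero that `memset(dst_t_func, 0, ...)` in dst_lib_init2 set, which is what makes DST treat HMAC-MD5 as unregistered — and that deserves saying: `/* Leave *funcp NULL so DST reports HMAC-MD5 as unsupported */`. Whether isc_md5_available() covers the FIPS_mode() condition the removed block tested is decided in lib/isc/md5.c, which is not in this excerpt.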
+diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
+index f4847bbe74..126cebca19 100644
+--- a/lib/dns/opensslrsa_link.c
++++ b/lib/dns/opensslrsa_link.c
+@@ -1801,6 +1801,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) {
+ 
+ 	if (*funcp == NULL) {
+ 		switch (algorithm) {
++#ifndef PK11_MD5_DISABLE
++		case DST_ALG_RSAMD5:
++			if (isc_md5_available())
++				*funcp = &opensslrsa_functions;
++			break;
++#endif
+ 		case DST_ALG_RSASHA256:
+ #if defined(HAVE_EVP_SHA256) || !USE_EVP
+ 			*funcp = &opensslrsa_functions;
+diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c
+index 56955203e9..af6008d4dd 100644
+--- a/lib/dns/pkcs11rsa_link.c
++++ b/lib/dns/pkcs11rsa_link.c
+@@ -94,10 +94,15 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
+ #endif
+ 
+ 	/*
+-	 * Reject incorrect RSA key lengths.
++	 * Reject incorrect RSA key lengths or disabled algorithms.
+ 	 */
+ 	switch (dctx->key->key_alg) {
+ 	case DST_ALG_RSAMD5:
++#ifndef PK11_MD5_DISABLE
++		if (isc_md5_available() == ISC_FALSE)
++			return (ISC_R_FAILURE);
++#endif
++		/* FALLTHROUGH */
+ 	case DST_ALG_RSASHA1:
+ 	case DST_ALG_NSEC3RSASHA1:
+ 		/* From RFC 3110 */
+@@ -634,6 +639,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+ 	switch (key->key_alg) {
+ #ifndef PK11_MD5_DISABLE
+ 	case DST_ALG_RSAMD5:
++		if (isc_md5_available() == ISC_FALSE)
++			return (ISC_R_FAILURE);
++	
+ 		mech.mechanism = CKM_MD5;
+ 		break;
+ #endif
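Review bot: The blank line inserted before `mech.mechanism = CKM_MD5;` carries a trailing tab, while the parallel `pkcs11rsa_sign` and `pkcs11rsa_verify` hunks below use a clean empty line. `ISC_R_FAILURE` is also the most generic code available for "algorithm disabled", here and in those two hunks, whereas lib/dns/dst_parse.c in this same patch reports `DST_R_UNSUPPORTEDALG` for the same condition; returning the DST code in all three places keeps the failure distinguishable from a token or mechanism error. `pkcs11rsa_createctx` starts and ends outside the hunk.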
+@@ -790,6 +798,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+ 	switch (key->key_alg) {
+ #ifndef PK11_MD5_DISABLE
+ 	case DST_ALG_RSAMD5:
++		if (isc_md5_available() == ISC_FALSE)
++			return (ISC_R_FAILURE);
++
+ 		der = md5_der;
+ 		derlen = sizeof(md5_der);
+ 		hashlen = ISC_MD5_DIGESTLENGTH;
+@@ -1014,6 +1025,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ 	switch (key->key_alg) {
+ #ifndef PK11_MD5_DISABLE
+ 	case DST_ALG_RSAMD5:
++		if (isc_md5_available() == ISC_FALSE)
++			return (ISC_R_FAILURE);
++
+ 		der = md5_der;
+ 		derlen = sizeof(md5_der);
+ 		hashlen = ISC_MD5_DIGESTLENGTH;
+@@ -2217,11 +2231,22 @@ static dst_func_t pkcs11rsa_functions = {
+ };
+ 
+ isc_result_t
+-dst__pkcs11rsa_init(dst_func_t **funcp) {
++dst__pkcs11rsa_init(dst_func_t **funcp, unsigned char algorithm) {
+ 	REQUIRE(funcp != NULL);
+ 
+-	if (*funcp == NULL)
+-		*funcp = &pkcs11rsa_functions;
++	if (*funcp == NULL) {
++		switch (algorithm) {
++#ifndef PK11_MD5_DISABLE
++			case DST_ALG_RSAMD5:
++				if (isc_md5_available())
++					*funcp = &pkcs11rsa_functions;
++				break;
++#endif
++			default:
++				*funcp = &pkcs11rsa_functions;
++				break;
++		}
++	}
+ 	return (ISC_R_SUCCESS);
+ }
+ 
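Review bot: In `dst__pkcs11rsa_init` the `case` and `default` labels are indented one level deeper than the `switch`, unlike the otherwise parallel `dst__opensslrsa_init` in lib/dns/opensslrsa_link.c earlier in this patch, which puts `case` at the `switch` column; align them to the file's existing style. Leaving `*funcp` NULL for a disabled RSAMD5 is the intended signal, so a one-line comment on that `break;` — `/* leave *funcp NULL: RSAMD5 stays unregistered */` — would stop the next reader from treating it as a missed assignment.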
+diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
+index 937d8fc1ec..d1fa8d5870 100644
+--- a/lib/dns/rcode.c
++++ b/lib/dns/rcode.c
+@@ -14,6 +14,7 @@
+ #include <ctype.h>
+ 
+ #include <isc/buffer.h>
++#include <isc/md5.h>
+ #include <isc/parseint.h>
+ #include <isc/print.h>
+ #include <isc/region.h>
+@@ -347,17 +348,33 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
+ 	return (dns_mnemonic_totext(cert, target, certs));
+ }
+ 
++static inline struct tbl *
++secalgs_tbl_start() {
++	struct tbl *algs = secalgs;
++
++#ifndef PK11_MD5_DISABLE
++	if (isc_md5_available() == ISC_FALSE) {
++		while (algs->name != NULL &&
++		       algs->value == DNS_KEYALG_RSAMD5)
++			++algs;
++	}
++#endif
++	return algs;
++}
++
+ isc_result_t
+ dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
+ 	unsigned int value;
+-	RETERR(dns_mnemonic_fromtext(&value, source, secalgs, 0xff));
++
++	RETERR(dns_mnemonic_fromtext(&value, source,
++	                             secalgs_tbl_start(), 0xff));
+ 	*secalgp = value;
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+ isc_result_t
+ dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
+-	return (dns_mnemonic_totext(secalg, target, secalgs));
++	return (dns_mnemonic_totext(secalg, target, secalgs_tbl_start()));
+ }
+ 
+ void
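Review bot: `dns_secalg_totext` now also starts from `secalgs_tbl_start()`, so with MD5 unavailable an algorithm value of 1 found in existing data (key files, DNSKEY or DS output) presumably falls back to the numeric form instead of `RSAMD5`; rendering a name does not exercise MD5, so the filter arguably belongs in `dns_secalg_fromtext` only, with `dns_secalg_totext` keeping `secalgs`. The continuation line `secalgs_tbl_start(), 0xff));` is indented with a tab followed by spaces while the rest of the file aligns with tabs. The empty parameter list on `secalgs_tbl_start()` is raised on bin/named/config.c.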
+diff --git a/lib/dns/tests/rsa_test.c b/lib/dns/tests/rsa_test.c
+index 224cf5b475..44040dd8b7 100644
+--- a/lib/dns/tests/rsa_test.c
++++ b/lib/dns/tests/rsa_test.c
+@@ -19,6 +19,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ 
++#include <isc/md5.h>
+ #include <isc/util.h>
+ #include <isc/print.h>
+ 
+@@ -225,23 +226,25 @@ ATF_TC_BODY(isc_rsa_verify, tc) {
+ 	/* RSAMD5 */
+ 
+ #ifndef PK11_MD5_DISABLE
+-	key->key_alg = DST_ALG_RSAMD5;
++	if (isc_md5_available()) {
++		key->key_alg = DST_ALG_RSAMD5;
+ 
+-	ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC,
+-				  ISC_FALSE, &ctx);
+-	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
++		ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC,
++					  ISC_FALSE, &ctx);
++		ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+ 
+-	r.base = d;
+-	r.length = 10;
+-	ret = dst_context_adddata(ctx, &r);
+-	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
++		r.base = d;
++		r.length = 10;
++		ret = dst_context_adddata(ctx, &r);
++		ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+ 
+-	r.base = sigmd5;
+-	r.length = 256;
+-	ret = dst_context_verify(ctx, &r);
+-	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
++		r.base = sigmd5;
++		r.length = 256;
++		ret = dst_context_verify(ctx, &r);
++		ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+ 
+-	dst_context_destroy(&ctx);
++		dst_context_destroy(&ctx);
++	}
+ #endif
+ 
+ 	/* RSASHA256 */
+diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c
+index ee025c2387..c403d9954d 100644
+--- a/lib/dns/tests/tsig_test.c
++++ b/lib/dns/tests/tsig_test.c
+@@ -14,6 +14,7 @@
+ #include <config.h>
+ #include <atf-c.h>
+ 
++#include <isc/md5.h>
+ #include <isc/mem.h>
+ #include <isc/print.h>
+ 
+diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
+index d9f68e50b1..a8edde47b5 100644
+--- a/lib/dns/tkey.c
++++ b/lib/dns/tkey.c
+@@ -242,6 +242,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
+ 	unsigned char digests[32];
+ 	unsigned int i;
+ 
++	if (isc_md5_available() == ISC_FALSE)
++		return (ISC_R_NOTIMPLEMENTED);
++
+ 	isc_buffer_usedregion(shared, &r);
+ 
+ 	/*
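Review bot: The `isc_md5_available()` check added at the top of compute_secret is not wrapped in `#ifndef PK11_MD5_DISABLE`, unlike the one added to process_dhtkey in the next hunk, and the lib/isc/include/isc/md5.h hunk below declares the function only inside that guard; unless compute_secret is itself compiled only when MD5 is enabled (its start is outside this hunk), a PK11_MD5_DISABLE build ends up with an implicit declaration here. Either guard this check the same way as in process_dhtkey, or move the prototype in md5.h below its `#endif` and provide an ISC_FALSE definition for the disabled build so every caller can use it unconditionally. compute_secret's body continues beyond the hunk.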
+@@ -318,6 +321,12 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
+ 	}
+ 
+ #ifndef PK11_MD5_DISABLE
++	if (isc_md5_available() == ISC_FALSE) {
++		tkey_log("process_dhtkey: MD5 was disabled");
++		tkeyout->error = dns_tsigerror_badalg;
++		return (ISC_R_SUCCESS);
++	}
++
+ 	if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
+ 		tkey_log("process_dhtkey: algorithms other than "
+ 			 "hmac-md5 are not supported");
+diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c
+index a367291f23..37baad7437 100644
+--- a/lib/dns/tsec.c
++++ b/lib/dns/tsec.c
+@@ -11,6 +11,7 @@
+ 
+ #include <config.h>
+ 
++#include <isc/md5.h>
+ #include <isc/mem.h>
+ #include <isc/util.h>
+ 
+@@ -63,7 +64,12 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
+ 		switch (dst_key_alg(key)) {
+ #ifndef PK11_MD5_DISABLE
+ 		case DST_ALG_HMACMD5:
+-			algname = dns_tsig_hmacmd5_name;
++			if (isc_md5_available()) {
++				algname = dns_tsig_hmacmd5_name;
++			} else {
++				isc_mem_put(mctx, tsec, sizeof(*tsec));
++				return (DNS_R_BADALG);
++			}
+ 			break;
+ #endif
+ 		case DST_ALG_HMACSHA1:
+diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
+index bdcc581bc3..70805bb709 100644
+--- a/lib/dns/tsig.c
++++ b/lib/dns/tsig.c
+@@ -270,7 +270,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
+ 	(void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
+ 
+ #ifndef PK11_MD5_DISABLE
+-	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
++	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) &&
++	    isc_md5_available()) {
+ 		tkey->algorithm = DNS_TSIG_HMACMD5_NAME;
+ 		if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) {
+ 			ret = DNS_R_BADALG;
+@@ -496,7 +497,8 @@ destroyring(dns_tsig_keyring_t *ring) {
+ static unsigned int
+ dst_alg_fromname(dns_name_t *algorithm) {
+ #ifndef PK11_MD5_DISABLE
+-	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
++	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) &&
++	    isc_md5_available()) {
+ 		return (DST_ALG_HMACMD5);
+ 	} else
+ #endif
+@@ -680,7 +682,8 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
+ 		REQUIRE(secret != NULL);
+ 
+ #ifndef PK11_MD5_DISABLE
+-	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
++	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) &&
++	    isc_md5_available()) {
+ 		if (secret != NULL) {
+ 			isc_buffer_t b;
+ 
+@@ -1280,7 +1283,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ 		return (ret);
+ 	if (
+ #ifndef PK11_MD5_DISABLE
+-	    alg == DST_ALG_HMACMD5 ||
++	    (alg == DST_ALG_HMACMD5 && isc_md5_available()) ||
+ #endif
+ 	    alg == DST_ALG_HMACSHA1 ||
+ 	    alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
+@@ -1449,7 +1452,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ 
+ 	if (
+ #ifndef PK11_MD5_DISABLE
+-	    alg == DST_ALG_HMACMD5 ||
++	    (alg == DST_ALG_HMACMD5 && isc_md5_available()) ||
+ #endif
+ 	    alg == DST_ALG_HMACSHA1 ||
+ 	    alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
+@@ -1590,7 +1593,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
+ 			goto cleanup_querystruct;
+ 		if (
+ #ifndef PK11_MD5_DISABLE
+-			alg == DST_ALG_HMACMD5 ||
++			(alg == DST_ALG_HMACMD5 && isc_md5_available()) ||
+ #endif
+ 			alg == DST_ALG_HMACSHA1 ||
+ 			alg == DST_ALG_HMACSHA224 ||
+@@ -1769,7 +1772,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
+ 			goto cleanup_context;
+ 		if (
+ #ifndef PK11_MD5_DISABLE
+-			alg == DST_ALG_HMACMD5 ||
++			(alg == DST_ALG_HMACMD5 && isc_md5_available()) ||
+ #endif
+ 			alg == DST_ALG_HMACSHA1 ||
+ 			alg == DST_ALG_HMACSHA224 ||
+diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h
+index e5f46dd9c7..9d11f9f8b6 100644
+--- a/lib/isc/include/isc/md5.h
++++ b/lib/isc/include/isc/md5.h
+@@ -89,6 +89,9 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest);
+ isc_boolean_t
+ isc_md5_check(isc_boolean_t testing);
+ 
++isc_boolean_t
++isc_md5_available(void);
++
+ ISC_LANG_ENDDECLS
+ 
+ #endif /* !PK11_MD5_DISABLE */
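Review bot: The new `isc_md5_available` prototype carries no doc comment, so a reader cannot tell from the header that it is a cached runtime probe of the crypto backend rather than a compile-time property, nor that it can return ISC_FALSE in a build where PK11_MD5_DISABLE is not defined. Suggest adding above the declaration: `/*%< Returns ISC_TRUE if the crypto backend can initialise an MD5 digest at runtime (e.g. not blocked by FIPS mode); the probe runs once and the result is cached. */`.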
+diff --git a/lib/isc/md5.c b/lib/isc/md5.c
+index 740d863b1b..aefd16478f 100644
+--- a/lib/isc/md5.c
++++ b/lib/isc/md5.c
+@@ -35,6 +35,7 @@
+ 
+ #include <isc/assertions.h>
+ #include <isc/md5.h>
++#include <isc/once.h>
+ #include <isc/platform.h>
+ #include <isc/safe.h>
+ #include <isc/string.h>
+@@ -53,6 +54,9 @@
+ #define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
+ #endif
+ 
++static isc_once_t available_once = ISC_ONCE_INIT;
++static isc_boolean_t available = ISC_FALSE;
++
+ void
+ isc_md5_init(isc_md5_t *ctx) {
+ 	ctx->ctx = EVP_MD_CTX_new();
+@@ -84,8 +88,33 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
+ 	ctx->ctx = NULL;
+ }
+ 
++static void
++do_detect_available() {
++	isc_md5_t local;
++	isc_md5_t *ctx = &local;
++	unsigned char digest[ISC_MD5_DIGESTLENGTH];
++
++	ctx->ctx = EVP_MD_CTX_new();
++	RUNTIME_CHECK(ctx->ctx != NULL);
++	available = ISC_TF(EVP_DigestInit(ctx->ctx, EVP_md5()) == 1);
++	if (available)
++		(void)EVP_DigestFinal(ctx->ctx, digest, NULL);
++	EVP_MD_CTX_free(ctx->ctx);
++	ctx->ctx = NULL;
++}
++
++isc_boolean_t
++isc_md5_available() {
++	RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available)
++		      == ISC_R_SUCCESS);
++	return available;
++}
++
+ #elif PKCS11CRYPTO
+ 
++static isc_once_t available_once = ISC_ONCE_INIT;
++static isc_boolean_t available = ISC_FALSE;
++
+ void
+ isc_md5_init(isc_md5_t *ctx) {
+ 	CK_RV rv;
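Review bot: In do_detect_available, a failed `EVP_DigestInit` (the expected outcome in FIPS mode) leaves an entry on this thread's OpenSSL error queue and nothing here drains it, so the next code path on the same thread that reports OpenSSL errors may attribute the stale entry to an unrelated operation; add `ERR_clear_error();` right after the `available` assignment (confirm `<openssl/err.h>` is in scope in this file). Both `do_detect_available()` definitions and all three `isc_md5_available()` definitions in this file use old-style empty parameter lists while the header declares `isc_md5_available(void)`; use `(void)` in the definitions so prototype and definition agree. The `digest` buffer is only written, never read; a short comment such as `/* output discarded: we only probe whether the digest can be initialised */` would make that intentional.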
+@@ -128,6 +157,31 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
+ 	pk11_return_session(ctx);
+ }
+ 
++static void
++do_detect_available() {
++	isc_md5_t local;
++	isc_md5_t *ctx = &local;
++	CK_RV rv;
++	CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
++
++	if (pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
++				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS)
++	{
++		rv = pkcs_C_DigestInit(ctx->session, &mech);
++		isc_md5_invalidate(ctx);
++		available = (ISC_TF(rv == CKR_OK));
++	} else {
++		available = ISC_FALSE;
++	}
++}
++
++isc_boolean_t
++isc_md5_available() {
++	RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available)
++		      == ISC_R_SUCCESS);
++	return available;
++}
++
+ #else
+ 
+ static void
+@@ -337,6 +391,11 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
+ 	memmove(digest, ctx->buf, 16);
+ 	isc_safe_memwipe(ctx, sizeof(*ctx));	/* In case it's sensitive */
+ }
++
++isc_boolean_t
++isc_md5_available() {
++	return ISC_TRUE;
++}
+ #endif
+ 
+ /*
+diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
+index fc75a46154..48e1031974 100644
+--- a/lib/isc/pk11.c
++++ b/lib/isc/pk11.c
+@@ -191,13 +191,12 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) {
+ 	LOCK(&alloclock);
+ 	if ((mctx != NULL) && (pk11_mctx == NULL) && (allocsize == 0))
+ 		isc_mem_attach(mctx, &pk11_mctx);
++	UNLOCK(&alloclock);
++
++	LOCK(&sessionlock);
+ 	if (initialized) {
+-		UNLOCK(&alloclock);
+-		return (ISC_R_SUCCESS);
+-	} else {
+-		LOCK(&sessionlock);
+-		initialized = ISC_TRUE;
+-		UNLOCK(&alloclock);
++		result = ISC_R_SUCCESS;
++		goto unlock;
+ 	}
+ 
+ 	ISC_LIST_INIT(tokens);
+@@ -237,6 +236,7 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) {
+ 	}
+ #endif
+ #endif /* PKCS11CRYPTO */
++	initialized = ISC_TRUE;
+ 	result = ISC_R_SUCCESS;
+  unlock:
+ 	UNLOCK(&sessionlock);
+@@ -273,9 +273,14 @@ pk11_finalize(void) {
+ 		pk11_mem_put(token, sizeof(*token));
+ 		token = next;
+ 	}
++	LOCK(&alloclock);
+ 	if (pk11_mctx != NULL)
+ 		isc_mem_detach(&pk11_mctx);
++	UNLOCK(&alloclock);
++
++	LOCK(&sessionlock);
+ 	initialized = ISC_FALSE;
++	UNLOCK(&sessionlock);
+ 	return (ret);
+ }
+ 
+@@ -589,6 +594,8 @@ scan_slots(void) {
+ 	pk11_token_t *token;
+ 	unsigned int i;
+ 	isc_boolean_t bad;
++	unsigned int best_rsa_algorithms = 0;
++	unsigned int best_digest_algorithms = 0;
+ 
+ 	slotCount = 0;
+ 	PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount));
+@@ -601,6 +608,8 @@ scan_slots(void) {
+ 	PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount));
+ 
+ 	for (i = 0; i < slotCount; i++) {
++		unsigned int rsa_algorithms = 0;
++		unsigned int digest_algorithms = 0;
+ 		slot = slotList[i];
+ 		PK11_TRACE2("slot#%u=0x%lx\n", i, slot);
+ 
+@@ -640,11 +649,12 @@ scan_slots(void) {
+ 		if ((rv != CKR_OK) ||
+ 		    ((mechInfo.flags & CKF_SIGN) == 0) ||
+ 		    ((mechInfo.flags & CKF_VERIFY) == 0)) {
+-#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE)
+-			bad = ISC_TRUE;
+-#endif
+ 			PK11_TRACEM(CKM_MD5_RSA_PKCS);
+ 		}
++#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE)
++		else
++			++rsa_algorithms;
++#endif
+ 		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS,
+ 					     &mechInfo);
+ 		if ((rv != CKR_OK) ||
+@@ -687,8 +697,14 @@ scan_slots(void) {
+ 		if (bad)
+ 			goto try_dsa;
+ 		token->operations |= 1 << OP_RSA;
+-		if (best_rsa_token == NULL)
++		if (best_rsa_token == NULL) {
++			best_rsa_token = token;
++			best_rsa_algorithms = rsa_algorithms;
++		} else if (rsa_algorithms > best_rsa_algorithms) {
++			pk11_mem_put(best_rsa_token, sizeof(*best_rsa_token));
+ 			best_rsa_token = token;
++			best_rsa_algorithms = rsa_algorithms;
++		}
+ 
+ 	try_dsa:
+ 		bad = ISC_FALSE;
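Review bot: `pk11_mem_put(best_rsa_token, sizeof(*best_rsa_token))`, executed when a slot with more RSA mechanisms replaces the current best, frees a token that this hunk gives no reason to believe is owned by `best_rsa_token` alone: pk11_finalize (the @@ -273 hunk above) walks the `tokens` list and frees every element, and the same token may also be held by rand_token or the other best_*_token pointers, so if the token was linked into `tokens` when it was created (outside this hunk) this becomes a dangling list entry and a double free at shutdown. The token's lifetime belongs to the list; just re-point it with `best_rsa_token = token;` and drop the `pk11_mem_put` line. The same applies to the `pk11_mem_put(digest_token, ...)` in the @@ -830 hunk below.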
+@@ -756,11 +772,12 @@ scan_slots(void) {
+ 		bad = ISC_FALSE;
+ 		rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo);
+ 		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+-#ifndef PK11_MD5_DISABLE
+-			bad = ISC_TRUE;
+-#endif
+ 			PK11_TRACEM(CKM_MD5);
+ 		}
++#ifndef PK11_MD5_DISABLE
++		else
++			++digest_algorithms;
++#endif
+ 		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1, &mechInfo);
+ 		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+ 			bad = ISC_TRUE;
+@@ -788,11 +805,12 @@ scan_slots(void) {
+ 		}
+ 		rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo);
+ 		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+-#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE)
+-			bad = ISC_TRUE;
+-#endif
+ 			PK11_TRACEM(CKM_MD5_HMAC);
+ 		}
++#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE)
++		else
++			++digest_algorithms;
++#endif
+ 		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo);
+ 		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+ #ifndef PK11_SHA_1_HMAC_REPLACE
+@@ -830,8 +848,14 @@ scan_slots(void) {
+ 		}
+ 		if (!bad) {
+ 			token->operations |= 1 << OP_DIGEST;
+-			if (digest_token == NULL)
++			if (digest_token == NULL) {
++				digest_token = token;
++				best_digest_algorithms = digest_algorithms;
++			} else if (digest_algorithms > best_digest_algorithms) {
++				pk11_mem_put(digest_token, sizeof(*digest_token));
+ 				digest_token = token;
++				best_digest_algorithms = digest_algorithms;
++			}
+ 		}
+ 
+ 		/* ECDSA requires digest */
+diff --git a/lib/isc/tests/hash_test.c b/lib/isc/tests/hash_test.c
+index 18759903be..6bc45b1ad3 100644
+--- a/lib/isc/tests/hash_test.c
++++ b/lib/isc/tests/hash_test.c
+@@ -2008,7 +2008,8 @@ ATF_TP_ADD_TCS(tp) {
+ 	 * various cryptographic hashes.
+ 	 */
+ #ifndef PK11_MD5_DISABLE
+-	ATF_TP_ADD_TC(tp, md5_check);
++	if (isc_md5_available())
++		ATF_TP_ADD_TC(tp, md5_check);
+ #endif
+ 	ATF_TP_ADD_TC(tp, sha1_check);
+ 
+@@ -2016,7 +2017,8 @@ ATF_TP_ADD_TCS(tp) {
+ 	ATF_TP_ADD_TC(tp, isc_hash_function_reverse);
+ 	ATF_TP_ADD_TC(tp, isc_hash_initializer);
+ #ifndef PK11_MD5_DISABLE
+-	ATF_TP_ADD_TC(tp, isc_hmacmd5);
++	if (isc_md5_available())
++		ATF_TP_ADD_TC(tp, isc_hmacmd5);
+ #endif
+ 	ATF_TP_ADD_TC(tp, isc_hmacsha1);
+ 	ATF_TP_ADD_TC(tp, isc_hmacsha224);
+@@ -2024,7 +2026,8 @@ ATF_TP_ADD_TCS(tp) {
+ 	ATF_TP_ADD_TC(tp, isc_hmacsha384);
+ 	ATF_TP_ADD_TC(tp, isc_hmacsha512);
+ #ifndef PK11_MD5_DISABLE
+-	ATF_TP_ADD_TC(tp, isc_md5);
++	if (isc_md5_available())
++		ATF_TP_ADD_TC(tp, isc_md5);
+ #endif
+ 	ATF_TP_ADD_TC(tp, isc_sha1);
+ 	ATF_TP_ADD_TC(tp, isc_sha224);
+diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
+index 7225ab4a37..42b30466be 100644
+--- a/lib/isccc/cc.c
++++ b/lib/isccc/cc.c
+@@ -270,11 +270,15 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac,
+ 	switch (algorithm) {
+ #ifndef PK11_MD5_DISABLE
+ 	case ISCCC_ALG_HMACMD5:
+-		isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
+-				 REGION_SIZE(*secret));
+-		isc_hmacmd5_update(&ctx.hmd5, data, length);
+-		isc_hmacmd5_sign(&ctx.hmd5, digest);
+-		source.rend = digest + ISC_MD5_DIGESTLENGTH;
++		if (isc_md5_available()) {
++			isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
++					 REGION_SIZE(*secret));
++			isc_hmacmd5_update(&ctx.hmd5, data, length);
++			isc_hmacmd5_sign(&ctx.hmd5, digest);
++			source.rend = digest + ISC_MD5_DIGESTLENGTH;
++		} else {
++			return (ISC_R_FAILURE);
++		}
+ 		break;
+ #endif
+ 
+@@ -348,14 +352,18 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer,
+ {
+ 	unsigned int hmac_base, signed_base;
+ 	isc_result_t result;
++	const isc_boolean_t md5 = ISC_TF(algorithm == ISCCC_ALG_HMACMD5);
+ 
+ #ifndef PK11_MD5_DISABLE
++	if (md5 && isc_md5_available() == ISC_FALSE)
++		return (ISC_R_NOTIMPLEMENTED);
++
+ 	result = isc_buffer_reserve(buffer,
+-				    4 + ((algorithm == ISCCC_ALG_HMACMD5) ?
++				    4 + ((md5) ?
+ 					 sizeof(auth_hmd5) :
+ 					 sizeof(auth_hsha)));
+ #else
+-	if (algorithm == ISCCC_ALG_HMACMD5)
++	if (md5)
+ 		return (ISC_R_NOTIMPLEMENTED);
+ 	result = isc_buffer_reserve(buffer, 4 + sizeof(auth_hsha));
+ #endif
+@@ -374,7 +382,7 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer,
+ 		 * we know what it is.
+ 		 */
+ #ifndef PK11_MD5_DISABLE
+-		if (algorithm == ISCCC_ALG_HMACMD5) {
++		if (md5) {
+ 			hmac_base = (*buffer)->used + HMD5_OFFSET;
+ 			isc_buffer_putmem(*buffer,
+ 					  auth_hmd5, sizeof(auth_hmd5));
+@@ -440,7 +448,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
+ 	if (!isccc_alist_alistp(_auth))
+ 		return (ISC_R_FAILURE);
+ #ifndef PK11_MD5_DISABLE
+-	if (algorithm == ISCCC_ALG_HMACMD5)
++	if (algorithm == ISCCC_ALG_HMACMD5 && isc_md5_available())
+ 		hmac = isccc_alist_lookup(_auth, "hmd5");
+ 	else
+ #endif
+@@ -455,12 +463,16 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
+ 	switch (algorithm) {
+ #ifndef PK11_MD5_DISABLE
+ 	case ISCCC_ALG_HMACMD5:
+-		isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
+-				 REGION_SIZE(*secret));
+-		isc_hmacmd5_update(&ctx.hmd5, data, length);
+-		isc_hmacmd5_sign(&ctx.hmd5, digest);
+-		source.rend = digest + ISC_MD5_DIGESTLENGTH;
+-		break;
++		if (isc_md5_available()) {
++			isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
++					 REGION_SIZE(*secret));
++			isc_hmacmd5_update(&ctx.hmd5, data, length);
++			isc_hmacmd5_sign(&ctx.hmd5, digest);
++			source.rend = digest + ISC_MD5_DIGESTLENGTH;
++			break;
++		} else {
++			return (ISC_R_FAILURE);
++		}
+ #endif
+ 
+ 	case ISCCC_ALG_HMACSHA1:
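Review bot: In the verify switch the `break` for ISCCC_ALG_HMACMD5 sits inside the `if (isc_md5_available())` branch while the `else` returns, which differs from the sign hunk above where `break;` follows the if/else; mirroring that shape keeps the two cases identical and spares a reader from checking that no path can fall into ISCCC_ALG_HMACSHA1. Move `break;` after the closing brace of the else, as in sign.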
+-- 
+2.14.4
+
diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch
new file mode 100644
index 0000000..f7a998d
--- /dev/null
+++ b/bind-9.11-fips-tests.patch
@@ -0,0 +1,1781 @@
+From 35b53607724ec4b5d4060385218c39ccd0d78a4d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 2 Aug 2018 23:46:45 +0200
+Subject: [PATCH 2/2] Squashed commit of the following:
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Wed Mar 7 20:35:13 2018 +0100
+
+    Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available.
+
+commit ab303db70082db76ecf36493d0b82ef3e8750cad
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Wed Mar 7 18:11:10 2018 +0100
+
+    Changed root key to be RSASHA256
+
+    Change bad trusted key to be the same algorithm.
+
+commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Wed Mar 7 16:56:17 2018 +0100
+
+    Change used key to not use hmac-md5
+
+    Fix upforwd test, do not use hmac-md5
+
+commit aec891571626f053acfb4d0a247240cbc21a84e9
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Wed Mar 7 15:54:11 2018 +0100
+
+    Increase bitsize of DSA key to pass FIPS 140-2 mode.
+
+commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Wed Mar 7 15:41:08 2018 +0100
+
+    Fix tsig and rndc tests for disabled md5
+
+    Use hmac-sha256 instead of hmac-md5.
+
+commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Wed Mar 7 13:21:00 2018 +0100
+
+    Add md5 availability detection to featuretest
+
+commit f389a918803e2853e4b55fed62765dc4a492e34f
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Wed Mar 7 10:44:23 2018 +0100
+
+    Change tests to not use hmac-md5 algorithms if not required
+
+    Use hmac-sha256 instead of default hmac-md5 for allow-query
+---
+ bin/tests/system/acl/ns2/named1.conf.in          |  4 +-
+ bin/tests/system/acl/ns2/named2.conf.in          |  4 +-
+ bin/tests/system/acl/ns2/named3.conf.in          |  6 +--
+ bin/tests/system/acl/ns2/named4.conf.in          |  4 +-
+ bin/tests/system/acl/ns2/named5.conf.in          |  4 +-
+ bin/tests/system/acl/tests.sh                    | 32 +++++------
+ bin/tests/system/allow-query/ns2/named10.conf.in |  2 +-
+ bin/tests/system/allow-query/ns2/named11.conf.in |  4 +-
+ bin/tests/system/allow-query/ns2/named12.conf.in |  2 +-
+ bin/tests/system/allow-query/ns2/named30.conf.in |  2 +-
+ bin/tests/system/allow-query/ns2/named31.conf.in |  4 +-
+ bin/tests/system/allow-query/ns2/named32.conf.in |  2 +-
+ bin/tests/system/allow-query/ns2/named40.conf.in |  4 +-
+ bin/tests/system/allow-query/tests.sh            | 18 +++----
+ bin/tests/system/catz/ns1/named.conf.in          |  2 +-
+ bin/tests/system/catz/ns2/named.conf.in          |  2 +-
+ bin/tests/system/checkconf/bad-tsig.conf         |  2 +-
+ bin/tests/system/checkconf/good.conf             |  2 +-
+ bin/tests/system/digdelv/ns2/example.db          | 15 +++---
+ bin/tests/system/digdelv/tests.sh                | 28 +++++-----
+ bin/tests/system/dlv/ns1/sign.sh                 |  4 +-
+ bin/tests/system/dlv/ns2/sign.sh                 |  4 +-
+ bin/tests/system/dlv/ns3/sign.sh                 | 69 ++++++++++++------------
+ bin/tests/system/dlv/ns6/sign.sh                 | 66 ++++++++++++-----------
+ bin/tests/system/dnssec/ns1/sign.sh              |  4 +-
+ bin/tests/system/dnssec/ns2/sign.sh              | 12 ++---
+ bin/tests/system/dnssec/ns3/sign.sh              | 20 +++----
+ bin/tests/system/dnssec/ns5/trusted.conf.bad     |  2 +-
+ bin/tests/system/dnssec/tests.sh                 |  8 +--
+ bin/tests/system/feature-test.c                  | 14 +++++
+ bin/tests/system/filter-aaaa/ns1/sign.sh         |  4 +-
+ bin/tests/system/filter-aaaa/ns4/sign.sh         |  4 +-
+ bin/tests/system/notify/ns5/named.conf.in        |  6 +--
+ bin/tests/system/notify/tests.sh                 |  6 +--
+ bin/tests/system/nsupdate/ns1/named.conf.in      |  2 +-
+ bin/tests/system/nsupdate/ns2/named.conf.in      |  2 +-
+ bin/tests/system/nsupdate/setup.sh               |  7 ++-
+ bin/tests/system/nsupdate/tests.sh               | 11 +++-
+ bin/tests/system/rndc/setup.sh                   |  2 +-
+ bin/tests/system/rndc/tests.sh                   | 23 ++++----
+ bin/tests/system/tsig/clean.sh                   |  1 +
+ bin/tests/system/tsig/ns1/named.conf.in          | 10 +---
+ bin/tests/system/tsig/ns1/rndc5.conf.in          | 11 ++++
+ bin/tests/system/tsig/setup.sh                   |  4 ++
+ bin/tests/system/tsig/tests.sh                   | 67 ++++++++++++++---------
+ bin/tests/system/tsiggss/setup.sh                |  2 +-
+ bin/tests/system/upforwd/ns1/named.conf.in       |  2 +-
+ bin/tests/system/upforwd/tests.sh                |  2 +-
+ 48 files changed, 287 insertions(+), 225 deletions(-)
+ create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
+
+diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
+index 0ea6502708..026db3f134 100644
+--- a/bin/tests/system/acl/ns2/named1.conf.in
++++ b/bin/tests/system/acl/ns2/named1.conf.in
+@@ -33,12 +33,12 @@ options {
+ };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key two {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
+index b877880554..d8f50be255 100644
+--- a/bin/tests/system/acl/ns2/named2.conf.in
++++ b/bin/tests/system/acl/ns2/named2.conf.in
+@@ -33,12 +33,12 @@ options {
+ };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key two {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
+index 0a950622a2..aa54088138 100644
+--- a/bin/tests/system/acl/ns2/named3.conf.in
++++ b/bin/tests/system/acl/ns2/named3.conf.in
+@@ -33,17 +33,17 @@ options {
+ };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key two {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key three {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
+index 7cdcb6e341..606a3452d8 100644
+--- a/bin/tests/system/acl/ns2/named4.conf.in
++++ b/bin/tests/system/acl/ns2/named4.conf.in
+@@ -33,12 +33,12 @@ options {
+ };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key two {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
+index 4b4e05027a..0e679a821d 100644
+--- a/bin/tests/system/acl/ns2/named5.conf.in
++++ b/bin/tests/system/acl/ns2/named5.conf.in
+@@ -34,12 +34,12 @@ options {
+ };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key two {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
+index 09f31f2bb9..f88f0d4430 100644
+--- a/bin/tests/system/acl/tests.sh
++++ b/bin/tests/system/acl/tests.sh
+@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
+ # key "one" should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+ 
+ 
+ # any other key should be fine
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+ 
+ copy_setports ns2/named2.conf.in ns2/named.conf
+@@ -39,18 +39,18 @@ sleep 5
+ # prefix 10/8 should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+ 
+ # any other address should work, as long as it sends key "one"
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+ 
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+ 
+ echo_i "testing nested ACL processing"
+@@ -62,31 +62,31 @@ sleep 5
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+ 
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+ 
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+ 
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+ 
+ # but only one or the other should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+ 
+ t=`expr $t + 1`
+@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
+ # and other values? right out
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+ 
+ # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
+@@ -108,31 +108,31 @@ sleep 5
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+ 
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+ 
+ # should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+ 
+ # should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+ 
+ # should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+ 
+ echo_i "testing allow-query-on ACL processing"
+diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
+index 1569913b37..e9c5c2d574 100644
+--- a/bin/tests/system/allow-query/ns2/named10.conf.in
++++ b/bin/tests/system/allow-query/ns2/named10.conf.in
+@@ -12,7 +12,7 @@
+ controls { /* empty */ };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
+index 18ac91c6e7..2b1c8739d8 100644
+--- a/bin/tests/system/allow-query/ns2/named11.conf.in
++++ b/bin/tests/system/allow-query/ns2/named11.conf.in
+@@ -12,12 +12,12 @@
+ controls { /* empty */ };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key two {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234efgh8765";
+ };
+ 
+diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
+index b8248444dd..dd48945bf8 100644
+--- a/bin/tests/system/allow-query/ns2/named12.conf.in
++++ b/bin/tests/system/allow-query/ns2/named12.conf.in
+@@ -12,7 +12,7 @@
+ controls { /* empty */ };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
+index aeb1540e95..bfce58bddd 100644
+--- a/bin/tests/system/allow-query/ns2/named30.conf.in
++++ b/bin/tests/system/allow-query/ns2/named30.conf.in
+@@ -12,7 +12,7 @@
+ controls { /* empty */ };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
+index d4b743281a..e0f52526ba 100644
+--- a/bin/tests/system/allow-query/ns2/named31.conf.in
++++ b/bin/tests/system/allow-query/ns2/named31.conf.in
+@@ -12,12 +12,12 @@
+ controls { /* empty */ };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key two {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234efgh8765";
+ };
+ 
+diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
+index c0259387e7..87afb3fa3a 100644
+--- a/bin/tests/system/allow-query/ns2/named32.conf.in
++++ b/bin/tests/system/allow-query/ns2/named32.conf.in
+@@ -12,7 +12,7 @@
+ controls { /* empty */ };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
+index d83b376cfd..d726b9480b 100644
+--- a/bin/tests/system/allow-query/ns2/named40.conf.in
++++ b/bin/tests/system/allow-query/ns2/named40.conf.in
+@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
+ acl badaccept { 10.53.0.1; };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key two {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234efgh8765";
+ };
+ 
+diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
+index fb6059d5b8..f9601564a2 100644
+--- a/bin/tests/system/allow-query/tests.sh
++++ b/bin/tests/system/allow-query/tests.sh
+@@ -190,7 +190,7 @@ rndc_reload
+ 
+ echo_i "test $n: key allowed - query allowed"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -203,7 +203,7 @@ rndc_reload
+ 
+ echo_i "test $n: key not allowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -216,7 +216,7 @@ rndc_reload
+ 
+ echo_i "test $n: key disallowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -349,7 +349,7 @@ rndc_reload
+ 
+ echo_i "test $n: views key allowed - query allowed"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -362,7 +362,7 @@ rndc_reload
+ 
+ echo_i "test $n: views key not allowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -375,7 +375,7 @@ rndc_reload
+ 
+ echo_i "test $n: views key disallowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -508,7 +508,7 @@ status=`expr $status + $ret`
+ n=`expr $n + 1`
+ echo_i "test $n: zone key allowed - query allowed"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+ grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -518,7 +518,7 @@ status=`expr $status + $ret`
+ n=`expr $n + 1`
+ echo_i "test $n: zone key not allowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -528,7 +528,7 @@ status=`expr $status + $ret`
+ n=`expr $n + 1`
+ echo_i "test $n: zone key disallowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
+index 74b7d371b7..c35376640d 100644
+--- a/bin/tests/system/catz/ns1/named.conf.in
++++ b/bin/tests/system/catz/ns1/named.conf.in
+@@ -61,5 +61,5 @@ zone "catalog4.example" {
+ 
+ key tsig_key. {
+ 	secret "LSAnCU+Z";
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ };
+diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in
+index ee83efbee4..35ced08842 100644
+--- a/bin/tests/system/catz/ns2/named.conf.in
++++ b/bin/tests/system/catz/ns2/named.conf.in
+@@ -70,5 +70,5 @@ zone "catalog4.example" {
+ 
+ key tsig_key. {
+ 	secret "LSAnCU+Z";
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ };
+diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
+index 21be03e9d2..e57c30875c 100644
+--- a/bin/tests/system/checkconf/bad-tsig.conf
++++ b/bin/tests/system/checkconf/bad-tsig.conf
+@@ -11,7 +11,7 @@
+ 
+ /* Bad secret */
+ key "badtsig" {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "jEdD+BPKg==";
+ };
+ 
+diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
+index 9ab35b38a5..486551ae64 100644
+--- a/bin/tests/system/checkconf/good.conf
++++ b/bin/tests/system/checkconf/good.conf
+@@ -153,6 +153,6 @@ dyndb "name" "library.so" {
+ 	system;
+ };
+ key "mykey" {
+-	algorithm "hmac-md5";
++	algorithm "hmac-sha256";
+ 	secret "qwertyuiopasdfgh";
+ };
+diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db
+index f4e30f51e5..9f53e31c97 100644
+--- a/bin/tests/system/digdelv/ns2/example.db
++++ b/bin/tests/system/digdelv/ns2/example.db
+@@ -38,12 +38,15 @@ foo			SSHFP	2 1 123456789abcdef67890123456789abcdef67890
+ ;;
+ ;; we are not testing DNSSEC behavior, so we don't care about the semantics
+ ;; of the following records.
+-dnskey                  300     DNSKEY  256 3 1 (
+-                                        AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg
+-                                        +Ge4noWROpTWOIBvm76zeJPWs4Zfqa1IsswD
+-                                        Ix5Mqeg0zwclz59uecKsKyx5w9IhtZ8plc4R
+-                                        b9VIE5x7KNHAYTvTO5d4S8M=
+-                                        )
++dnskey                  300     DNSKEY 256 3 8 (
++                    AwEAAaWmCoDpj2K59zcpqnmnQM7IC/XbjS6jIP7uTBR4X7p1bdQJzAeo
++                    EnMhnpnxPp0j+20eZm4847DB2U+HuHy79Mvqd3aozTmfBJvzjKs9qyba
++                    zY/ZHn6BDYxNJiFfjSS/VJ1KuQPDbpCzhm2hbvT5s9nSOaG0WyRk+d+R
++                    qEca11E7ZKkmmNiGlyzMAgfmTTBwgxWBAAhvd9nU1GqD6eQ6Z63hpTc/
++                    KDIHnFTo7pOcZ4z5urIKUMCMcFytedETlEoR5CIWGPdQq2eIEEMfn5ld
++                    QqdEZRHVErD9og8aluJ2s767HZb8LzjCfYgBFoT9/n48T75oZLEKtSkG
++                    /idCeeQlaLU=
++                    )
+ 
+ ; TTL of 3 weeks
+ weeks		1814400	A	10.53.0.2
+diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
+index 1b25c4ddfc..5dbf20a3e1 100644
+--- a/bin/tests/system/digdelv/tests.sh
++++ b/bin/tests/system/digdelv/tests.sh
+@@ -62,7 +62,7 @@ if [ -x ${DIG} ] ; then
+   echo_i "checking dig +multi +norrcomments works for dnskey (when default is rrcomments)($n)"
+   ret=0
+   $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
+-  grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1
++  grep "; ZSK; alg = RSASHA256 ; key id = 36895" < dig.out.test$n > /dev/null && ret=1
+   if [ $ret != 0 ]; then echo_i "failed"; fi
+   status=`expr $status + $ret`
+ 
+@@ -70,7 +70,7 @@ if [ -x ${DIG} ] ; then
+   echo_i "checking dig +multi +norrcomments works for soa (when default is rrcomments)($n)"
+   ret=0
+   $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > dig.out.test$n || ret=1
+-  grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1
++  grep "; ZSK; alg = RSASHA256 ; key id = 36895" < dig.out.test$n > /dev/null && ret=1
+   if [ $ret != 0 ]; then echo_i "failed"; fi
+   status=`expr $status + $ret`
+ 
+@@ -78,7 +78,7 @@ if [ -x ${DIG} ] ; then
+   echo_i "checking dig +rrcomments works for DNSKEY($n)"
+   ret=0
+   $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
+-  grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1
++  grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
+   if [ $ret != 0 ]; then echo_i "failed"; fi
+   status=`expr $status + $ret`
+ 
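Review bot: The new dig patterns for the `+rrcomments DNSKEY` and `+short +rrcomments DNSKEY` checks gained a trailing `$` anchor, but the matching delv checks further down (`delv +rrcomments works for DNSKEY`, `delv +short +rrcomments works for DNSKEY`) were rewritten without it, so the two tools are now asserted with different strictness for the same output. Unless delv prints something after the key id that makes an anchor wrong, the delv lines should read `grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < delv.out.test$n > /dev/null || ret=1` as well; otherwise a one-line comment saying why dig is anchored and delv is not would stop the next reader from "fixing" it. The negative `+norrcomments` checks use `&& ret=1`, so leaving them unanchored is fine.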
+@@ -86,7 +86,7 @@ if [ -x ${DIG} ] ; then
+   echo_i "checking dig +short +rrcomments works for DNSKEY ($n)"
+   ret=0
+   $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
+-  grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1
++  grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
+   if [ $ret != 0 ]; then echo_i "failed"; fi
+   status=`expr $status + $ret`
+ 
+@@ -94,7 +94,7 @@ if [ -x ${DIG} ] ; then
+   echo_i "checking dig +short +nosplit works($n)"
+   ret=0
+   $DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1
+-  grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < dig.out.test$n > /dev/null || ret=1
++  grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < dig.out.test$n > /dev/null || ret=1
+   if [ $ret != 0 ]; then echo_i "failed"; fi
+   status=`expr $status + $ret`
+ 
+@@ -102,7 +102,7 @@ if [ -x ${DIG} ] ; then
+   echo_i "checking dig +short +rrcomments works($n)"
+   ret=0
+   $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
+-  grep "S8M=  ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1
++  grep "aLU=  ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
+   if [ $ret != 0 ]; then echo_i "failed"; fi
+   status=`expr $status + $ret`
+ 
+@@ -118,7 +118,7 @@ if [ -x ${DIG} ] ; then
+   echo_i "checking dig +short +rrcomments works($n)"
+   ret=0
+   $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
+-  grep "S8M=  ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1
++  grep "aLU=  ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
+   if [ $ret != 0 ]; then echo_i "failed"; fi
+   status=`expr $status + $ret`
+ 
+@@ -543,7 +543,7 @@ if [ -x ${DELV} ] ; then
+   echo_i "checking delv +multi +norrcomments works for dnskey (when default is rrcomments)($n)"
+   ret=0
+   $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
+-  grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1
++  grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null && ret=1
+   if [ $ret != 0 ]; then echo_i "failed"; fi
+   status=`expr $status + $ret`
+ 
+@@ -551,7 +551,7 @@ if [ -x ${DELV} ] ; then
+   echo_i "checking delv +multi +norrcomments works for soa (when default is rrcomments)($n)"
+   ret=0
+   $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n || ret=1
+-  grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1
++  grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null && ret=1
+   if [ $ret != 0 ]; then echo_i "failed"; fi
+   status=`expr $status + $ret`
+ 
+@@ -559,7 +559,7 @@ if [ -x ${DELV} ] ; then
+   echo_i "checking delv +rrcomments works for DNSKEY($n)"
+   ret=0
+   $DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
+-  grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1
++  grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1
+   if [ $ret != 0 ]; then echo_i "failed"; fi
+   status=`expr $status + $ret`
+ 
+@@ -567,7 +567,7 @@ if [ -x ${DELV} ] ; then
+   echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
+   ret=0
+   $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
+-  grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1
++  grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1
+   if [ $ret != 0 ]; then echo_i "failed"; fi
+   status=`expr $status + $ret`
+ 
+@@ -575,7 +575,7 @@ if [ -x ${DELV} ] ; then
+   echo_i "checking delv +short +rrcomments works ($n)"
+   ret=0
+   $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
+-  grep "S8M=  ; ZSK; alg = RSAMD5 ; key id = 30795$" < delv.out.test$n > /dev/null || ret=1
++  grep "aLU=  ; ZSK; alg = RSASHA256 ; key id = 36895$" < delv.out.test$n > /dev/null || ret=1
+   if [ $ret != 0 ]; then echo_i "failed"; fi
+   status=`expr $status + $ret`
+ 
+@@ -583,7 +583,7 @@ if [ -x ${DELV} ] ; then
+   echo_i "checking delv +short +nosplit works ($n)"
+   ret=0
+   $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1
+-  grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=" < delv.out.test$n > /dev/null || ret=1
++  grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=" < delv.out.test$n > /dev/null || ret=1
+   if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
+   f=`awk '{print NF}' < delv.out.test$n`
+   test "${f:-0}" -eq 14 || ret=1
+@@ -594,7 +594,7 @@ if [ -x ${DELV} ] ; then
+   echo_i "checking delv +short +nosplit +norrcomments works ($n)"
+   ret=0
+   $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
+-  grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < delv.out.test$n > /dev/null || ret=1
++  grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < delv.out.test$n > /dev/null || ret=1
+   if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
+   f=`awk '{print NF}' < delv.out.test$n`
+   test "${f:-0}" -eq 4 || ret=1
+diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh
+index b8151620cc..2a62e583b8 100755
+--- a/bin/tests/system/dlv/ns1/sign.sh
++++ b/bin/tests/system/dlv/ns1/sign.sh
+@@ -23,8 +23,8 @@ infile=root.db.in
+ zonefile=root.db
+ outfile=root.signed
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` 
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
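Review bot: The DSA size is hardcoded as `-b 1024` here and in ns2/sign.sh, while ns3/sign.sh and ns6/sign.sh introduce a `bits=1024` variable for the same purpose; all four scripts should use the variable so the size is changed in one place. The value itself is undocumented — presumably 1024 is the smallest DSA size the FIPS-enabled crypto backend still accepts, so I would add that as a comment where the variable is defined, e.g. `bits=1024  # smallest DSA key size accepted when the crypto backend runs in FIPS mode`, and verify it against the backend actually used by this build. The same applies to the `bits=1024` definitions in ns3 and ns6.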
+diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh
+index 6f84d7a525..e128303a22 100755
+--- a/bin/tests/system/dlv/ns2/sign.sh
++++ b/bin/tests/system/dlv/ns2/sign.sh
+@@ -24,8 +24,8 @@ zonefile=druz.db
+ outfile=druz.pre
+ dlvzone=utld.
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` 
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh
+index bcc9922e26..846dbcc0df 100755
+--- a/bin/tests/system/dlv/ns3/sign.sh
++++ b/bin/tests/system/dlv/ns3/sign.sh
+@@ -19,6 +19,7 @@ echo_i "dlv/ns3/sign.sh"
+ dlvzone=dlv.utld.
+ dlvsets=
+ dssets=
++bits=1024
+ 
+ zone=child1.utld.
+ infile=child.db.in
+@@ -26,8 +27,8 @@ zonefile=child1.utld.db
+ outfile=child1.signed
+ dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` 
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
+ cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
+@@ -42,8 +43,8 @@ zonefile=child3.utld.db
+ outfile=child3.signed
+ dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
+ cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
+@@ -58,8 +59,8 @@ zonefile=child4.utld.db
+ outfile=child4.signed
+ dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -73,8 +74,8 @@ zonefile=child5.utld.db
+ outfile=child5.signed
+ dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
+ cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
+@@ -88,8 +89,8 @@ infile=child.db.in
+ zonefile=child7.utld.db
+ outfile=child7.signed
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
+ cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
+@@ -103,8 +104,8 @@ infile=child.db.in
+ zonefile=child8.utld.db
+ outfile=child8.signed
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -118,8 +119,8 @@ zonefile=child9.utld.db
+ outfile=child9.signed
+ dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -132,8 +133,8 @@ zonefile=child10.utld.db
+ outfile=child10.signed
+ dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -147,8 +148,8 @@ outfile=child1.druz.signed
+ dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+ dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` 
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
+ cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
+@@ -164,8 +165,8 @@ outfile=child3.druz.signed
+ dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+ dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
+ cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
+@@ -181,8 +182,8 @@ outfile=child4.druz.signed
+ dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+ dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -197,8 +198,8 @@ outfile=child5.druz.signed
+ dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+ dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
+ cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
+@@ -213,8 +214,8 @@ zonefile=child7.druz.db
+ outfile=child7.druz.signed
+ dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
+ cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
+@@ -228,8 +229,8 @@ infile=child.db.in
+ zonefile=child8.druz.db
+ outfile=child8.druz.signed
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -243,8 +244,8 @@ zonefile=child9.druz.db
+ outfile=child9.druz.signed
+ dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -258,8 +259,8 @@ outfile=child10.druz.signed
+ dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+ dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -272,8 +273,8 @@ infile=dlv.db.in
+ zonefile=dlv.utld.db
+ outfile=dlv.signed
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile
+ 
+diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh
+index 1e398625f1..4ed19acd1f 100755
+--- a/bin/tests/system/dlv/ns6/sign.sh
++++ b/bin/tests/system/dlv/ns6/sign.sh
+@@ -16,13 +16,15 @@ SYSTESTDIR=dlv
+ 
+ echo_i "dlv/ns6/sign.sh"
+ 
++bits=1024
++
+ zone=grand.child1.utld.
+ infile=child.db.in
+ zonefile=grand.child1.utld.db
+ outfile=grand.child1.signed
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -36,8 +38,8 @@ zonefile=grand.child3.utld.db
+ outfile=grand.child3.signed
+ dlvzone=dlv.utld.
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -51,8 +53,8 @@ zonefile=grand.child4.utld.db
+ outfile=grand.child4.signed
+ dlvzone=dlv.utld.
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -66,8 +68,8 @@ zonefile=grand.child5.utld.db
+ outfile=grand.child5.signed
+ dlvzone=dlv.utld.
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -81,8 +83,8 @@ zonefile=grand.child7.utld.db
+ outfile=grand.child7.signed
+ dlvzone=dlv.utld.
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -96,8 +98,8 @@ zonefile=grand.child8.utld.db
+ outfile=grand.child8.signed
+ dlvzone=dlv.utld.
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -111,8 +113,8 @@ zonefile=grand.child9.utld.db
+ outfile=grand.child9.signed
+ dlvzone=dlv.utld.
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -125,8 +127,8 @@ zonefile=grand.child10.utld.db
+ outfile=grand.child10.signed
+ dlvzone=dlv.utld.
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -138,8 +140,8 @@ infile=child.db.in
+ zonefile=grand.child1.druz.db
+ outfile=grand.child1.druz.signed
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -153,8 +155,8 @@ zonefile=grand.child3.druz.db
+ outfile=grand.child3.druz.signed
+ dlvzone=dlv.druz.
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -168,8 +170,8 @@ zonefile=grand.child4.druz.db
+ outfile=grand.child4.druz.signed
+ dlvzone=dlv.druz.
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -183,8 +185,8 @@ zonefile=grand.child5.druz.db
+ outfile=grand.child5.druz.signed
+ dlvzone=dlv.druz.
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -198,8 +200,8 @@ zonefile=grand.child7.druz.db
+ outfile=grand.child7.druz.signed
+ dlvzone=dlv.druz.
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -213,8 +215,8 @@ zonefile=grand.child8.druz.db
+ outfile=grand.child8.druz.signed
+ dlvzone=dlv.druz.
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -228,8 +230,8 @@ zonefile=grand.child9.druz.db
+ outfile=grand.child9.druz.signed
+ dlvzone=dlv.druz.
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -242,8 +244,8 @@ zonefile=grand.child10.druz.db
+ outfile=grand.child10.druz.signed
+ dlvzone=dlv.druz.
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
+index 198d60ae15..d89a539ffd 100644
+--- a/bin/tests/system/dnssec/ns1/sign.sh
++++ b/bin/tests/system/dnssec/ns1/sign.sh
+@@ -27,7 +27,7 @@ cp ../ns2/dsset-in-addr.arpa$TP .
+ grep "8 [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP
+ cp ../ns6/dsset-optout-tld$TP .
+ 
+-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
+ 
+ cat $infile $keyname.key > $zonefile
+ 
+@@ -48,6 +48,6 @@ cp managed.conf ../ns4/managed.conf
+ #
+ #  Save keyid for managed key id test.
+ #
+-keyid=`expr $keyname : 'K.+001+\(.*\)'`
++keyid=`expr $keyname : 'K.+008+\([0-9]*\)'`
+ keyid=`expr $keyid + 0`
+ echo "$keyid" > managed.key.id
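Review bot: The `008` in `expr $keyname : 'K.+008+\([0-9]*\)'` is a second copy of the algorithm chosen on the `$KEYGEN -a RSASHA256` line in the previous hunk, and nothing ties the two together, so a future algorithm change that updates only one of them silently yields an empty `keyid`. A comment on the new line would make the coupling visible: `# 008 is the DNSSEC algorithm number of RSASHA256 used by $KEYGEN above; keep in sync`. Narrowing the capture to `[0-9]*` is a good change since it stops the tag from swallowing a trailing suffix.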
+diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
+index 9078459ac8..9dcd028eb5 100644
+--- a/bin/tests/system/dnssec/ns2/sign.sh
++++ b/bin/tests/system/dnssec/ns2/sign.sh
+@@ -29,8 +29,8 @@ do
+ 	cp ../ns3/dsset-$subdomain.example$TP .
+ done
+ 
+-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
+-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
++keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
++keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -89,8 +89,8 @@ zone=in-addr.arpa.
+ infile=in-addr.arpa.db.in
+ zonefile=in-addr.arpa.db
+ 
+-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
+-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
++keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
++keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ $SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+@@ -101,7 +101,7 @@ privzone=private.secure.example.
+ privinfile=private.secure.example.db.in
+ privzonefile=private.secure.example.db
+ 
+-privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone`
++privkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $privzone`
+ 
+ cat $privinfile $privkeyname.key >$privzonefile
+ 
+@@ -115,7 +115,7 @@ dlvinfile=dlv.db.in
+ dlvzonefile=dlv.db
+ dlvsetfile=dlvset-`echo $privzone |sed -e "s/\.$//g"`$TP
+ 
+-dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone`
++dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $dlvzone`
+ 
+ cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile
+ 
+diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
+index 330abf7feb..f95a6b7ea8 100644
+--- a/bin/tests/system/dnssec/ns3/sign.sh
++++ b/bin/tests/system/dnssec/ns3/sign.sh
+@@ -28,7 +28,7 @@ zone=bogus.example.
+ infile=bogus.example.db.in
+ zonefile=bogus.example.db
+ 
+-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone`
+ 
+ cat $infile $keyname.key >$zonefile
+ 
+@@ -38,8 +38,8 @@ zone=dynamic.example.
+ infile=dynamic.example.db.in
+ zonefile=dynamic.example.db
+ 
+-keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+-keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`
++keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone`
++keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone -f KSK $zone`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+@@ -49,7 +49,7 @@ zone=keyless.example.
+ infile=generic.example.db.in
+ zonefile=keyless.example.db
+ 
+-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone`
+ 
+ cat $infile $keyname.key >$zonefile
+ 
+@@ -69,7 +69,7 @@ zone=secure.nsec3.example.
+ infile=secure.nsec3.example.db.in
+ zonefile=secure.nsec3.example.db
+ 
+-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone`
+ 
+ cat $infile $keyname.key >$zonefile
+ 
+@@ -82,7 +82,7 @@ zone=nsec3.nsec3.example.
+ infile=nsec3.nsec3.example.db.in
+ zonefile=nsec3.nsec3.example.db
+ 
+-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+ 
+ cat $infile $keyname.key >$zonefile
+ 
+@@ -95,7 +95,7 @@ zone=optout.nsec3.example.
+ infile=optout.nsec3.example.db.in
+ zonefile=optout.nsec3.example.db
+ 
+-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+ 
+ cat $infile $keyname.key >$zonefile
+ 
+@@ -108,7 +108,7 @@ zone=nsec3.example.
+ infile=nsec3.example.db.in
+ zonefile=nsec3.example.db
+ 
+-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+ 
+ cat $infile $keyname.key >$zonefile
+ 
+@@ -121,7 +121,7 @@ zone=secure.optout.example.
+ infile=secure.optout.example.db.in
+ zonefile=secure.optout.example.db
+ 
+-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone`
+ 
+ cat $infile $keyname.key >$zonefile
+ 
+@@ -498,7 +498,7 @@ zone=badds.example.
+ infile=bogus.example.db.in
+ zonefile=badds.example.db
+ 
+-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone`
+ 
+ cat $infile $keyname.key >$zonefile
+ 
+diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad
+index ed30460bda..e6b112630e 100644
+--- a/bin/tests/system/dnssec/ns5/trusted.conf.bad
++++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad
+@@ -10,5 +10,5 @@
+  */
+ 
+ trusted-keys {
+-    "." 256 3 1 "AQO6Cl+slAf+iuieDim9L3kujFHQD7s/IOj03ClMOpKYcTXtK4mRpuULVfvWxDi9Ew/gj0xLnnX7z9OJHIxLI+DSrAHd8Dm0XfBEAtVtJSn70GaPZgnLMw1rk5ap2DsEoWk=";
++    "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV";
+ };
+diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
+index bb2315fbf3..315666825e 100644
+--- a/bin/tests/system/dnssec/tests.sh
++++ b/bin/tests/system/dnssec/tests.sh
+@@ -1690,7 +1690,7 @@ ret=0
+ $RNDCCMD 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i
+ keyid=`cat ns1/managed.key.id`
+ cp ns4/named.secroots named.secroots.test$n
+-linecount=`grep "./RSAMD5/$keyid ; trusted" named.secroots.test$n | wc -l`
++linecount=`grep "./RSASHA256/$keyid ; trusted" named.secroots.test$n | wc -l`
+ [ "$linecount" -eq 1 ] || ret=1
+ linecount=`cat named.secroots.test$n | wc -l`
+ [ "$linecount" -eq 10 ] || ret=1
+@@ -3018,7 +3018,7 @@ echo_i "check dig's +nocrypto flag ($n)"
+ ret=0
+ $DIG $DIGOPTS +norec +nocrypto DNSKEY . \
+ 	@10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1
+-grep '256 3 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
++grep '256 3 8 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+ grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+ $DIG $DIGOPTS +norec +nocrypto DS example \
+ 	@10.53.0.1 > dig.out.ds.ns1.test$n || ret=1
+@@ -3130,8 +3130,8 @@ do
+ 	   alg=`expr $alg + 1`
+ 	   continue;;
+ 	3) size="-b 512";;
+-	5) size="-b 512";;
+-	6) size="-b 512";;
++	5) size="-b 1024";;
++	6) size="-b 1024";;
+ 	7) size="-b 512";;
+ 	8) size="-b 512";;
+ 	10) size="-b 1024";;
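Review bot: Only algorithms 5 (RSASHA1) and 6 (DSA-NSEC3-SHA1) are raised to 1024 bits, while 7 (RSASHA1-NSEC3-SHA1) and 8 (RSASHA256) are still generated with `-b 512`. If the reason for raising 5 is a minimum RSA key size enforced when FIPS mode is active, the same limit presumably applies to the RSA-based 7 and 8, and those cases will start failing for the same reason; `7) size="-b 1024";;` and `8) size="-b 1024";;` would keep the loop consistent. The enclosing `case`/loop starts and ends outside the hunk, so I cannot see whether later cases compensate.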
+diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
+index 9612450ab4..5eee6aa4f8 100644
+--- a/bin/tests/system/feature-test.c
++++ b/bin/tests/system/feature-test.c
+@@ -19,6 +19,7 @@
+ #include <isc/print.h>
+ #include <isc/util.h>
+ #include <isc/net.h>
++#include <isc/md5.h>
+ #include <dns/edns.h>
+ 
+ #ifdef WIN32
+@@ -45,6 +46,7 @@ usage() {
+ 	fprintf(stderr, "	--have-geoip\n");
+ 	fprintf(stderr, "	--have-libxml2\n");
+ 	fprintf(stderr, "	--ipv6only=no\n");
++	fprintf(stderr, "       --md5\n");
+ 	fprintf(stderr, "	--rpz-nsdname\n");
+ 	fprintf(stderr, "	--rpz-nsip\n");
+ 	fprintf(stderr, "	--with-idn\n");
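Review bot: The new usage line `fprintf(stderr, "       --md5\n");` indents the option with spaces, whereas every neighbouring line in the list uses a literal tab, so the option will render misaligned in the help text. Use the same tab as the surrounding lines: `fprintf(stderr, "	--md5\n");`. The option is placed in alphabetical order, which matches the rest of the list.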
+@@ -136,6 +138,18 @@ main(int argc, char **argv) {
+ #endif
+ 	}
+ 
++	if (strcmp(argv[1], "--md5") == 0) {
++#ifdef PK11_MD5_DISABLE
++		return (1);
++#else
++		if (isc_md5_available()) {
++			return (0);
++		} else {
++			return (1);
++		}
++#endif
++	}
++
+ 	if (strcmp(argv[1], "--rpz-nsip") == 0) {
+ #ifdef ENABLE_RPZ_NSIP
+ 		return (0);
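Review bot: The `#else` branch spells out a four-line `if`/`else` that only maps a boolean to an exit status; the rest of `main()` (outside this hunk) uses single `return (N);` statements per feature, and `return (isc_md5_available() ? 0 : 1);` would match that shape. A short comment above the block would also help readers of the other test scripts that now depend on this exit status: `/* exit 0 when MD5 is usable at runtime, 1 when compiled out (PK11_MD5_DISABLE) or disabled by the crypto backend */`. The `#ifdef PK11_MD5_DISABLE` branch correctly returns 1 without consulting the backend.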
+diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh
+index f7555810a0..4a7d89004a 100755
+--- a/bin/tests/system/filter-aaaa/ns1/sign.sh
++++ b/bin/tests/system/filter-aaaa/ns1/sign.sh
+@@ -21,8 +21,8 @@ infile=signed.db.in
+ zonefile=signed.db.signed
+ outfile=signed.db.signed
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh
+index f7555810a0..4a7d89004a 100755
+--- a/bin/tests/system/filter-aaaa/ns4/sign.sh
++++ b/bin/tests/system/filter-aaaa/ns4/sign.sh
+@@ -21,8 +21,8 @@ infile=signed.db.in
+ zonefile=signed.db.signed
+ outfile=signed.db.signed
+ 
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+ 
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ 
+diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
+index cfcfe8fa2f..0a1614d527 100644
+--- a/bin/tests/system/notify/ns5/named.conf.in
++++ b/bin/tests/system/notify/ns5/named.conf.in
+@@ -10,17 +10,17 @@
+  */
+ 
+ key "a" {
+-	algorithm "hmac-md5";
++	algorithm "hmac-sha256";
+ 	secret "aaaaaaaaaaaaaaaaaaaa";
+ };
+ 
+ key "b" {
+-	algorithm "hmac-md5";
++	algorithm "hmac-sha256";
+ 	secret "bbbbbbbbbbbbbbbbbbbb";
+ };
+ 
+ key "c" {
+-	algorithm "hmac-md5";
++	algorithm "hmac-sha256";
+ 	secret "cccccccccccccccccccc";
+ };
+ 
+diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
+index ad20e3eaca..5a9ce4688a 100644
+--- a/bin/tests/system/notify/tests.sh
++++ b/bin/tests/system/notify/tests.sh
+@@ -186,16 +186,16 @@ ret=0
+ $NSUPDATE << EOF
+ server 10.53.0.5 ${PORT}
+ zone x21
+-key a aaaaaaaaaaaaaaaaaaaa
++key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa
+ update add added.x21 0 in txt "test string"
+ send
+ EOF
+ 
+ for i in 1 2 3 4 5 6 7 8 9
+ do
+-	$DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
++	$DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
+ 		txt > dig.out.b.ns5.test$n || ret=1
+-	$DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
++	$DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
+ 		txt > dig.out.c.ns5.test$n || ret=1
+ 	grep "test string" dig.out.b.ns5.test$n > /dev/null &&
+ 	grep "test string" dig.out.c.ns5.test$n > /dev/null &&
+diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
+index 1d999adc39..26b6b7c9ab 100644
+--- a/bin/tests/system/nsupdate/ns1/named.conf.in
++++ b/bin/tests/system/nsupdate/ns1/named.conf.in
+@@ -32,7 +32,7 @@ controls {
+ };
+ 
+ key altkey {
+-	algorithm hmac-md5;
++	algorithm hmac-sha512;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
+index b4ecf96668..1adb33eb0b 100644
+--- a/bin/tests/system/nsupdate/ns2/named.conf.in
++++ b/bin/tests/system/nsupdate/ns2/named.conf.in
+@@ -24,7 +24,7 @@ options {
+ };
+ 
+ key altkey {
+-	algorithm hmac-md5;
++	algorithm hmac-sha512;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
+index 32674eb382..2331b30b00 100644
+--- a/bin/tests/system/nsupdate/setup.sh
++++ b/bin/tests/system/nsupdate/setup.sh
+@@ -59,7 +59,12 @@ EOF
+ 
+ $DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
+ 
+-$DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
++if $FEATURETEST --md5; then
++	$DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
++else
++	echo -n > ns1/md5.key
++fi
++
+ $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
+ $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
+ $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
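Review bot: `echo -n > ns1/md5.key` is not portable: in POSIX `sh` implementations such as dash, `echo` does not recognise `-n` and writes the literal string `-n` into the file, so ns1/md5.key would not be empty. The portable way to create an empty file is `: > ns1/md5.key`. The file appears to be consumed only when the md5 branch of tests.sh runs, so the defect is currently masked by the matching `$FEATURETEST --md5` guard there.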
+diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
+index 2a01d1e46d..e8659587c3 100755
+--- a/bin/tests/system/nsupdate/tests.sh
++++ b/bin/tests/system/nsupdate/tests.sh
+@@ -680,7 +680,14 @@ fi
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check TSIG key algorithms ($n)"
+-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
++if $FEATURETEST --md5
++then
++	ALGS="md5 sha1 sha224 sha256 sha384 sha512"
++else
++	ALGS="sha1 sha224 sha256 sha384 sha512"
++	echo_i "skipping disabled md5 algorithm"
++fi
++for alg in $ALGS; do
+     $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
+ server 10.53.0.1 ${PORT}
+ update add ${alg}.keytests.nil. 600 A 10.10.10.3
+@@ -688,7 +695,7 @@ send
+ END
+ done
+ sleep 2
+-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
++for alg in $ALGS; do
+     $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
+ done
+ if [ $ret -ne 0 ]; then
+diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
+index 850c4d2744..09a3e0f9ad 100644
+--- a/bin/tests/system/rndc/setup.sh
++++ b/bin/tests/system/rndc/setup.sh
+@@ -37,7 +37,7 @@ make_key () {
+             sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
+ }
+ 
+-make_key 1 ${EXTRAPORT1} hmac-md5
++$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
+ make_key 2 ${EXTRAPORT2} hmac-sha1
+ make_key 3 ${EXTRAPORT3} hmac-sha224
+ make_key 4 ${EXTRAPORT4} hmac-sha256
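Review bot: When `$FEATURETEST --md5` fails, `make_key 1` is skipped and ns4/key1.conf is never written, but the tests.sh hunk in this same patch only guards the hmac-md5 test; the remaining algorithm tests still loop over the other key files (`for i in 2 3 4 5 6` in the md5 case suggests the sha1 case iterates over `1 3 4 5 6`, though that loop is outside the visible hunks). For those tests a missing key1.conf makes `$RNDC -c ns4/key1.conf` fail for the wrong reason, so the "other keys are rejected" assertion passes without exercising the server. Consider always generating key1.conf (a config file does not need a working MD5 backend) and only guarding the test that uses it, or making the per-algorithm loops skip `1` when MD5 is unavailable.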
+diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
+index d364e6fea0..dbf3bc6780 100644
+--- a/bin/tests/system/rndc/tests.sh
++++ b/bin/tests/system/rndc/tests.sh
+@@ -356,15 +356,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
+ n=`expr $n + 1`
+-echo_i "testing rndc with hmac-md5 ($n)"
+-ret=0
+-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
+-for i in 2 3 4 5 6
+-do
+-        $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+-done
+-if [ $ret != 0 ]; then echo_i "failed"; fi
+-status=`expr $status + $ret`
++if $FEATURETEST --md5
++then
++	echo_i "testing rndc with hmac-md5 ($n)"
++	ret=0
++	$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
++	for i in 2 3 4 5 6
++	do
++		$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
++	done
++	if [ $ret != 0 ]; then echo_i "failed"; fi
++	status=`expr $status + $ret`
++else
++	echo_i "skipping rndc with hmac-md5 ($n)"
++fi
+ 
+ n=`expr $n + 1`
+ echo_i "testing rndc with hmac-sha1 ($n)"
+diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh
+index 576ec70f76..cb7a852189 100644
+--- a/bin/tests/system/tsig/clean.sh
++++ b/bin/tests/system/tsig/clean.sh
+@@ -20,3 +20,4 @@ rm -f */named.run
+ rm -f ns*/named.lock
+ rm -f Kexample.net.+163+*
+ rm -f keygen.out?
++rm -f ns1/named.conf
+diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
+index fbf30c6dc4..f61657d7cf 100644
+--- a/bin/tests/system/tsig/ns1/named.conf.in
++++ b/bin/tests/system/tsig/ns1/named.conf.in
+@@ -21,10 +21,7 @@ options {
+ 	notify no;
+ };
+ 
+-key "md5" {
+-	secret "97rnFx24Tfna4mHPfgnerA==";
+-	algorithm hmac-md5;
+-};
++# md5 key appended by setup.sh at the end
+ 
+ key "sha1" {
+ 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+@@ -51,10 +48,7 @@ key "sha512" {
+ 	algorithm hmac-sha512;
+ };
+ 
+-key "md5-trunc" {
+-	secret "97rnFx24Tfna4mHPfgnerA==";
+-	algorithm hmac-md5-80;
+-};
++# md5-trunc key appended by setup.sh at the end
+ 
+ key "sha1-trunc" {
+ 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
+new file mode 100644
+index 0000000000..4117830adb
+--- /dev/null
++++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
+@@ -0,0 +1,11 @@
++
++key "md5" {
++	secret "97rnFx24Tfna4mHPfgnerA==";
++	algorithm hmac-md5;
++};
++
++key "md5-trunc" {
++	secret "97rnFx24Tfna4mHPfgnerA==";
++	algorithm hmac-md5-80;
++};
++
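Review bot: The new file is named `rndc5.conf.in`, but it holds the two TSIG `key` statements (`md5`, `md5-trunc`) that setup.sh appends to ns1/named.conf, and it has nothing to do with rndc; the name will mislead the next person looking for where the md5 keys went. A name such as `md5keys.conf.in` together with a header comment, `# hmac-md5 TSIG keys, appended to named.conf by setup.sh only when MD5 is available`, would make the intent self-explanatory and match the placeholder comments left in named.conf.in. The file is also not passed through `copy_setports`, which is fine since it contains no ports, but worth stating in the same comment.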
+diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
+index 656e9bbcd8..628c5bbac1 100644
+--- a/bin/tests/system/tsig/setup.sh
++++ b/bin/tests/system/tsig/setup.sh
+@@ -17,3 +17,7 @@ $SHELL clean.sh
+ copy_setports ns1/named.conf.in ns1/named.conf
+ 
+ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
++if $FEATURETEST --md5
++then
++	cat ns1/rndc5.conf.in >> ns1/named.conf
++fi
+diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
+index f731fa604c..cade35bc1d 100644
+--- a/bin/tests/system/tsig/tests.sh
++++ b/bin/tests/system/tsig/tests.sh
+@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
+ 
+ status=0
+ 
+-echo_i "fetching using hmac-md5 (old form)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
+-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+-	echo_i "failed"; status=1
+-fi
+-
+-echo_i "fetching using hmac-md5 (new form)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
+-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+-	echo_i "failed"; status=1
++if $FEATURETEST --md5
++then
++	echo_i "fetching using hmac-md5 (old form)"
++	ret=0
++	$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
++	grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
++	if [ $ret -eq 1 ] ; then
++		echo_i "failed"; status=1
++	fi
++
++	echo_i "fetching using hmac-md5 (new form)"
++	ret=0
++	$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
++	grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
++	if [ $ret -eq 1 ] ; then
++		echo_i "failed"; status=1
++	fi
++else
++	echo_i "skipping using hmac-md5"
+ fi
+ 
+ echo_i "fetching using hmac-sha1"
+@@ -87,12 +92,17 @@ fi
+ #	Truncated TSIG
+ #
+ #
+-echo_i "fetching using hmac-md5 (trunc)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
+-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+-	echo_i "failed"; status=1
++if $FEATURETEST --md5
++then
++	echo_i "fetching using hmac-md5 (trunc)"
++	ret=0
++	$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
++	grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
++	if [ $ret -eq 1 ] ; then
++		echo_i "failed"; status=1
++	fi
++else
++	echo_i "skipping using hmac-md5 (trunc)"
+ fi
+ 
+ echo_i "fetching using hmac-sha1 (trunc)"
+@@ -141,12 +151,17 @@ fi
+ #	Check for bad truncation.
+ #
+ #
+-echo_i "fetching using hmac-md5-80 (BADTRUNC)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
+-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+-	echo_i "failed"; status=1
++if $FEATURETEST --md5
++then
++	echo_i "fetching using hmac-md5-80 (BADTRUNC)" 
++	ret=0
++	$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
++	grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
++	if [ $ret -eq 1 ] ; then
++		echo_i "failed"; status=1
++	fi
++else
++	echo_i "skipping using hmac-md5-80 (BADTRUNC)" 
+ fi
+ 
+ echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
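Review bot: Two of the new lines carry trailing whitespace: `echo_i "fetching using hmac-md5-80 (BADTRUNC)" ` and `echo_i "skipping using hmac-md5-80 (BADTRUNC)" `; the equivalent lines in the two earlier hunks of this file do not, so this is an inconsistency introduced here rather than inherited. Stripping the trailing space keeps the three skip blocks identical in shape and avoids spurious diffs later.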
+diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
+index 5da33cfde0..fb108b02bd 100644
+--- a/bin/tests/system/tsiggss/setup.sh
++++ b/bin/tests/system/tsiggss/setup.sh
+@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+ 
+ copy_setports ns1/named.conf.in ns1/named.conf
+ 
+-key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.`
++key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.`
+ cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
+diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
+index e0a30cda15..6a77b1ce52 100644
+--- a/bin/tests/system/upforwd/ns1/named.conf.in
++++ b/bin/tests/system/upforwd/ns1/named.conf.in
+@@ -10,7 +10,7 @@
+  */
+ 
+ key "update.example." {
+-	algorithm "hmac-md5";
++	algorithm "hmac-sha256";
+ 	secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+ };
+ 
+diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
+index b0694bbd5c..9adae8228e 100644
+--- a/bin/tests/system/upforwd/tests.sh
++++ b/bin/tests/system/upforwd/tests.sh
+@@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+ 
+ echo_i "updating zone (signed) ($n)"
+ ret=0
+-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
++$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
+ server 10.53.0.3 ${PORT}
+ update add updated.example. 600 A 10.10.10.1
+ update add updated.example. 600 TXT Foo
+-- 
+2.14.4
+
diff --git a/bind.spec b/bind.spec
index 511ec18..a017964 100644
--- a/bind.spec
+++ b/bind.spec
@@ -52,7 +52,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.11.4
-Release:  3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release:  4%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 #
@@ -112,6 +112,8 @@ Patch149:bind-9.11-kyua-pkcs11.patch
 Patch153:bind-9.11-export-suffix.patch
 Patch154:bind-9.11-oot-manual.patch
 Patch155:bind-9.11-pk11.patch
+Patch156:bind-9.11-fips-code.patch
+Patch157:bind-9.11-fips-tests.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
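Review bot: The spec now declares `Patch157: bind-9.11-fips-tests.patch`, but this diff only adds bind-9.11-fips-code.patch; a `bind-9.11-fips-tests.patch` would sort between it and bind.spec in the diff and does not appear, so unless it is added in a separate commit the `%patch157` line in the `%prep` hunk will fail the build. If the test changes were meant to be split out, note that the fips-code patch as committed already contains the bin/tests/system changes, so the split between the two files should be checked for overlap.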
@@ -447,6 +449,8 @@ are used for building ISC DHCP.
 %patch153 -p1 -b .export_suffix
 %patch154 -p1 -b .oot-man
 %patch155 -p1 -b .pk11-internal
+%patch156 -p1 -b .fips-code
+%patch157 -p1 -b .fips-tests
 
 %if %{with PKCS11}
 cp -r bin/named{,-pkcs11}
@@ -1405,6 +1409,9 @@ rm -rf ${RPM_BUILD_ROOT}
 
 
 %changelog
+* Thu Aug 02 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-4
+- Support unavailable MD5 in FIPS mode
+
 * Thu Aug 02 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-3
 - Use OpenSSL for digest operations (#1611537)