[master] remove default algorithm in dnssec-keygen

4594. [func] dnssec-keygen no longer uses RSASHA1 by default; the signing algorithm must be specified on the command line with the "-a" option. Signing scripts that rely on the existing default behavior will break; use "dnssec-keygen -a RSASHA1" to repair them. (The goal of this change is to make it easier to find scripts using RSASHA1 so they can be changed in the event of that algorithm being deprecated in the future.) [RT #44755]
2025-09-02 07:35:26 +00:00 · 2017-08-30 18:51:11 -07:00
parent 2bfc294f0a
commit 45afdb2672
33 changed files with 468 additions and 431 deletions
--- a/10
+++ b/10
@@ -1,3 +1,13 @@
 4594.	[func]		dnssec-keygen no longer uses RSASHA1 by default;
 			the signing algorithm must be specified on
 			the command line with the "-a" option.  Signing
 			scripts that rely on the existing default behavior
 			will break; use "dnssec-keygen -a RSASHA1" to
 			repair them. (The goal of this change is to make
 			it easier to find scripts using RSASHA1 so they
 			can be changed in the event of that algorithm
 			being deprecated in the future.) [RT #44755]
 4693.	[func]		Synthesis of responses from DNSSEC-verified records.
 			Stage 1 covers NXDOMAIN synthesis from NSEC records.
 			This is controlled by synth-from-dnssec and is enabled
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -46,15 +46,6 @@
 const char *program = "dnssec-keyfromlabel";
 int verbose;
 #define DEFAULT_ALGORITHM "RSASHA1"
 #define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
 static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
 			  " NSEC3DSA | NSEC3RSASHA1 |"
 			  " RSASHA256 | RSASHA512 | ECCGOST |"
 			  " ECDSAP256SHA256 | ECDSAP384SHA384 |"
 			  " ED25519 | ED448";
 ISC_PLATFORM_NORETURN_PRE static void
 usage(void) ISC_PLATFORM_NORETURN_POST;
@@ -68,9 +59,11 @@ usage(void) {
 	fprintf(stderr, "    -l label: label of the key pair\n");
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
-	fprintf(stderr, "    -a algorithm: %s\n", algs);
+	fprintf(stderr, "    -a algorithm: \n"
-	fprintf(stderr, "       (default: RSASHA1, or "
+			"        RSA | RSAMD5 | DH | DSA | RSASHA1 |\n"
-			       "NSEC3RSASHA1 if using -3)\n");
+			"        NSEC3DSA | NSEC3RSASHA1 |\n"
 			"        RSASHA256 | RSASHA512 | ECCGOST |\n"
 			"        ECDSAP256SHA256 | ECDSAP384SHA384\n");
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
 	fprintf(stderr, "    -c class (default: IN)\n");
 	fprintf(stderr, "    -E <engine>:\n");
@@ -394,16 +387,7 @@ main(int argc, char **argv) {
 		}
 		if (algname == NULL) {
-			if (use_nsec3)
+			fatal("no algorithm specified");
 				algname = strdup(DEFAULT_NSEC3_ALGORITHM);
 			else
 				algname = strdup(DEFAULT_ALGORITHM);
 			if (algname == NULL)
 				fatal("strdup failed");
 			freeit = algname;
 			if (verbose > 0)
 				fprintf(stderr, "no algorithm specified; "
 					"defaulting to %s\n", algname);
 		}
 		if (strcasecmp(algname, "RSA") == 0) {
@@ -434,14 +418,28 @@ main(int argc, char **argv) {
 				options |= DST_TYPE_KEY;
 		}
-		if (use_nsec3 &&
+		if (use_nsec3) {
-		    alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
+			switch (alg) {
-		    alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
+			case DST_ALG_DSA:
-		    alg != DST_ALG_ECCGOST &&
+				alg = DST_ALG_NSEC3DSA;
-		    alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
+				break;
-		    alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
+			case DST_ALG_RSASHA1:
-			fatal("%s is incompatible with NSEC3; "
+				alg = DST_ALG_NSEC3RSASHA1;
-			      "do not use the -3 option", algname);
+				break;
 			case DST_ALG_NSEC3DSA:
 			case DST_ALG_NSEC3RSASHA1:
 			case DST_ALG_RSASHA256:
 			case DST_ALG_RSASHA512:
 			case DST_ALG_ECCGOST:
 			case DST_ALG_ECDSA256:
 			case DST_ALG_ECDSA384:
 			case DST_ALG_ED25519:
 			case DST_ALG_ED448:
 				break;
 			default:
 				fatal("%s is incompatible with NSEC3; "
 				      "do not use the -3 option", algname);
 			}
 		}
 		if (type != NULL && (options & DST_TYPE_KEY) != 0) {
--- a/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -104,7 +104,6 @@
 	    <option>algorithm</option> must be one of RSAMD5, RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
 	    These values are case insensitive.
 	  </para>
 	  <para>
 	    If no algorithm is specified, then RSASHA1 will be used by
@@ -114,11 +113,17 @@
 	    that algorithm will be checked for compatibility with NSEC3.)
 	  </para>
 	  <para>
-	    Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
+	    These values are case insensitive. In some cases, abbreviations
-	    algorithm, and DSA is recommended.
+	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
 	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
 	    along with the <option>-3</option> option, then NSEC3RSASHA1
 	    or NSEC3DSA will be used instead.
 	  </para>
 	  <para>
-	    Note 2: DH automatically sets the -k flag.
+	    As of BIND 9.12.0, this option is mandatory except when using
 	    the <option>-S</option> option (which copies the algorithm from
 	    the predecessory key). Previously, the default for newly
 	    generated keys was RSASHA1.
 	  </para>
 	</listitem>
      </varlistentry>
@@ -128,9 +133,10 @@
 	<listitem>
 	  <para>
 	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
-	    If this option is used and no algorithm is explicitly
+	    If this option is used with an algorithm that has both
-	    set on the command line, NSEC3RSASHA1 will be used by
+	    NSEC and NSEC3 versions, then the NSEC3 version will be
-	    default.
+	    used; for example, <command>dnssec-keygen -3a RSASHA1</command>
 	    specifies the NSEC3RSASHA1 algorithm.
 	  </para>
 	</listitem>
      </varlistentry>
@@ -454,30 +460,30 @@
      </varlistentry>
      <varlistentry>
-        <term>-i <replaceable class="parameter">interval</replaceable></term>
+	<term>-i <replaceable class="parameter">interval</replaceable></term>
-        <listitem>
+	<listitem>
-          <para>
+	  <para>
-            Sets the prepublication interval for a key.  If set, then
+	    Sets the prepublication interval for a key.  If set, then
-            the publication and activation dates must be separated by at least
+	    the publication and activation dates must be separated by at least
-            this much time.  If the activation date is specified but the
+	    this much time.  If the activation date is specified but the
-            publication date isn't, then the publication date will default
+	    publication date isn't, then the publication date will default
-            to this much time before the activation date; conversely, if
+	    to this much time before the activation date; conversely, if
-            the publication date is specified but activation date isn't,
+	    the publication date is specified but activation date isn't,
-            then activation will be set to this much time after publication.
+	    then activation will be set to this much time after publication.
-          </para>
+	  </para>
-          <para>
+	  <para>
-            If the key is being created as an explicit successor to another
+	    If the key is being created as an explicit successor to another
-            key, then the default prepublication interval is 30 days;
+	    key, then the default prepublication interval is 30 days;
-            otherwise it is zero.
+	    otherwise it is zero.
-          </para>
+	  </para>
-          <para>
+	  <para>
-            As with date offsets, if the argument is followed by one of
+	    As with date offsets, if the argument is followed by one of
-            the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+	    the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
-            interval is measured in years, months, weeks, days, hours,
+	    interval is measured in years, months, weeks, days, hours,
-            or minutes, respectively.  Without a suffix, the interval is
+	    or minutes, respectively.  Without a suffix, the interval is
-            measured in seconds.
+	    measured in seconds.
-          </para>
+	  </para>
-        </listitem>
+	</listitem>
      </varlistentry>
    </variablelist>
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -61,9 +61,6 @@
 const char *program = "dnssec-keygen";
 int verbose;
 #define DEFAULT_ALGORITHM "RSASHA1"
 #define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
 ISC_PLATFORM_NORETURN_PRE static void
 usage(void) ISC_PLATFORM_NORETURN_POST;
@@ -86,8 +83,6 @@ usage(void) {
 	fprintf(stderr, "        HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
 				"HMAC-SHA256 | \n");
 	fprintf(stderr, "        HMAC-SHA384 | HMAC-SHA512\n");
 	fprintf(stderr, "       (default: RSASHA1, or "
 			       "NSEC3RSASHA1 if using -3)\n");
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
 	fprintf(stderr, "    -b <key size in bits>:\n");
 	fprintf(stderr, "        RSAMD5:\t[1024..%d]\n", MAX_RSA);
@@ -110,9 +105,8 @@ usage(void) {
 	fprintf(stderr, "        HMAC-SHA256:\t[1..256]\n");
 	fprintf(stderr, "        HMAC-SHA384:\t[1..384]\n");
 	fprintf(stderr, "        HMAC-SHA512:\t[1..512]\n");
-	fprintf(stderr, "        (if using the default algorithm, key size\n"
+	fprintf(stderr, "        (key size defaults are set according to\n"
-			"        defaults to 2048 for KSK, or 1024 for all "
+			"        algorithm and usage (ZSK or KSK)\n");
 			"others)\n");
 	fprintf(stderr, "    -n <nametype>: ZONE | HOST | ENTITY | "
 					    "USER | OTHER\n");
 	fprintf(stderr, "        (DNSKEY generation defaults to ZONE)\n");
@@ -240,7 +234,7 @@ main(int argc, char **argv) {
 	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
 	int		dbits = 0;
 	dns_ttl_t	ttl = 0;
-	isc_boolean_t	use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
+	isc_boolean_t	use_nsec3 = ISC_FALSE;
 	isc_stdtime_t	publish = 0, activate = 0, revokekey = 0;
 	isc_stdtime_t	inactive = 0, deltime = 0;
 	isc_stdtime_t	now;
@@ -537,17 +531,7 @@ main(int argc, char **argv) {
 			      isc_result_totext(ret));
 		if (algname == NULL) {
-			use_default = ISC_TRUE;
+			fatal("no algorithm specified");
 			if (use_nsec3)
 				algname = strdup(DEFAULT_NSEC3_ALGORITHM);
 			else
 				algname = strdup(DEFAULT_ALGORITHM);
 			if (algname == NULL)
 				fatal("strdup failed");
 			freeit = algname;
 			if (verbose > 0)
 				fprintf(stderr, "no algorithm specified; "
 						"defaulting to %s\n", algname);
 		}
 		if (strcasecmp(algname, "RSA") == 0) {
@@ -601,14 +585,28 @@ main(int argc, char **argv) {
 		if (!dst_algorithm_supported(alg))
 			fatal("unsupported algorithm: %d", alg);
-		if (use_nsec3 &&
+		if (use_nsec3) {
-		    alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
+			switch (alg) {
-		    alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
+			case DST_ALG_DSA:
-		    alg != DST_ALG_ECCGOST &&
+				alg = DST_ALG_NSEC3DSA;
-		    alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
+				break;
-		    alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
+			case DST_ALG_RSASHA1:
-			fatal("%s is incompatible with NSEC3; "
+				alg = DST_ALG_NSEC3RSASHA1;
-			      "do not use the -3 option", algname);
+				break;
 			case DST_ALG_NSEC3DSA:
 			case DST_ALG_NSEC3RSASHA1:
 			case DST_ALG_RSASHA256:
 			case DST_ALG_RSASHA512:
 			case DST_ALG_ECCGOST:
 			case DST_ALG_ECDSA256:
 			case DST_ALG_ECDSA384:
 			case DST_ALG_ED25519:
 			case DST_ALG_ED448:
 				break;
 			default:
 				fatal("%s is incompatible with NSEC3; "
 				      "do not use the -3 option", algname);
 			}
 		}
 		if (type != NULL && (options & DST_TYPE_KEY) != 0) {
@@ -629,21 +627,31 @@ main(int argc, char **argv) {
 		}
 		if (size < 0) {
-			if (use_default) {
+			switch (alg) {
-				if ((kskflag & DNS_KEYFLAG_KSK) != 0)
+			case DST_ALG_RSASHA1:
 			case DST_ALG_NSEC3RSASHA1:
 			case DST_ALG_RSASHA256:
 			case DST_ALG_RSASHA512:
 				if ((kskflag & DNS_KEYFLAG_KSK) != 0) {
 					size = 2048;
-				else
+				} else {
 					size = 1024;
-				if (verbose > 0)
+				}
 				if (verbose > 0) {
 					fprintf(stderr, "key size not "
 							"specified; defaulting"
 							" to %d\n", size);
-			} else if (alg != DST_ALG_ECCGOST &&
+				}
-				   alg != DST_ALG_ECDSA256 &&
+				break;
-				   alg != DST_ALG_ECDSA384 &&
+			case DST_ALG_ECCGOST:
-				   alg != DST_ALG_ED25519 &&
+			case DST_ALG_ECDSA256:
-				   alg != DST_ALG_ED448)
+			case DST_ALG_ECDSA384:
 			case DST_ALG_ED25519:
 			case DST_ALG_ED448:
 				break;
 			default:
 				fatal("key size not specified (-b option)");
 			}
 		}
 		if (!oldstyle && prepub > 0) {
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -53,7 +53,7 @@
  <refsynopsisdiv>
    <cmdsynopsis sepchar=" ">
      <command>dnssec-keygen</command>
-      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
+      <arg rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-3</option></arg>
@@ -101,6 +101,13 @@
      line.  For DNSSEC keys, this must match the name of the zone for
      which the key is being generated.
    </para>
    <para>
      The <command>dnssec-keymgr</command> command acts as a wrapper
      around <command>dnssec-keygen</command>, generating and updating keys
      as needed to enforce defined security policies such as key rollover
      scheduling. Using <command>dnssec-keymgr</command> may be preferable
      to direct use of <command>dnssec-keygen</command>.
    </para>
  </refsection>
  <refsection><info><title>OPTIONS</title></info>
@@ -114,27 +121,26 @@
 	    Selects the cryptographic algorithm.  For DNSSEC keys, the value
 	    of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
-	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
+	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.  For
-	    For TSIG/TKEY, the value must
+            TSIG/TKEY keys, the value must be one of DH (Diffie Hellman),
-	    be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
+            HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
-	    HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.  These values are
+            or HMAC-SHA512; specifying any of these algorithms will
-	    case insensitive.
+            automatically set the <option>-T KEY</option> option as well.
            (Note: <command>tsig-keygen</command> produces TSIG keys in a
            more useful format than <command>dnssec-keygen</command>.)
 	  </para>
 	  <para>
-	    If no algorithm is specified, then RSASHA1 will be used by
+	    These values are case insensitive. In some cases, abbreviations
-	    default, unless the <option>-3</option> option is specified,
+	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
-	    in which case NSEC3RSASHA1 will be used instead.  (If
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
-	    <option>-3</option> is used and an algorithm is specified,
+	    along with the <option>-3</option> option, then NSEC3RSASHA1
-	    that algorithm will be checked for compatibility with NSEC3.)
+	    or NSEC3DSA will be used instead.
 	  </para>
 	  <para>
-	    Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
+	    As of BIND 9.12.0, this option is mandatory except when using
-	    algorithm, and DSA is recommended.  For TSIG, HMAC-MD5 is
+	    the <option>-S</option> option (which copies the algorithm from
-	    mandatory.
+	    the predecessor key).  Previously, the default for newly
-	  </para>
+	    generated keys was RSASHA1.
 	  <para>
 	    Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
 	    automatically set the -T KEY option.
 	  </para>
 	</listitem>
      </varlistentry>
@@ -152,13 +158,11 @@
 	    this parameter.
 	  </para>
 	  <para>
-	    The key size does not need to be specified if using a default
+	    If the key size is not specified, some algorithms have
-	    algorithm.  The default key size is 1024 bits for zone signing
+	    pre-defined defaults.  For example, RSA keys for use as
-	    keys (ZSKs) and 2048 bits for key signing keys (KSKs,
+	    DNSSEC zone signing keys have a default size of 1024 bits;
-	    generated with <option>-f KSK</option>).  However, if an
+	    RSA keys for use as key signing keys (KSKs, generated with
-	    algorithm is explicitly specified with the <option>-a</option>,
+	    <option>-f KSK</option>) default to 2048 bits.
 	    then there is no default key size, and the <option>-b</option>
 	    must be used.
 	  </para>
 	</listitem>
      </varlistentry>
@@ -169,11 +173,10 @@
 	  <para>
 	    Specifies the owner type of the key.  The value of
 	    <option>nametype</option> must either be ZONE (for a DNSSEC
-	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
+	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
-	    a host (KEY)),
+	    with a host (KEY)), USER (for a key associated with a
-	    USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
+	    user(KEY)) or OTHER (DNSKEY).  These values are case
-	    These values are case insensitive.  Defaults to ZONE for DNSKEY
+	    insensitive.  Defaults to ZONE for DNSKEY generation.
 	    generation.
 	  </para>
 	</listitem>
      </varlistentry>
@@ -183,11 +186,10 @@
 	<listitem>
 	  <para>
 	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
-	    If this option is used and no algorithm is explicitly
+	    If this option is used with an algorithm that has both
-	    set on the command line, NSEC3RSASHA1 will be used by
+	    NSEC and NSEC3 versions, then the NSEC3 version will be
-	    default. Note that RSASHA256, RSASHA512, ECCGOST,
+	    used; for example, <command>dnssec-keygen -3a RSASHA1</command>
-	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
+	    specifies the NSEC3RSASHA1 algorithm.
 	    algorithms are NSEC3-capable.
 	  </para>
 	</listitem>
      </varlistentry>
@@ -394,8 +396,8 @@
 	    overridden to KEY for use with SIG(0).
 	  <para>
 	  </para>
-	    Using any TSIG algorithm (HMAC-* or DH) forces this option
+	    Specifying any TSIG algorithm (HMAC-* or DH) with
-	    to KEY.
+	    <option>-a</option> forces this option to KEY.
 	  </para>
 	</listitem>
      </varlistentry>
@@ -529,30 +531,30 @@
      </varlistentry>
      <varlistentry>
-        <term>-i <replaceable class="parameter">interval</replaceable></term>
+	<term>-i <replaceable class="parameter">interval</replaceable></term>
-        <listitem>
+	<listitem>
-          <para>
+	  <para>
-            Sets the prepublication interval for a key.  If set, then
+	    Sets the prepublication interval for a key.  If set, then
-            the publication and activation dates must be separated by at least
+	    the publication and activation dates must be separated by at least
-            this much time.  If the activation date is specified but the
+	    this much time.  If the activation date is specified but the
-            publication date isn't, then the publication date will default
+	    publication date isn't, then the publication date will default
-            to this much time before the activation date; conversely, if
+	    to this much time before the activation date; conversely, if
-            the publication date is specified but activation date isn't,
+	    the publication date is specified but activation date isn't,
-            then activation will be set to this much time after publication.
+	    then activation will be set to this much time after publication.
-          </para>
+	  </para>
-          <para>
+	  <para>
-            If the key is being created as an explicit successor to another
+	    If the key is being created as an explicit successor to another
-            key, then the default prepublication interval is 30 days;
+	    key, then the default prepublication interval is 30 days;
-            otherwise it is zero.
+	    otherwise it is zero.
-          </para>
+	  </para>
-          <para>
+	  <para>
-            As with date offsets, if the argument is followed by one of
+	    As with date offsets, if the argument is followed by one of
-            the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+	    the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
-            interval is measured in years, months, weeks, days, hours,
+	    interval is measured in years, months, weeks, days, hours,
-            or minutes, respectively.  Without a suffix, the interval is
+	    or minutes, respectively.  Without a suffix, the interval is
-            measured in seconds.
+	    measured in seconds.
-          </para>
+	  </para>
-        </listitem>
+	</listitem>
      </varlistentry>
    </variablelist>
--- a/bin/tests/system/autosign/ns1/keygen.sh
+++ b/bin/tests/system/autosign/ns1/keygen.sh
@@ -17,18 +17,18 @@ infile=root.db.in
 cat $infile ../ns2/dsset-example$TP > $zonefile
-zskact=`$KEYGEN -3 -q -r $RANDFILE $zone`
+zskact=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone`
-zskvanish=`$KEYGEN -3 -q -r $RANDFILE $zone`
+zskvanish=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone`
-zskdel=`$KEYGEN -3 -q -r $RANDFILE -D now $zone`
+zskdel=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -D now $zone`
-zskinact=`$KEYGEN -3 -q -r $RANDFILE -I now $zone`
+zskinact=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -I now $zone`
-zskunpub=`$KEYGEN -3 -q -r $RANDFILE -G $zone`
+zskunpub=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -G $zone`
-zsksby=`$KEYGEN -3 -q -r $RANDFILE -A none $zone`
+zsksby=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -A none $zone`
-zskactnowpub1d=`$KEYGEN -3 -q -r $RANDFILE -A now -P +1d $zone`
+zskactnowpub1d=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -A now -P +1d $zone`
-zsknopriv=`$KEYGEN -3 -q -r $RANDFILE $zone`
+zsknopriv=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone`
 rm $zsknopriv.private
-ksksby=`$KEYGEN -3 -q -r $RANDFILE -P now -A now+15s -fk $zone`
+ksksby=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -P now -A now+15s -fk $zone`
-kskrev=`$KEYGEN -3 -q -r $RANDFILE -R now+15s -fk $zone`
+kskrev=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -R now+15s -fk $zone`
 cat $ksksby.key | grep -v '^; ' | $PERL -n -e '
 local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
--- a/bin/tests/system/autosign/ns2/keygen.sh
+++ b/bin/tests/system/autosign/ns2/keygen.sh
@@ -23,16 +23,16 @@ zonefile="${zone}.db"
 infile="${zonefile}.in"
 cat $infile dsset-*.example$TP > $zonefile
-kskname=`$KEYGEN -3 -q -r $RANDFILE -fk $zone`
+kskname=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone`
-$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
+$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > /dev/null
 $DSFROMKEY $kskname.key > dsset-${zone}$TP
 # Create keys for a private secure zone.
 zone=private.secure.example
 zonefile="${zone}.db"
 infile="${zonefile}.in"
-ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone`
+ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone`
-$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
+$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > /dev/null
 cat $ksk.key | grep -v '^; ' | $PERL -n -e '
 local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
 local $key = join("", @rest);
@@ -55,5 +55,5 @@ for i in Xbar.+005+30676.key Xbar.+005+30804.key Xbar.+005+30676.private \
 do
 	cp $i `echo $i | sed s/X/K/`
 done
-$KEYGEN -q -r $RANDFILE $zone > /dev/null
+$KEYGEN -a RSASHA1 -q -r $RANDFILE $zone > /dev/null
 $DSFROMKEY Kbar.+005+30804.key > dsset-bar$TP
--- a/bin/tests/system/autosign/ns3/keygen.sh
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -27,8 +27,8 @@ setup () {
 setup secure.example
 cp $infile $zonefile
-ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -36,8 +36,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup secure.nsec3.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -45,8 +45,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup nsec3.nsec3.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -54,8 +54,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup optout.nsec3.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -63,8 +63,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup nsec3.example
 cat $infile dsset-*.${zone}$TP > $zonefile
-ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -72,9 +72,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup autonsec3.example
 cat $infile > $zonefile
-ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
 echo $ksk > ../autoksk.key
-zsk=`$KEYGEN -G -q -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
 echo $zsk > ../autozsk.key
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
@@ -83,8 +83,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup secure.optout.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -92,8 +92,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup nsec3.optout.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -101,8 +101,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup optout.optout.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -110,8 +110,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup optout.example
 cat $infile dsset-*.${zone}$TP > $zonefile
-ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -137,8 +137,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup nsec.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -147,8 +147,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup oldsigs.example
 cp $infile $zonefile
-$KEYGEN -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
 $SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
 #
@@ -164,8 +164,8 @@ $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
 # keys via nsupdate
 #
 setup secure-to-insecure.example
-$KEYGEN -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
 $SIGNER -S -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
 #
@@ -173,9 +173,9 @@ $SIGNER -S -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
 # removal of keys on schedule.
 #
 setup secure-to-insecure2.example
-ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
 echo $ksk > ../del1.key
-zsk=`$KEYGEN -q -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
 echo $zsk > ../del2.key
 $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
@@ -184,8 +184,8 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
 #
 setup prepub.example
 infile="secure-to-insecure2.example.db.in"
-$KEYGEN -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
 $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
 #
@@ -194,35 +194,35 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
 # no default key TTL; DNSKEY should get SOA TTL
 setup ttl1.example
-$KEYGEN -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
 cp $infile $zonefile
 # default key TTL should be used
 setup ttl2.example 
-$KEYGEN -3 -q -r $RANDFILE -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out
 cp $infile $zonefile
 # mismatched key TTLs, should use shortest
 setup ttl3.example
-$KEYGEN -3 -q -r $RANDFILE -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out
 cp $infile $zonefile
 # existing DNSKEY RRset, should retain TTL
 setup ttl4.example
-$KEYGEN -3 -q -r $RANDFILE -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
 cat ${infile} K${zone}.+*.key > $zonefile
-$KEYGEN -3 -q -r $RANDFILE -L 180 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 180 $zone > kg.out 2>&1 || dumpit kg.out
 #
 # A zone with a DNSKEY RRset that is published before it's activated
 #
 setup delay.example
-ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
 echo $ksk > ../delayksk.key
-zsk=`$KEYGEN -G -q -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
 echo $zsk > ../delayzsk.key
 #
@@ -230,8 +230,8 @@ echo $zsk > ../delayzsk.key
 # is missing.
 #
 setup nozsk.example
-$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
-zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
+zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone`
 $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out
 echo $zsk > ../missingzsk.key
 rm -f ${zsk}.private
@@ -241,8 +241,8 @@ rm -f ${zsk}.private
 # is inactive.
 #
 setup inaczsk.example
-$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
-zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
+zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone`
 $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out
 echo $zsk > ../inactivezsk.key
 $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
@@ -252,15 +252,15 @@ $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
 #
 setup reconf.example
 cp secure.example.db.in $zonefile
-$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
 #
 # A zone which generates a CDS and CDNSEY RRsets automatically
 #
 setup sync.example
 cp $infile $zonefile
-ksk=`$KEYGEN -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 echo ns3/$ksk > ../sync.key
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -858,7 +858,7 @@ ret=0
 oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
 oldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
-$KEYGEN -3 -q -r $RANDFILE -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
+$KEYGEN -a rsasha1 -3 -q -r $RANDFILE -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sign prepub.example 2>&1 | sed 's/^/I:ns1 /'
 newserial=$oldserial
--- a/bin/tests/system/coverage/setup.sh
+++ b/bin/tests/system/coverage/setup.sh
@@ -19,110 +19,110 @@ ln -s $CHECKZONE named-compilezone
 dir=01-ksk-inactive
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
 ksk2=`$KEYGEN -K $dir -S $ksk1`
 $SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 # Test 2: ZSK goes inactive before successor is active
 dir=02-zsk-inactive
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
 zsk2=`$KEYGEN -K $dir -S $zsk1`
 $SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 # Test 3: KSK is unpublished before its successor is published
 dir=03-ksk-unpublished
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
 ksk2=`$KEYGEN -K $dir -S $ksk1`
 $SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 # Test 4: ZSK is unpublished before its successor is published
 dir=04-zsk-unpublished
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
 zsk2=`$KEYGEN -K $dir -S $zsk1`
 $SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 # Test 5: KSK deleted and successor published before KSK is deactivated
 # and successor activated.
 dir=05-ksk-unpub-active
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
 ksk2=`$KEYGEN -K $dir -S $ksk1`
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 # Test 6: ZSK deleted and successor published before ZSK is deactivated
 # and successor activated.
 dir=06-zsk-unpub-active
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
 zsk2=`$KEYGEN -K $dir -S $zsk1`
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 # Test 7: KSK rolled with insufficient delay after prepublication.
 dir=07-ksk-ttl
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
 ksk2=`$KEYGEN -K $dir -S $ksk1`
 # allow only 1 day between publication and activation
 $SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 # Test 8: ZSK rolled with insufficient delay after prepublication.
 dir=08-zsk-ttl
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
 zsk2=`$KEYGEN -K $dir -S $zsk1`
 # allow only 1 day between publication and activation
 $SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 # Test 9: KSK goes inactive before successor is active, but checking ZSKs
 dir=09-check-zsk
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
 ksk2=`$KEYGEN -K $dir -S $ksk1`
 $SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 # Test 10: ZSK goes inactive before successor is active, but checking KSKs
 dir=10-check-ksk
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
 zsk2=`$KEYGEN -K $dir -S $zsk1`
 $SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 # Test 11: ZSK goes inactive before successor is active, but after cutoff
 dir=11-cutoff
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +18mo -D +2y $zsk1 > /dev/null 2>&1
 zsk2=`$KEYGEN -K $dir -S $zsk1`
 $SETTIME -K $dir -I +16mo $zsk1 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
--- a/bin/tests/system/dns64/ns1/sign.sh
+++ b/bin/tests/system/dns64/ns1/sign.sh
@@ -15,8 +15,8 @@ zone=signed
 infile=example.db
 zonefile=signed.db
-key1=`$KEYGEN -q -r $RANDFILE $zone`
+key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
-key2=`$KEYGEN -q -r $RANDFILE -fk $zone`
+key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
 cat $infile $key1.key $key2.key > $zonefile
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -283,8 +283,8 @@ zone=kskonly.example.
 infile=kskonly.example.db.in
 zonefile=kskonly.example.db
-kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -r $RANDFILE $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
 $SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
@@ -295,8 +295,8 @@ zone=expired.example.
 infile=expired.example.db.in
 zonefile=expired.example.db
-kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -r $RANDFILE $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
 $SIGNER -P -r $RANDFILE -o $zone -s -1d -e +1h $zonefile > /dev/null 2>&1
 rm -f $kskname.* $zskname.*
@@ -308,8 +308,8 @@ zone=update-nsec3.example.
 infile=update-nsec3.example.db.in
 zonefile=update-nsec3.example.db
-kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
+zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
 $SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
@@ -321,10 +321,10 @@ zone=auto-nsec.example.
 infile=auto-nsec.example.db.in
 zonefile=auto-nsec.example.db
-kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -r $RANDFILE $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
-kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -r $RANDFILE $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
@@ -336,10 +336,10 @@ zone=auto-nsec3.example.
 infile=auto-nsec3.example.db.in
 zonefile=auto-nsec3.example.db
-kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
+zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
-kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
+zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
 $SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
@@ -404,8 +404,8 @@ zone="expiring.example."
 infile="expiring.example.db.in"
 zonefile="expiring.example.db"
 signedfile="expiring.example.db.signed"
-kskname=`$KEYGEN -q -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
 cp $infile $zonefile
 $SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
 mv -f ${zskname}.private ${zskname}.private.moved
@@ -419,8 +419,8 @@ infile="upper.example.db.in"
 zonefile="upper.example.db"
 lower="upper.example.db.lower"
 signedfile="upper.example.db.signed"
-kskname=`$KEYGEN -q -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
 cp $infile $zonefile
 $SIGNER -P -S -r $RANDFILE -o $zone -f $lower $zonefile > /dev/null 2>&1
 $CHECKZONE -D upper.example $lower 2>&- | \
@@ -434,8 +434,8 @@ zone="LOWER.EXAMPLE."
 infile="lower.example.db.in"
 zonefile="lower.example.db"
 signedfile="lower.example.db.signed"
-kskname=`$KEYGEN -q -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
 cp $infile $zonefile
 $SIGNER -P -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
@@ -447,8 +447,8 @@ zone="nosign.example."
 infile="nosign.example.db.in"
 zonefile="nosign.example.db"
 signedfile="nosign.example.db.signed"
-kskname=`$KEYGEN -q -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
 cp $infile $zonefile
 $SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
 # preserve a normalized copy of the NS RRSIG for comparison later
@@ -460,8 +460,8 @@ $CHECKZONE -D nosign.example nosign.example.db.signed 2>&- | \
 # An inline signing zone
 #
 zone=inline.example.
-kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
+zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
 #
 # publish a new key while deactivating another key at the same time.
@@ -470,10 +470,10 @@ zone=publish-inactive.example
 infile=publish-inactive.example.db.in
 zonefile=publish-inactive.example.db
 now=`date -u +%Y%m%d%H%M%S`
-kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
-kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -f KSK $zone`
+kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
-kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone`
+kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
-zskname=`$KEYGEN -q -r $RANDFILE $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
 cp $infile $zonefile
 $SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
@@ -483,8 +483,8 @@ $SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 zone=siginterval.example
 infile=siginterval.example.db.in
 zonefile=siginterval.example.db
-kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
+zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
 cp $infile $zonefile
 #
@@ -508,8 +508,8 @@ sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP
 zone=future.example
 infile=future.example.db.in
 zonefile=future.example.db
-kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
-zskname=`$KEYGEN -q -r $RANDFILE $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
 $SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 cp -f $kskname.key trusted-future.key
@@ -520,8 +520,8 @@ cp -f $kskname.key trusted-future.key
 zone=managed-future.example
 infile=managed-future.example.db.in
 zonefile=managed-future.example.db
-kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
-zskname=`$KEYGEN -q -r $RANDFILE $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
 $SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
@@ -532,10 +532,10 @@ zone=revkey.example.
 infile=generic.example.db.in
 zonefile=revkey.example.db
-ksk1=`$KEYGEN -q -r $RANDFILE -3fk $zone`
+ksk1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3fk $zone`
 ksk1=`$REVOKE $ksk1`
-ksk2=`$KEYGEN -q -r $RANDFILE -3fk $zone`
+ksk2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3fk $zone`
-zsk1=`$KEYGEN -q -r $RANDFILE -3 $zone`
+zsk1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 $zone`
 cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile
--- a/bin/tests/system/dnssec/ns5/sign.sh
+++ b/bin/tests/system/dnssec/ns5/sign.sh
@@ -13,7 +13,7 @@ zone=.
 infile=../ns1/root.db.in
 zonefile=root.db.signed
-keyname=`$KEYGEN -r $RANDFILE -qfk $zone`
+keyname=`$KEYGEN -r $RANDFILE -a RSASHA1 -qfk $zone`
 # copy the KSK out first, then revoke it
 cat $keyname.key | grep -v '^; ' | $PERL -n -e '
@@ -29,6 +29,6 @@ EOF
 $SETTIME -R now ${keyname}.key > /dev/null
 # create a current set of keys, and sign the root zone
-$KEYGEN -r $RANDFILE -q $zone > /dev/null
+$KEYGEN -r $RANDFILE -a RSASHA1 -q $zone > /dev/null
-$KEYGEN -r $RANDFILE -qfk $zone > /dev/null
+$KEYGEN -r $RANDFILE -a RSASHA1 -qfk $zone > /dev/null
 $SIGNER -S -r $RANDFILE -o $zone -f $zonefile $infile > /dev/null 2>&1
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -2209,7 +2209,7 @@ echo "I:checking that the NSEC3 record for the apex is properly signed when a DN
 ret=0
 (
 cd ns3
-kskname=`$KEYGEN -q -3 -r $RANDFILE -fk update-nsec3.example`
+kskname=`$KEYGEN -q -3 -a RSASHA1 -r $RANDFILE -fk update-nsec3.example`
 (
 echo zone update-nsec3.example
 echo server 10.53.0.3 5300
@@ -3247,8 +3247,8 @@ ret=0
 # generate signed zone with MX and AAAA records at apex.
 (
 cd signer
-$KEYGEN -q -r $RANDFILE -3 -fK remove > /dev/null
+$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 -fK remove > /dev/null
-$KEYGEN -q -r $RANDFILE -3 remove > /dev/null
+$KEYGEN -q -r $RANDFILE -a RSASHA1 -33 remove > /dev/null
 echo > remove.db.signed
 $SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1
 )
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@@ -615,8 +615,8 @@ grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:setup broken"; fi
 status=`expr $status + $ret`
 cp ns5/named.conf.post ns5/named.conf
-(cd ns5; $KEYGEN -q -r $RANDFILE bits) > /dev/null 2>&1
+(cd ns5; $KEYGEN -q -a rsasha256 -r $RANDFILE bits) > /dev/null 2>&1
-(cd ns5; $KEYGEN -q -r $RANDFILE -f KSK bits) > /dev/null 2>&1
+(cd ns5; $KEYGEN -q -a rsasha256 -r $RANDFILE -f KSK bits) > /dev/null 2>&1
 $RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 reload 2>&1 | sed 's/^/I:ns5 /'
 for i in 1 2 3 4 5 6 7 8 9 10
 do
@@ -870,7 +870,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:testing imported key won't overwrite a private key ($n)"
 ret=0
-key=`$KEYGEN -r $RANDFILE -q import.example`
+key=`$KEYGEN -r $RANDFILE -q -a rsasha256 import.example`
 cp ${key}.key import.key
 # import should fail
 $IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1
--- a/bin/tests/system/keymgr/setup.sh
+++ b/bin/tests/system/keymgr/setup.sh
@@ -18,44 +18,44 @@ dir=01-ksk-inactive
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
 ksk2=`$KEYGEN -K $dir -S $ksk1`
 $SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 # Test 2: ZSK goes inactive before successor is active
 dir=02-zsk-inactive
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
 zsk2=`$KEYGEN -K $dir -S $zsk1`
 $SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 # Test 3: KSK is unpublished before its successor is published
 dir=03-ksk-unpublished
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
 ksk2=`$KEYGEN -K $dir -S $ksk1`
 $SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 # Test 4: ZSK is unpublished before its successor is published
 dir=04-zsk-unpublished
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
 zsk2=`$KEYGEN -K $dir -S $zsk1`
 $SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 # Test 5: KSK deleted and successor published before KSK is deactivated
 # and successor activated.
@@ -63,10 +63,10 @@ dir=05-ksk-unpub-active
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
 ksk2=`$KEYGEN -K $dir -S $ksk1`
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 # Test 6: ZSK deleted and successor published before ZSK is deactivated
 # and successor activated.
@@ -74,33 +74,33 @@ dir=06-zsk-unpub-active
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
 zsk2=`$KEYGEN -K $dir -S $zsk1`
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 # Test 7: KSK rolled with insufficient delay after prepublication.
 dir=07-ksk-ttl
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
 ksk2=`$KEYGEN -K $dir -S $ksk1`
 $SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 # Test 8: ZSK rolled with insufficient delay after prepublication.
 dir=08-zsk-ttl
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
 zsk2=`$KEYGEN -K $dir -S $zsk1`
 # allow only 1 day between publication and activation
 $SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
 # Test 9: No special preparation needed
 rm -f $dir/K*.key
@@ -111,8 +111,8 @@ dir=10-change-roll
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +3mo -D +4mo $zsk1 > /dev/null 2>&1
 zsk2=`$KEYGEN -K $dir -S $zsk1`
@@ -121,40 +121,40 @@ dir=11-many-simul
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-k1=`$KEYGEN -K $dir -q3fk -P now+1mo -A now+1mo example.com`
+k1=`$KEYGEN -K $dir -a rsasha1 -q3fk -P now+1mo -A now+1mo example.com`
-z1=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com`
+z1=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com`
-z2=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com`
+z2=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com`
-z3=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com`
+z3=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com`
-z4=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com`
+z4=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com`
 # Test 12: Many keys all simultaneously scheduled to be active in the past
 dir=12-many-active
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-k1=`$KEYGEN -K $dir -q3fk example.com`
+k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
-z1=`$KEYGEN -K $dir -q3 example.com`
+z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
-z2=`$KEYGEN -K $dir -q3 example.com`
+z2=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
-z3=`$KEYGEN -K $dir -q3 example.com`
+z3=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
-z4=`$KEYGEN -K $dir -q3 example.com`
+z4=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
 # Test 13: Multiple simultaneous keys with no configured roll period
 dir=13-noroll
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-k1=`$KEYGEN -K $dir -q3fk example.com`
+k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
-k2=`$KEYGEN -K $dir -q3fk example.com`
+k2=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
-k3=`$KEYGEN -K $dir -q3fk example.com`
+k3=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
-z1=`$KEYGEN -K $dir -q3 example.com`
+z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
 # Test 14: Keys exist but have the wrong algorithm
 dir=14-wrongalg
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-k1=`$KEYGEN -K $dir -qfk example.com`
+k1=`$KEYGEN -K $dir -a rsasha1 -qfk example.com`
-z1=`$KEYGEN -K $dir -q example.com`
+z1=`$KEYGEN -K $dir -a rsasha1 -q example.com`
 $SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
 z2=`$KEYGEN -K $dir -q -S ${z1}.key`
 $SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
@@ -167,8 +167,8 @@ dir=15-unspec
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-k1=`$KEYGEN -K $dir -q3fk example.com`
+k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
-z1=`$KEYGEN -K $dir -q3 example.com`
+z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
 $SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
 z2=`$KEYGEN -K $dir -q -S ${z1}.key`
 $SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
@@ -182,8 +182,8 @@ dir=16-wrongalg-unspec
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-k1=`$KEYGEN -K $dir -qfk example.com`
+k1=`$KEYGEN -K $dir -a rsasha1 -qfk example.com`
-z1=`$KEYGEN -K $dir -q example.com`
+z1=`$KEYGEN -K $dir -a rsasha1 -q example.com`
 $SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
 z2=`$KEYGEN -K $dir -q -S ${z1}.key`
 $SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
@@ -197,17 +197,17 @@ dir=17-noforce
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-k1=`$KEYGEN -K $dir -q3fk example.com`
+k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
-z1=`$KEYGEN -K $dir -q3 example.com`
+z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
-z2=`$KEYGEN -K $dir -q3 example.com`
+z2=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
-z3=`$KEYGEN -K $dir -q3 example.com`
+z3=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
-z4=`$KEYGEN -K $dir -q3 example.com`
+z4=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
 # Test 18: Prepublication interval is set to a nonstandard value
 dir=18-nonstd-prepub
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -3fk example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
-zsk1=`$KEYGEN -K $dir -3 example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 > /dev/null
--- a/bin/tests/system/masterformat/ns1/compile.sh
+++ b/bin/tests/system/masterformat/ns1/compile.sh
@@ -25,7 +25,7 @@ SYSTEMTESTTOP=../..
 ../named-compilezone -D -F map -o example.db.map example-map \
        example.db > /dev/null 2>&1
-$KEYGEN -q -r $RANDFILE signed > /dev/null 2>&1
+$KEYGEN -q -a rsasha256 -r $RANDFILE signed > /dev/null 2>&1
-$KEYGEN -q -r $RANDFILE -fk signed > /dev/null 2>&1
+$KEYGEN -q -a rsasha256 -r $RANDFILE -fk signed > /dev/null 2>&1
 $SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null 2>&1
 ../named-compilezone -D -F map -o signed.db.map signed signed.db.signed > /dev/null 2>&1
--- a/bin/tests/system/metadata/setup.sh
+++ b/bin/tests/system/metadata/setup.sh
@@ -19,42 +19,42 @@ czone=child.parent.nil
 echo "I:generating keys"
 # active zsk
-zsk=`$KEYGEN -q -r $RANDFILE $czone`
+zsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $czone`
 echo $zsk > zsk.key
 # not yet published or active
-pending=`$KEYGEN -q -r $RANDFILE -P none -A none $czone`
+pending=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P none -A none $czone`
 echo $pending > pending.key
 # published but not active
-standby=`$KEYGEN -q -r $RANDFILE -A none $czone`
+standby=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A none $czone`
 echo $standby > standby.key
 # inactive
-inact=`$KEYGEN -q -r $RANDFILE -P now-24h -A now-24h -I now $czone`
+inact=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now-24h -A now-24h -I now $czone`
 echo $inact > inact.key
 # active ksk
-ksk=`$KEYGEN -q -r $RANDFILE -fk $czone`
+ksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
 echo $ksk > ksk.key
 # published but not YET active; will be active in 15 seconds
-rolling=`$KEYGEN -q -r $RANDFILE -fk $czone`
+rolling=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
 $SETTIME -A now+15s $rolling > /dev/null
 echo $rolling > rolling.key
 # revoked
-revoke1=`$KEYGEN -q -r $RANDFILE -fk $czone`
+revoke1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
 echo $revoke1 > prerev.key
 revoke2=`$REVOKE $revoke1`
 echo $revoke2 | sed -e 's#\./##' -e "s/\.key.*$//" > postrev.key
-pzsk=`$KEYGEN -q -r $RANDFILE $pzone`
+pzsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $pzone`
 echo $pzsk > parent.zsk.key
-pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone`
+pksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $pzone`
 echo $pksk > parent.ksk.key
-oldstyle=`$KEYGEN -Cq -r $RANDFILE $pzone`
+oldstyle=`$KEYGEN -Cq -a rsasha1 -r $RANDFILE $pzone`
 echo $oldstyle > oldstyle.key
--- a/bin/tests/system/metadata/tests.sh
+++ b/bin/tests/system/metadata/tests.sh
@@ -174,7 +174,7 @@ status=`expr $status + $ret`
 echo "I:checking warning about delete date < inactive date with dnssec-keygen ($n)"
 ret=0
 # keygen should print a warning about delete < inactive
-$KEYGEN -q -r $RANDFILE -I now+15s -D now $czone > tmp.out 2>&1 || ret=1
+$KEYGEN -q -a rsasha1 -r $RANDFILE -I now+15s -D now $czone > tmp.out 2>&1 || ret=1
 grep "warning" tmp.out > /dev/null 2>&1 || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -182,15 +182,15 @@ status=`expr $status + $ret`
 echo "I:checking correct behavior setting activation without publication date ($n)"
 ret=0
-key=`$KEYGEN -q -r $RANDFILE -A +1w $czone`
+key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w $czone`
 pub=`$SETTIME -upP $key | awk '{print $2}'`
 act=`$SETTIME -upA $key | awk '{print $2}'`
 [ $pub -eq $act ] || ret=1
-key=`$KEYGEN -q -r $RANDFILE -A +1w -i 1d $czone`
+key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w -i 1d $czone`
 pub=`$SETTIME -upP $key | awk '{print $2}'`
 act=`$SETTIME -upA $key | awk '{print $2}'`
 [ $pub -lt $act ] || ret=1
-key=`$KEYGEN -q -r $RANDFILE -A +1w -P never $czone`
+key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w -P never $czone`
 pub=`$SETTIME -upP $key | awk '{print $2}'`
 [ $pub = "UNSET" ] || ret=1
 n=`expr $n + 1`
--- a/bin/tests/system/mkeys/ns1/sign.sh
+++ b/bin/tests/system/mkeys/ns1/sign.sh
@@ -12,8 +12,8 @@ SYSTEMTESTTOP=../..
 zone=.
 zonefile=root.db
-keyname=`$KEYGEN -qfk -r $RANDFILE $zone`
+keyname=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE $zone`
-zskkeyname=`$KEYGEN -q -r $RANDFILE $zone`
+zskkeyname=`$KEYGEN -a rsasha256 -q -r $RANDFILE $zone`
 $SIGNER -Sg -r $RANDFILE -o $zone $zonefile > /dev/null 2>&-
--- a/bin/tests/system/mkeys/tests.sh
+++ b/bin/tests/system/mkeys/tests.sh
@@ -57,7 +57,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I: check new trust anchor can be added ($n)"
 ret=0
-standby1=`$KEYGEN -qfk -r $RANDFILE -K ns1 .`
+standby1=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
 sleep 5
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /'
@@ -241,7 +241,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I: revoke original key, add new standby ($n)"
 ret=0
-standby2=`$KEYGEN -qfk -r $RANDFILE -K ns1 .`
+standby2=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
 $SETTIME -R now -K ns1 `cat ns1/managed.key` > /dev/null
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
 sleep 3
@@ -276,7 +276,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I: revoke standby before it is trusted ($n)"
 ret=0
-standby3=`$KEYGEN -qfk -r $RANDFILE -K ns1 .`
+standby3=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
 sleep 3
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /'
--- a/bin/tests/system/nsupdate/ns3/sign.sh
+++ b/bin/tests/system/nsupdate/ns3/sign.sh
@@ -35,8 +35,8 @@ zone=delegation.test.
 infile=delegation.test.db.in
 zonefile=delegation.test.db
-keyname1=`$KEYGEN -q -r $RANDFILE -3 -f KSK $zone`
+keyname1=`$KEYGEN -q -a RSASHA256 -r $RANDFILE -3 -f KSK $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -3 $zone`
+keyname2=`$KEYGEN -q -a RSASHA256 -r $RANDFILE -3 $zone`
 cat $infile $keyname1.key $keyname2.key >$zonefile
--- a/bin/tests/system/redirect/ns1/sign.sh
+++ b/bin/tests/system/redirect/ns1/sign.sh
@@ -15,8 +15,8 @@ zone=signed
 infile=example.db
 zonefile=signed.db
-key1=`$KEYGEN -q -r $RANDFILE $zone`
+key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
-key2=`$KEYGEN -q -r $RANDFILE -fk $zone`
+key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
 cat $infile $key1.key $key2.key > $zonefile
@@ -26,8 +26,8 @@ zone=nsec3
 infile=example.db
 zonefile=nsec3.db
-key1=`$KEYGEN -q -r $RANDFILE -3 $zone`
+key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 $zone`
-key2=`$KEYGEN -q -r $RANDFILE -3 -fk $zone`
+key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 -fk $zone`
 cat $infile $key1.key $key2.key > $zonefile
--- a/bin/tests/system/redirect/ns3/sign.sh
+++ b/bin/tests/system/redirect/ns3/sign.sh
@@ -15,8 +15,8 @@ zone=signed
 infile=example.db
 zonefile=signed.db
-key1=`$KEYGEN -q -r $RANDFILE $zone`
+key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
-key2=`$KEYGEN -q -r $RANDFILE -fk $zone`
+key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
 cat $infile $key1.key $key2.key > $zonefile
@@ -26,8 +26,8 @@ zone=nsec3
 infile=example.db
 zonefile=nsec3.db
-key1=`$KEYGEN -q -r $RANDFILE -3 $zone`
+key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 $zone`
-key2=`$KEYGEN -q -r $RANDFILE -3 -fk $zone`
+key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 -fk $zone`
 cat $infile $key1.key $key2.key > $zonefile
--- a/bin/tests/system/resolver/ns6/keygen.sh
+++ b/bin/tests/system/resolver/ns6/keygen.sh
@@ -15,8 +15,8 @@ zone=ds.example.net
 zonefile="${zone}.db"
 infile="${zonefile}.in"
 cp $infile $zonefile
-ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+ksk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
-zsk=`$KEYGEN -q -3 -r $RANDFILE -b 2048 $zone`
+zsk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -b 2048 $zone`
 cat $ksk.key $zsk.key >> $zonefile
 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
@@ -24,8 +24,8 @@ zone=example.net
 zonefile="${zone}.db"
 infile="${zonefile}.in"
 cp $infile $zonefile
-ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+ksk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
-zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
+zsk=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
 cat $ksk.key $zsk.key dsset-ds.example.net$TP >> $zonefile
 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -30,7 +30,7 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 # $1=directory, $2=domain name, $3=input zone file, $4=output file
 signzone () {
-    KEYNAME=`$KEYGEN -q -r $RANDFILE -b 1024 -K $1 $2`
+    KEYNAME=`$KEYGEN -q -a rsasha256 -r $RANDFILE -K $1 $2`
    cat $1/$3 $1/$KEYNAME.key > $1/tmp
    $SIGNER -Pp -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
    sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trusted-keys {"\1" \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
--- a/bin/tests/system/smartsign/tests.sh
+++ b/bin/tests/system/smartsign/tests.sh
@@ -21,39 +21,39 @@ cfile=child.db
 echo "I:generating child's keys"
 # active zsk
-czsk1=`$KEYGEN -q -r $RANDFILE -L 30 $czone`
+czsk1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -L 30 $czone`
 # not yet published or active
-czsk2=`$KEYGEN -q -r $RANDFILE -P none -A none $czone`
+czsk2=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P none -A none $czone`
 # published but not active
-czsk3=`$KEYGEN -q -r $RANDFILE -A none $czone`
+czsk3=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A none $czone`
 # inactive
-czsk4=`$KEYGEN -q -r $RANDFILE -P now-24h -A now-24h -I now $czone`
+czsk4=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now-24h -A now-24h -I now $czone`
 # active in 12 hours, inactive 12 hours after that...
-czsk5=`$KEYGEN -q -r $RANDFILE -P now+12h -A now+12h -I now+24h $czone`
+czsk5=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now+12h -A now+12h -I now+24h $czone`
 # explicit successor to czk5
 # (suppressing warning about lack of removal date)
 czsk6=`$KEYGEN -q -r $RANDFILE -S $czsk5 -i 6h 2>&-` 
 # active ksk
-cksk1=`$KEYGEN -q -r $RANDFILE -fk -L 30 $czone`
+cksk1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk -L 30 $czone`
 # published but not YET active; will be active in 20 seconds
-cksk2=`$KEYGEN -q -r $RANDFILE -fk $czone`
+cksk2=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
 # $SETTIME moved after other $KEYGENs
 echo I:revoking key
 # revoking key changes its ID
-cksk3=`$KEYGEN -q -r $RANDFILE -fk $czone`
+cksk3=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
 cksk4=`$REVOKE $cksk3`
 echo I:generating parent keys
-pzsk=`$KEYGEN -q -r $RANDFILE $pzone`
+pzsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $pzone`
-pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone`
+pksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $pzone`
 echo "I:setting child's activation time"
 # using now+30s to fix RT 24561
--- a/bin/tests/system/testcrypto.sh
+++ b/bin/tests/system/testcrypto.sh
@@ -26,7 +26,7 @@ while test "$#" -gt 0; do
                quiet=1
                ;;
        rsa|RSA)
-                alg=""
+                alg="-a RSASHA1"
                msg1="RSA cryptography"
                ;;
        gost|GOST)
--- a/bin/tests/system/verify/zones/genzones.sh
+++ b/bin/tests/system/verify/zones/genzones.sh
@@ -27,83 +27,83 @@ cp unsigned.db unsigned.bad
 # A set of nsec zones.
 setup zsk-only.nsec good
-$KEYGEN -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk-only.nsec good
-$KEYGEN -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk+zsk.nsec good
-$KEYGEN -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
-$KEYGEN -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 # A set of nsec3 zones.
 setup zsk-only.nsec3 good
-$KEYGEN -3 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk-only.nsec3 good
-$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk+zsk.nsec3 good
-$KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
-$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk+zsk.outout good
-$KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
-$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 # A set of zones with only DNSKEY records.
 setup zsk-only.dnskeyonly bad
-key1=`$KEYGEN -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
+key1=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
 cat unsigned.db $key1.key > ${file}
 setup ksk-only.dnskeyonly bad
-key1=`$KEYGEN -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
+key1=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
 cat unsigned.db $key1.key > ${file}
 setup ksk+zsk.dnskeyonly bad
-key1=`$KEYGEN -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
+key1=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
-key2=`$KEYGEN -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
+key2=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
 cat unsigned.db $key1.key $key2.key > ${file}
 # A set of zones with expired records
 s="-s -2678400"
 setup zsk-only.nsec.expired bad
-$KEYGEN -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk-only.nsec.expired bad
-$KEYGEN -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk+zsk.nsec.expired bad
-$KEYGEN -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
-$KEYGEN -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup zsk-only.nsec3.expired bad
-$KEYGEN -3 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk-only.nsec3.expired bad
-$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk+zsk.nsec3.expired bad
-$KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
-$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 # ksk expired
 setup ksk+zsk.nsec.ksk-expired bad
-zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
 $SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
@@ -112,8 +112,8 @@ exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}`
 [ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file
 setup ksk+zsk.nsec3.ksk-expired bad
-zsk=`$KEYGEN -3 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -3 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
 $SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
@@ -123,8 +123,8 @@ exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}`
 # broken nsec chain
 setup ksk+zsk.nsec.broken-chain bad
-zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' ${file} > ${file}.tmp
@@ -132,8 +132,8 @@ $SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 |
 # bad nsec bitmap
 setup ksk+zsk.nsec.bad-bitmap bad
-zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 awk '$4 == "NSEC" && /SOA/ { $6=""; print } { print }' ${file} > ${file}.tmp
@@ -141,8 +141,8 @@ $SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 |
 # extra NSEC record out side of zone
 setup ksk+zsk.nsec.out-of-zone-nsec bad
-zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file}
@@ -150,8 +150,8 @@ $SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>
 # extra NSEC record below bottom of one
 setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad
-zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >> ${file}
@@ -163,8 +163,8 @@ awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${fil
 # extract the hash fields from the empty node's NSEC 3 record then fix up
 # the NSEC3 chain to remove it
 setup ksk+zsk.nsec3.missing-empty bad
-zsk=`$KEYGEN -3 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -3 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 a=`awk '$4 == "NSEC3" && NF == 9 { split($1, a, "."); print a[1]; }' ${file}`
@@ -177,8 +177,8 @@ $SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk > s
 # extra NSEC3 record
 setup ksk+zsk.nsec3.extra-nsec3 bad
-zsk=`$KEYGEN -3 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -3 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 awk '
--- a/bin/tests/system/views/setup.sh
+++ b/bin/tests/system/views/setup.sh
@@ -26,11 +26,11 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 # same source of "random" data and we want different keys for
 # internal and external instances of inline.
 #
-$KEYGEN -K ns2/internal -r $RANDFILE -3q inline > /dev/null 2>&1
+$KEYGEN -K ns2/internal -r $RANDFILE -a rsasha256 -q inline > /dev/null 2>&1
-$KEYGEN -K ns2/internal -r $RANDFILE -3qfk inline > /dev/null 2>&1
+$KEYGEN -K ns2/internal -r $RANDFILE -a rsasha256 -qfk inline > /dev/null 2>&1
-k1=`$KEYGEN -K ns2/external -r $RANDFILE -3q inline 2> /dev/null`
+k1=`$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -q inline 2> /dev/null`
-k2=`$KEYGEN -K ns2/external -r $RANDFILE -3qfk inline 2> /dev/null`
+k2=`$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -qfk inline 2> /dev/null`
-$KEYGEN -K ns2/external -r $RANDFILE -3q inline > /dev/null 2>&1
+$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -q inline > /dev/null 2>&1
-$KEYGEN -K ns2/external -r $RANDFILE -3qfk inline > /dev/null 2>&1
+$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -qfk inline > /dev/null 2>&1
 test -n "$k1" && rm -f ns2/external/$k1.*
 test -n "$k2" && rm -f ns2/external/$k2.*
--- a/bin/tests/system/zonechecks/setup.sh
+++ b/bin/tests/system/zonechecks/setup.sh
@@ -19,8 +19,8 @@ cp bigserial.db ns1/
 cd ns1
 touch master.db.signed
 echo '$INCLUDE "master.db.signed"' >> master.db
-$KEYGEN -r $RANDFILE -3q master.example > /dev/null 2>&1
+$KEYGEN -r $RANDFILE -a rsasha256 -q master.example > /dev/null 2>&1
-$KEYGEN -r $RANDFILE -3qfk master.example > /dev/null 2>&1
+$KEYGEN -r $RANDFILE -a rsasha256 -qfk master.example > /dev/null 2>&1
 $SIGNER -SD -o master.example master.db > /dev/null \
    2> signer.err || cat signer.err
 echo '$INCLUDE "soa.db"' > reload.db
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -433,6 +433,17 @@
  <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
    <itemizedlist>
      <listitem>
 	<para>
 	  <command>dnssec-keygen</command> no longer has default
 	  algorithm settings. It is necessary to explicitly specify the
 	  algorithm on the command line with the <option>-a</option> option
 	  when generating keys. This may cause errors with existing signing
 	  scripts if they rely on current defaults. The intent is to
 	  reduce the long-term cost of transitioning to newer algorithms in
 	  the event of RSASHA1 being deprecated. [RT #44755]
 	</para>
      </listitem>
      <listitem>
 	<para>
 	  Threads in <command>named</command> are now set to human-readable
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -131,7 +131,9 @@
 	{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
 	{ DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
 	{ DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
 	{ DNS_KEYALG_ECDSA256, "ECDSA256", 0 }, \
 	{ DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
 	{ DNS_KEYALG_ECDSA384, "ECDSA384", 0 }, \
 	{ DNS_KEYALG_ED25519, "ED25519", 0 }, \
 	{ DNS_KEYALG_ED448, "ED448", 0 }, \
 	{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \