Replace RSASHA1 in autosign test with default alg

Change RSASHA1 to $DEFAULT_ALGORITHM to be FIPS compliant. There is one RSASHA1 occurence left, to test that dynamically adding an NSEC3PARAM record to an NSEC-only zone fails.
2025-08-30 14:07:59 +00:00 · 2022-01-05 11:39:03 +01:00
parent f3e668d630
commit 6e9fed2d24
2 changed files with 85 additions and 82 deletions
--- a/bin/tests/system/autosign/ns3/keygen.sh
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -29,8 +29,8 @@ setup () {
 setup secure.example
 cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -38,8 +38,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup secure.nsec3.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -47,8 +47,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup nsec3.nsec3.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -71,8 +71,8 @@ done
 #
 setup optout.nsec3.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -80,8 +80,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup nsec3.example
 cat $infile dsset-*.${zone}$TP > $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -89,9 +89,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup autonsec3.example
 cat $infile > $zonefile
-ksk=`$KEYGEN -G -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
 echo $ksk > ../autoksk.key
-zsk=`$KEYGEN -G -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
 echo $zsk > ../autozsk.key
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
@@ -100,8 +100,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup secure.optout.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -109,8 +109,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup nsec3.optout.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -118,8 +118,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup optout.optout.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -127,8 +127,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup optout.example
 cat $infile dsset-*.${zone}$TP > $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -170,8 +170,8 @@ do
    echo "label${count} IN TXT label${count}" >> $zonefile
    count=`expr $count + 1`
 done
-$KEYGEN -q -a RSASHA1 -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
 $SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out
 mv $zonefile.signed $zonefile
@@ -188,8 +188,8 @@ $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out
 # keys via nsupdate
 #
 setup secure-to-insecure.example
-$KEYGEN -a RSASHA1 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a RSASHA1 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -q $zone > kg.out 2>&1 || dumpit kg.out
 $SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out
 #
@@ -197,9 +197,9 @@ $SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out
 # removal of keys on schedule.
 #
 setup secure-to-insecure2.example
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
 echo $ksk > ../del1.key
-zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
 echo $zsk > ../del2.key
 $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
@@ -208,8 +208,8 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
 #
 setup prepub.example
 infile="secure-to-insecure2.example.db.in"
-$KEYGEN -a RSASHA1 -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
 $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
 #
@@ -218,35 +218,35 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
 # no default key TTL; DNSKEY should get SOA TTL
 setup ttl1.example
-$KEYGEN -a RSASHA1 -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
 cp $infile $zonefile
 # default key TTL should be used
 setup ttl2.example
-$KEYGEN -a RSASHA1 -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
 cp $infile $zonefile
 # mismatched key TTLs, should use shortest
 setup ttl3.example
-$KEYGEN -a RSASHA1 -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
 cp $infile $zonefile
 # existing DNSKEY RRset, should retain TTL
 setup ttl4.example
-$KEYGEN -a RSASHA1 -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
 cat ${infile} K${zone}.+*.key > $zonefile
-$KEYGEN -a RSASHA1 -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out
 #
 # A zone with a DNSKEY RRset that is published before it's activated
 #
 setup delay.example
-ksk=`$KEYGEN -G -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
 echo $ksk > ../delayksk.key
-zsk=`$KEYGEN -G -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
 echo $zsk > ../delayzsk.key
 #
@@ -254,8 +254,8 @@ echo $zsk > ../delayzsk.key
 # is missing.
 #
 setup noksk.example
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
-zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
 $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
 echo $ksk > ../noksk-ksk.key
 rm -f ${ksk}.private
@@ -265,8 +265,8 @@ rm -f ${ksk}.private
 # is missing.
 #
 setup nozsk.example
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
-zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
 $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
 echo $ksk > ../nozsk-ksk.key
 echo $zsk > ../nozsk-zsk.key
@@ -277,8 +277,8 @@ rm -f ${zsk}.private
 # is inactive.
 #
 setup inaczsk.example
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
-zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
 $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
 echo $ksk > ../inaczsk-ksk.key
 echo $zsk > ../inaczsk-zsk.key
@@ -289,16 +289,16 @@ $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
 #
 setup reconf.example
 cp secure.example.db.in $zonefile
-$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
 #
 # A zone which generates CDS and CDNSEY RRsets automatically
 #
 setup sync.example
 cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 echo ns3/$ksk > ../sync.key
@@ -307,8 +307,8 @@ echo ns3/$ksk > ../sync.key
 #
 setup kskonly.example
 cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -316,8 +316,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup inacksk2.example
 cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -325,8 +325,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup inaczsk2.example
 cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -334,9 +334,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup inacksk3.example
 cp $infile $zonefile
-$KEYGEN -a NSEC3RSASHA1 -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out
-ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -344,9 +344,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup inaczsk3.example
 cp $infile $zonefile
-ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a NSEC3RSASHA1 -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
@@ -355,9 +355,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup delzsk.example
 cp $infile $zonefile
-ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-zsk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -I now-1w $zone 2>kg.out` || dumpit kg.out
+zsk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out` || dumpit kg.out
 echo $zsk > ../delzsk.key
 #
@@ -365,6 +365,6 @@ echo $zsk > ../delzsk.key
 #
 setup dname-at-apex-nsec3.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -210,9 +210,9 @@ $DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
 zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
       $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}'`
-grep "DNSKEY 7 2 " dig.out.ns3.test$n > /dev/null || ret=1
+grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 " dig.out.ns3.test$n > /dev/null || ret=1
-pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
 grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
 count=`awk 'BEGIN { count = 0 }
@@ -228,7 +228,8 @@ test $count -eq 3 || ret=1
 awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }'
 id=`awk "${awk}" dig.out.ns3.test$n`
-$SETTIME -D now+5 ns3/Kinacksk3.example.+007+${id} > settime.out.test$n || ret=1
+keyfile=$(printf "ns3/Kinacksk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}")
 $SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1
 ($RNDCCMD 10.53.0.3 loadkeys inacksk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
 n=`expr $n + 1`
@@ -245,8 +246,8 @@ ret=0
 $DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
 kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
       $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' `
-grep "CNAME 7 3 " dig.out.ns3.test$n > /dev/null || ret=1
+grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 " dig.out.ns3.test$n > /dev/null || ret=1
-grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
+grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
 count=`awk 'BEGIN { count = 0 }
 	    $4 == "RRSIG" && $5 == "CNAME" { count++ }
 	    END {print count}' dig.out.ns3.test$n`
@@ -256,7 +257,9 @@ count=`awk 'BEGIN { count = 0 }
       END {print count}' dig.out.ns3.test$n`
 test $count -eq 3 || ret=1
 id=`awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n`
-$SETTIME -D now+5 ns3/Kinaczsk3.example.+007+${id} > settime.out.test$n || ret=1
+
 keyfile=$(printf "ns3/Kinaczsk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}")
 $SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1
 ($RNDCCMD 10.53.0.3 loadkeys inaczsk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -406,7 +409,7 @@ status=`expr $status + $ret`
 echo_i "checking that replaced RRSIGs are not logged (missing ZSK private key) ($n)"
 ret=0
-loglines=`grep "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l`
+loglines=`grep "Key nozsk.example/$DEFAULT_ALGORITHM/$missing .* retaining signatures" ns3/named.run | wc -l`
 [ "$loglines" -eq 0 ] || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -414,7 +417,7 @@ status=`expr $status + $ret`
 echo_i "checking that replaced RRSIGs are not logged (inactive ZSK private key) ($n)"
 ret=0
-loglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run | wc -l`
+loglines=`grep "Key inaczsk.example/$DEFAULT_ALGORITHM/$inactive .* retaining signatures" ns3/named.run | wc -l`
 [ "$loglines" -eq 0 ] || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1072,7 +1075,7 @@ send
 END
 [ $ret != 0 ] && echo_i "error: dynamic update add NSEC3PARAM failed"
 # Create DNSSEC keys in the zone directory.
-$KEYGEN -a rsasha1 -3 -q -K ns3 jitter.nsec3.example > /dev/null
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 jitter.nsec3.example > /dev/null
 # Trigger zone signing.
 ($RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
 # Wait until zone has been signed.
@@ -1096,7 +1099,7 @@ ret=0
 oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
 oldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
-$KEYGEN -a rsasha1 -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
 ($RNDCCMD 10.53.0.3 sign prepub.example 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
 newserial=$oldserial
@@ -1480,12 +1483,12 @@ $DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n
 zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
       $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' `
-pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
 grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
 kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
       $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' `
-pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${kskid} "
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${kskid} "
 grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
 n=`expr $n + 1`
@@ -1495,7 +1498,7 @@ status=`expr $status + $ret`
 echo_i "check that zone with inactive ZSK and active KSK is properly autosigned ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n
-grep "SOA 7 2" dig.out.ns3.test$n > /dev/null || ret=1
+grep "SOA ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -1512,7 +1515,7 @@ $DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
 zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
       $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' `
-pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
 grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
 count=`awk 'BEGIN { count = 0 }
@@ -1539,7 +1542,7 @@ ret=0
 $DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
 kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
       $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' `
-grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
+grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
 count=`awk 'BEGIN { count = 0 }
       $4 == "RRSIG" && $5 == "CNAME" { count++ }
       END {print count}' dig.out.ns3.test$n`
@@ -1613,7 +1616,7 @@ status=`expr $status + $ret`
 echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)"
 ret=0
 $DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
-grep "RRSIG NSEC3 7 3 600" dig.out.ns3.test$n > /dev/null || ret=1
+grep "RRSIG NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`