diff --git a/bin/tests/system/checkconf/bad-kasp-keydir1.conf b/bin/tests/system/checkconf/bad-kasp-keydir1.conf.in
similarity index 95%
rename from bin/tests/system/checkconf/bad-kasp-keydir1.conf
rename to bin/tests/system/checkconf/bad-kasp-keydir1.conf.in
index eea10308b0..b0deaeae33 100644
--- a/bin/tests/system/checkconf/bad-kasp-keydir1.conf
+++ b/bin/tests/system/checkconf/bad-kasp-keydir1.conf.in
@@ -18,12 +18,12 @@
 key "keyforview1" {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
 };
 key "keyforview2" {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
 };
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir2.conf b/bin/tests/system/checkconf/bad-kasp-keydir2.conf.in
similarity index 94%
rename from bin/tests/system/checkconf/bad-kasp-keydir2.conf
rename to bin/tests/system/checkconf/bad-kasp-keydir2.conf.in
index 2ccf4397d7..699c193aaa 100644
--- a/bin/tests/system/checkconf/bad-kasp-keydir2.conf
+++ b/bin/tests/system/checkconf/bad-kasp-keydir2.conf.in
@@ -18,12 +18,12 @@
 */
 key "keyforview1" {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
 };
 key "keyforview2" {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
 };
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir3.conf b/bin/tests/system/checkconf/bad-kasp-keydir3.conf.in
similarity index 95%
rename from bin/tests/system/checkconf/bad-kasp-keydir3.conf
rename to bin/tests/system/checkconf/bad-kasp-keydir3.conf.in
index e057877438..0dbd7e2265 100644
--- a/bin/tests/system/checkconf/bad-kasp-keydir3.conf
+++ b/bin/tests/system/checkconf/bad-kasp-keydir3.conf.in
@@ -19,12 +19,12 @@
 */
 key "keyforview1" {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
 };
 key "keyforview2" {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
 };
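Review bot: The `secret` values in these `key` blocks are unchanged 20-byte strings, sized for the SHA-1 output that the old `"hmac-sha1"` line named, while `algorithm @DEFAULT_HMAC@;` now lets the test framework choose the digest. If that substitution yields a SHA-2 HMAC (its value is not visible in this diff), the key is shorter than the digest, which RFC 2104 discourages; that is harmless for a fixture but easy to copy into a real configuration. A comment above the first key such as `/* 160-bit test secret retained from the hmac-sha1 fixture; not a sizing example */` would make that explicit. The same applies to the other `bad-kasp-keydir*.conf.in` files and to the `kasp`, `keymgr2kasp` and `rndc` `named.conf.in` hunks.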
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir4.conf b/bin/tests/system/checkconf/bad-kasp-keydir4.conf.in
similarity index 95%
rename from bin/tests/system/checkconf/bad-kasp-keydir4.conf
rename to bin/tests/system/checkconf/bad-kasp-keydir4.conf.in
index 44f867f33e..af4a8f907b 100644
--- a/bin/tests/system/checkconf/bad-kasp-keydir4.conf
+++ b/bin/tests/system/checkconf/bad-kasp-keydir4.conf.in
@@ -18,12 +18,12 @@
 */
 key "keyforview1" {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
 };
 key "keyforview2" {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
 };
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir5.conf b/bin/tests/system/checkconf/bad-kasp-keydir5.conf.in
similarity index 95%
rename from bin/tests/system/checkconf/bad-kasp-keydir5.conf
rename to bin/tests/system/checkconf/bad-kasp-keydir5.conf.in
index 9373a079c7..1cca608326 100644
--- a/bin/tests/system/checkconf/bad-kasp-keydir5.conf
+++ b/bin/tests/system/checkconf/bad-kasp-keydir5.conf.in
@@ -19,12 +19,12 @@
 */
 key "keyforview1" {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
 };
 key "keyforview2" {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
 };
diff --git a/bin/tests/system/checkconf/clean.sh b/bin/tests/system/checkconf/clean.sh
index 5bdcb6e8e1..0d6001da76 100644
--- a/bin/tests/system/checkconf/clean.sh
+++ b/bin/tests/system/checkconf/clean.sh
@@ -11,10 +11,15 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
-rm -f good.conf.in good.conf.out badzero.conf *.out
-rm -f good-kasp.conf.in
-rm -rf test.keydir
+rm -f bad-kasp-keydir1.conf
+rm -f bad-kasp-keydir2.conf
+rm -f bad-kasp-keydir3.conf
+rm -f bad-kasp-keydir4.conf
+rm -f bad-kasp-keydir5.conf
 rm -f checkconf.out*
 rm -f diff.out*
-rm -f ns*/named.lock
+rm -f good-kasp.conf.in
 rm -f good-server-christmas-tree.conf
+rm -f good.conf.in good.conf.out badzero.conf *.out
+rm -f ns*/named.lock
+rm -rf test.keydir
diff --git a/bin/tests/system/checkconf/setup.sh b/bin/tests/system/checkconf/setup.sh
index 85eca861b1..7d83eb5463 100644
--- a/bin/tests/system/checkconf/setup.sh
+++ b/bin/tests/system/checkconf/setup.sh
@@ -10,4 +10,11 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
+. ../conf.sh
+
+copy_setports bad-kasp-keydir1.conf.in bad-kasp-keydir1.conf
+copy_setports bad-kasp-keydir2.conf.in bad-kasp-keydir2.conf
+copy_setports bad-kasp-keydir3.conf.in bad-kasp-keydir3.conf
+copy_setports bad-kasp-keydir4.conf.in bad-kasp-keydir4.conf
+copy_setports bad-kasp-keydir5.conf.in bad-kasp-keydir5.conf
 cp -f good-server-christmas-tree.conf.in good-server-christmas-tree.conf
diff --git a/bin/tests/system/checkzone/clean.sh b/bin/tests/system/checkzone/clean.sh
index 08c016cb40..9a9cde8a9f 100644
--- a/bin/tests/system/checkzone/clean.sh
+++ b/bin/tests/system/checkzone/clean.sh
@@ -11,4 +11,5 @@
 rm -f test.* good1.db.raw named-compilezone
 rm -f ns*/named.lock
+rm -f zones/bad-tsig.db
 rm -f zones/zone1_*.txt
diff --git a/bin/tests/system/checkzone/setup.sh b/bin/tests/system/checkzone/setup.sh
index f143347c89..cc2aa996fc 100644
--- a/bin/tests/system/checkzone/setup.sh
+++ b/bin/tests/system/checkzone/setup.sh
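Review bot: The five `copy_setports` calls added to `checkconf/setup.sh` have no failure handling, and nothing visible in the hunk turns on `set -e`. The generated files are named `bad-kasp-keydir*.conf`, so they are presumably expected to be rejected by the checker; if a copy fails, the missing file is rejected as well and the test could pass without the key-directory check ever running. Consider `set -e` directly after `. ../conf.sh`, or `copy_setports bad-kasp-keydir1.conf.in bad-kasp-keydir1.conf || exit 1` on each call. Lines 1-9 of the file are outside the hunk, so an existing `set -e` there cannot be ruled out.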
@@ -15,3 +15,5 @@
 ln -s $CHECKZONE named-compilezone
 ./named-compilezone -D -F raw -o good1.db.raw example \
 zones/good1.db > /dev/null 2>&1
+
+copy_setports zones/bad-tsig.db.in zones/bad-tsig.db
diff --git a/bin/tests/system/checkzone/zones/bad-tsig.db b/bin/tests/system/checkzone/zones/bad-tsig.db.in
similarity index 84%
rename from bin/tests/system/checkzone/zones/bad-tsig.db
rename to bin/tests/system/checkzone/zones/bad-tsig.db.in
index 53c2f8c114..daef06c394 100644
--- a/bin/tests/system/checkzone/zones/bad-tsig.db
+++ b/bin/tests/system/checkzone/zones/bad-tsig.db.in
@@ -14,4 +14,4 @@ $TTL 600 NS ns ns A 192.0.2.1
-tsig TSIG hmac-sha1. 1516135665 300 20 thBt8DheAD7qpqSFTiGK999sxGg= 54994 NOERROR 0
+tsig TSIG @DEFAULT_HMAC@ 1516135665 300 20 thBt8DheAD7qpqSFTiGK999sxGg= 54994 NOERROR 0
diff --git a/bin/tests/system/kasp/ns4/named.conf.in b/bin/tests/system/kasp/ns4/named.conf.in
index bea7ef67af..c3f19a9396 100644
--- a/bin/tests/system/kasp/ns4/named.conf.in
+++ b/bin/tests/system/kasp/ns4/named.conf.in
@@ -38,17 +38,17 @@ key "sha256" {
 };
 key "keyforview1" {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
 };
 key "keyforview2" {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
 };
 key "keyforview3" {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "C1Azf+gGPMmxrUg/WQINP6eV9Y0=";
 };
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 8856e2db7d..6d63c5d70d 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -1872,7 +1872,7 @@ dnssec_verify
 # Test with views.
 set_zone "example.net"
 set_server "ns4" "10.53.0.4"
-TSIG="hmac-sha1:keyforview1:$VIEW1"
+TSIG="$DEFAULT_HMAC:keyforview1:$VIEW1"
 wait_for_nsec
 check_keys
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example1"
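Review bot: In `zones/bad-tsig.db.in` the algorithm field loses its trailing dot: the old record used the absolute name `hmac-sha1.`, the new one is `@DEFAULT_HMAC@` with nothing after it. If the substitution expands to a bare name such as `hmac-sha256` (the value is not shown in this diff), a zone parser will treat it as relative to the zone origin, and the record no longer names a real TSIG algorithm. Since this file exists to be rejected, it is worth keeping the record otherwise well-formed so the rejection stays tied to the TSIG type itself: `tsig TSIG @DEFAULT_HMAC@. 1516135665 300 20 thBt8DheAD7qpqSFTiGK999sxGg= 54994 NOERROR 0`. The MAC size `20` and the 20-byte MAC are also still SHA-1 sized.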
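Review bot: `TSIG="$DEFAULT_HMAC:keyforview1:$VIEW1"` expands to a string with an empty algorithm field if `DEFAULT_HMAC` is unset or empty in the environment that runs `tests.sh`, and the resulting failure would surface only as a later query or key check failing. The server side takes its algorithm from the `@DEFAULT_HMAC@` template substitution, so both must come from the same definition; a guard such as `TSIG="${DEFAULT_HMAC:?}:keyforview1:$VIEW1"`, or a single `: "${DEFAULT_HMAC:?}"` near the top of the script, makes a mismatch fail immediately. The same assignment pattern recurs in the later `kasp/tests.sh` hunks and in `keymgr2kasp/tests.sh` and `rndc/tests.sh`. The script's setup is outside the hunk, so an existing check cannot be seen here.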
@@ -1891,7 +1891,7 @@ check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
-TSIG="hmac-sha1:keyforview2:$VIEW2"
+TSIG="$DEFAULT_HMAC:keyforview2:$VIEW2"
 wait_for_nsec
 check_keys
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
@@ -1908,7 +1908,7 @@ check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
-TSIG="hmac-sha1:keyforview3:$VIEW3"
+TSIG="$DEFAULT_HMAC:keyforview3:$VIEW3"
 wait_for_nsec
 check_keys
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
diff --git a/bin/tests/system/keymgr2kasp/ns4/named.conf.in b/bin/tests/system/keymgr2kasp/ns4/named.conf.in
index 3b0f9cb932..fda402ca31 100644
--- a/bin/tests/system/keymgr2kasp/ns4/named.conf.in
+++ b/bin/tests/system/keymgr2kasp/ns4/named.conf.in
@@ -36,12 +36,12 @@ controls {
 };
 key "external" {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
 };
 key "internal" {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
 };
diff --git a/bin/tests/system/keymgr2kasp/ns4/named2.conf.in b/bin/tests/system/keymgr2kasp/ns4/named2.conf.in
index e9b0ed8f7c..09cc032de2 100644
--- a/bin/tests/system/keymgr2kasp/ns4/named2.conf.in
+++ b/bin/tests/system/keymgr2kasp/ns4/named2.conf.in
@@ -57,12 +57,12 @@ dnssec-policy "rsasha256" {
 };
 key "external" {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
 };
 key "internal" {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
 };
diff --git a/bin/tests/system/keymgr2kasp/tests.sh b/bin/tests/system/keymgr2kasp/tests.sh
index a75dd80639..705054f542 100644
--- a/bin/tests/system/keymgr2kasp/tests.sh
+++ b/bin/tests/system/keymgr2kasp/tests.sh
@@ -957,7 +957,7 @@ set_server "ns4" "10.53.0.4"
 init_view_migration
 set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keyalgorithm "KEY2" "8" "RSASHA256" "1024"
-TSIG="hmac-sha1:external:$VIEW1"
+TSIG="$DEFAULT_HMAC:external:$VIEW1"
 wait_for_nsec
 # Make sure the zone is signed with legacy keys.
 check_keys
@@ -987,7 +987,7 @@ set_server "ns4" "10.53.0.4"
 init_view_migration
 set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keyalgorithm "KEY2" "8" "RSASHA256" "1024"
-TSIG="hmac-sha1:internal:$VIEW2"
+TSIG="$DEFAULT_HMAC:internal:$VIEW2"
 wait_for_nsec
 # Make sure the zone is signed with legacy keys.
 check_keys
@@ -1052,7 +1052,7 @@ set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
 set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
 # Various signing policy checks (external).
-TSIG="hmac-sha1:external:$VIEW1"
+TSIG="$DEFAULT_HMAC:external:$VIEW1"
 check_keys
 wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "ext"
@@ -1113,7 +1113,7 @@ check_apex
 dnssec_verify
 # Various signing policy checks (internal).
-TSIG="hmac-sha1:internal:$VIEW2"
+TSIG="$DEFAULT_HMAC:internal:$VIEW2"
 check_keys
 wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "int"
diff --git a/bin/tests/system/rndc/ns7/named.conf.in b/bin/tests/system/rndc/ns7/named.conf.in
index ce8ea75c92..af3e6fbdd5 100644
--- a/bin/tests/system/rndc/ns7/named.conf.in
+++ b/bin/tests/system/rndc/ns7/named.conf.in
@@ -24,12 +24,12 @@ key rndc_key {
 };
 key int {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
 };
 key ext {
- algorithm "hmac-sha1";
+ algorithm @DEFAULT_HMAC@;
 secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
 };
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
index 17b007e850..b6475bd4ff 100644
--- a/bin/tests/system/rndc/tests.sh
+++ b/bin/tests/system/rndc/tests.sh
@@ -739,10 +739,10 @@ status=$((status+ret))
 n=$((n+1))
 echo_i "checking initial in-view zone file is loaded ($n)"
 ret=0
-TSIG="hmac-sha1:int:FrSt77yPTFx6hTs4i2tKLB9LmE0="
+TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0="
 $DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.1.test$n
 grep 'include 1' dig.out.1.test$n >/dev/null || ret=1
-TSIG="hmac-sha1:ext:FrSt77yPTFx6hTs4i2tKLB9LmE0="
+TSIG="$DEFAULT_HMAC:ext:FrSt77yPTFx6hTs4i2tKLB9LmE0="
 $DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.2.test$n
 grep 'include 1' dig.out.2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -750,7 +750,7 @@ status=$((status+ret))
 echo_i "update in-view zone ($n)"
 ret=0
-TSIG="hmac-sha1:int:FrSt77yPTFx6hTs4i2tKLB9LmE0="
+TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0="
 $NSUPDATE -p ${PORT} -y "$TSIG" > /dev/null 2>&1 < dig.out.1.test$n
 grep 'addition 1' dig.out.1.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -795,10 +795,10 @@ wait_for_log 3 "all zones loaded" ns7/named.run
 n=$((n+1))
 echo_i "checking zone file edits are loaded ($n)"
 ret=0
-TSIG="hmac-sha1:int:FrSt77yPTFx6hTs4i2tKLB9LmE0="
+TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0="
 $DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.1.test$n
 grep 'include 2' dig.out.1.test$n >/dev/null || ret=1
-TSIG="hmac-sha1:ext:FrSt77yPTFx6hTs4i2tKLB9LmE0="
+TSIG="$DEFAULT_HMAC:ext:FrSt77yPTFx6hTs4i2tKLB9LmE0="
 $DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.2.test$n
 grep 'include 2' dig.out.2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi