Don't use 'dnssec-signzone -P' unless necessary

Most of the test zones in the dnssec system test can be verified. Use -z when only a single key is being used so that the verifier knows that only a single key is in use.
2025-08-30 22:15:20 +00:00 · 2021-11-18 14:31:52 +11:00
parent 77ca778377
commit dbeea1afa0
4 changed files with 43 additions and 43 deletions
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -36,7 +36,7 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

 cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"

-"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1

 # Configure the resolving server with a staitc key.
 keyfile_to_static_ds "$ksk" > trusted.conf
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -36,7 +36,7 @@ keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zo

 cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

-"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1

 zone=trusted.
 infile=key.db.in
@@ -47,7 +47,7 @@ keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zo

 cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

-"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1

 # The "example." zone.
 zone=example.
@@ -72,7 +72,7 @@ keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zo

 cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

-"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1

 #
 # lower/uppercase the signature bits with the exception of the last characters
@@ -134,7 +134,7 @@ keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KS
 keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

 cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
-"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1

 # Sign the badparam secure file

@@ -147,7 +147,7 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zon

 cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

-"$SIGNER" -P -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1

 sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad"

@@ -162,7 +162,7 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zon

 cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

-"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1

 #
 # algroll has just has the old DNSKEY records removed and is waiting
@@ -180,7 +180,7 @@ keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"

-"$SIGNER" -P -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1
+"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1

 #
 # Make a zone big enough that it takes several seconds to generate a new
@@ -204,7 +204,7 @@ done >> "$zonefile"
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cat "$key1.key" "$key2.key" >> "$zonefile"
-"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1
+"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1

 zone=cds.secure
 infile=cds.secure.db.in
@@ -213,7 +213,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 "$DSFROMKEY" -C "$key1.key" > "$key1.cds"
 cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile
-"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1

 zone=cds-x.secure
 infile=cds.secure.db.in
@@ -223,7 +223,7 @@ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
 key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 "$DSFROMKEY" -C "$key2.key" > "$key2.cds"
 cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile"
-"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
+"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1

 zone=cds-update.secure
 infile=cds-update.secure.db.in
@@ -231,7 +231,7 @@ zonefile=cds-update.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1

 zone=cds-kskonly.secure
 infile=cds-kskonly.secure.db.in
@@ -239,7 +239,7 @@ zonefile=cds-kskonly.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
 keyfile_to_key_id "$key1" > cds-kskonly.secure.id

 zone=cds-auto.secure
@@ -257,7 +257,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
 cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile"
-"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1

 zone=cdnskey-x.secure
 infile=cdnskey.secure.db.in
@@ -267,7 +267,7 @@ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
 key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
 cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile"
-"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
+"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1

 zone=cdnskey-update.secure
 infile=cdnskey-update.secure.db.in
@@ -275,7 +275,7 @@ zonefile=cdnskey-update.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1

 zone=cdnskey-kskonly.secure
 infile=cdnskey-kskonly.secure.db.in
@@ -283,7 +283,7 @@ zonefile=cdnskey-kskonly.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
 keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id

 zone=cdnskey-auto.secure
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -49,7 +49,7 @@ do

 	keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 	cat "$infile" "$keyname4.key" > "$zonefile"
-	"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
+	"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
 	awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed

 	# Make trusted-keys and managed keys conf sections for ns8.
@@ -86,7 +86,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null

 zone=bogus.example.
 infile=bogus.example.db.in
@@ -96,7 +96,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null

 zone=dynamic.example.
 infile=dynamic.example.db.in
@@ -107,7 +107,7 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KS

 cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -o "$zone" "$zonefile" > /dev/null

 zone=keyless.example.
 infile=generic.example.db.in
@@ -117,7 +117,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null

 # Change the signer field of the a.b.keyless.example SIG A
 # to point to a provably nonexistent KEY record.
@@ -138,7 +138,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null

 #
 #  NSEC3/NSEC3 test zone
@@ -151,7 +151,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null

 #
 #  OPTOUT/NSEC3 test zone
@@ -164,7 +164,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null

 #
 # A nsec3 zone (non-optout).
@@ -177,7 +177,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -g -3 - -o "$zone" "$zonefile" > /dev/null

 #
 #  OPTOUT/NSEC test zone
@@ -190,7 +190,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null

 #
 #  OPTOUT/NSEC3 test zone
@@ -203,7 +203,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null

 #
 #  OPTOUT/OPTOUT test zone
@@ -216,7 +216,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null

 #
 # A optout nsec3 zone.
@@ -229,7 +229,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -g -3 - -A -o "$zone" "$zonefile" > /dev/null

 #
 # A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U).
@@ -242,7 +242,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -PU -o "$zone" "$zonefile" > /dev/null

 #
 # A optout nsec3 zone with a unknown nsec3 hash algorithm (-U).
@@ -255,7 +255,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -PU -A -o "$zone" "$zonefile" > /dev/null

 #
 # A zone that is signed with an unknown DNSKEY algorithm.
@@ -269,7 +269,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null

 awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed

@@ -288,7 +288,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null

 awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed

@@ -308,7 +308,7 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

 cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"

-"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null
+"$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null

 #
 # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
@@ -322,7 +322,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -o "$zone" -PU -O full -f ${zonefile}.tmp "$zonefile" > /dev/null

 awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed

@@ -340,17 +340,17 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -O full -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -O full -o "$zone" "$zonefile" > /dev/null
 awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed > NSEC
-"$SIGNER" -P -O full -u3 - -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" > /dev/null
 awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed > NSEC3
-"$SIGNER" -P -O full -u3 AAAA -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" > /dev/null
 awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
-"$SIGNER" -P -O full -u3 BBBB -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" > /dev/null
 awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
-"$SIGNER" -P -O full -u3 CCCC -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" > /dev/null
 awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
-"$SIGNER" -P -O full -u3 DDDD -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" > /dev/null
 cat NSEC NSEC3 >> "$zonefile".signed

 #
--- a/bin/tests/system/dnssec/ns6/sign.sh
+++ b/bin/tests/system/dnssec/ns6/sign.sh
@@ -24,4 +24,4 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone

 cat "$infile" "$keyname.key" > "$zonefile"

-"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1
+"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1