diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh
index 560ad22eba..b3ddb0ed4c 100644
--- a/bin/tests/system/kasp.sh
+++ b/bin/tests/system/kasp.sh
@@ -245,6 +245,8 @@ set_keyrole() {
 	test "$2" = "csk" && key_set "$1" "KSK" "yes"
 	test "$2" = "csk" && key_set "$1" "ZSK" "yes"
 	test "$2" = "csk" && key_set "$1" "FLAGS" "257"
+
+	return 0
 }
 set_keylifetime() {
 	key_set "$1" "EXPECT" "yes"
@@ -382,7 +384,7 @@ check_key() {
 		[ -s "$STATE_FILE" ] || ret=1
 	fi
 	[ "$ret" -eq 0 ] || _log_error "${BASE_FILE} files missing"
-	[ "$ret" -eq 0 ] || return
+	[ "$ret" -eq 0 ] || return 0
 
 	# Retrieve creation date.
 	grep "; Created:" "$KEY_FILE" > "${ZONE}.${KEY_ID}.${_alg_num}.created" || _log_error "mismatch created comment in $KEY_FILE"
@@ -457,6 +459,8 @@ check_key() {
 			grep "DSChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch ds change in $STATE_FILE"
 		fi
 	fi
+
+	return 0
 }
 
 # Check the key timing metadata for key $1.
@@ -659,7 +663,7 @@ key_unused() {
 	[ -s "$KEY_FILE" ] || ret=1
 	[ -s "$PRIVATE_FILE" ] || ret=1
 	[ -s "$STATE_FILE" ] || ret=1
-	[ "$ret" -eq 0 ] || return
+	[ "$ret" -eq 0 ] || return 0
 
 	# Treat keys that have been removed from the zone as unused.
 	_check_removed=1
@@ -689,6 +693,8 @@ key_unused() {
 	grep "Retired: " "$STATE_FILE" > /dev/null && _log_error "unexpected retired in $STATE_FILE"
 	grep "Revoked: " "$STATE_FILE" > /dev/null && _log_error "unexpected revoked in $STATE_FILE"
 	grep "Removed: " "$STATE_FILE" > /dev/null && _log_error "unexpected removed in $STATE_FILE"
+
+	return 0
 }
 
 # Test: dnssec-verify zone $1.
@@ -987,6 +993,8 @@ check_cds_digests() {
 	else
 		response_has_cdnskey_for_key $1 "${2}.cdnskey" && _log_error "unexpected CDNSKEY record in response for key $(key_get $1 ID)"
 	fi
+
+	return 0
 }
 
 check_cds_digests_invert() {
@@ -996,6 +1004,8 @@ check_cds_digests_invert() {
 	# one for another key.  Since the CDNSKEY has no field for key
 	# id, it is hard to check what key the CDNSKEY may belong to
 	# so let's skip this check for now.
+
+	return 0
 }
 
 # Test CDS and CDNSKEY publication.
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index e4e4ffe9e2..2162952c23 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -2166,7 +2166,7 @@ dnssec_verify
 n=$((n+1))
 echo_i "check that rndc dnssec -rollover fails if key is inactive ($n)"
 ret=0
-rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" > rndc.dnssec.rollover.out.$ZONE.$n
+rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" > rndc.dnssec.rollover.out.$ZONE.$n || ret=1
 grep "key is not actively signing" rndc.dnssec.rollover.out.$ZONE.$n > /dev/null || log_error "bad error message"
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))