Diffstat (limited to '')
-rw-r--r--bin/tests/system/keymgr/19-old-keys/extra.sh16
-rw-r--r--bin/tests/system/keymgr/setup.sh184
-rw-r--r--bin/tests/system/keymgr/tests.sh207
-rw-r--r--bin/tests/system/keymgr2kasp/clean.sh1
-rw-r--r--bin/tests/system/keymgr2kasp/ns3/setup.sh98
-rw-r--r--bin/tests/system/keymgr2kasp/ns4/setup.sh10
-rw-r--r--bin/tests/system/keymgr2kasp/setup.sh8
-rw-r--r--bin/tests/system/keymgr2kasp/tests.sh558
8 files changed, 538 insertions, 544 deletions
diff --git a/bin/tests/system/keymgr/19-old-keys/extra.sh b/bin/tests/system/keymgr/19-old-keys/extra.sh
index 502d951..1533658 100644
--- a/bin/tests/system/keymgr/19-old-keys/extra.sh
+++ b/bin/tests/system/keymgr/19-old-keys/extra.sh
@@ -11,13 +11,13 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
-now=`$PERL -e 'print time()."\n";'`
+now=$($PERL -e 'print time()."\n";')
for keyfile in K*.key; do
- inactive=`$SETTIME -upI $keyfile | awk '{print $2}'`
- if [ "$inactive" = UNSET ]; then
- continue
- elif [ "$inactive" -lt "$now" ]; then
- echo_d "inactive date is in the past"
- ret=1
- fi
+ inactive=$($SETTIME -upI $keyfile | awk '{print $2}')
+ if [ "$inactive" = UNSET ]; then
+ continue
+ elif [ "$inactive" -lt "$now" ]; then
+ echo_d "inactive date is in the past"
+ ret=1
+ fi
done
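Review bot: `$keyfile` is still passed unquoted in `inactive=$($SETTIME -upI $keyfile | awk '{print $2}')` even though the reformatting pass rewrote that line; `inactive=$($SETTIME -upI "$keyfile" | awk '{print $2}')` costs nothing and silences ShellCheck. `ret=1` relies on the caller's `ret=0`: this file is sourced by keymgr/tests.sh inside its per-directory loop (see `. ./extra.sh` in that hunk), which is worth a one-line comment above the loop such as `# sourced from tests.sh; failures are reported through its ret variable`. The `for` loop also inherits `$now` from the line above, so the whole block only makes sense when sourced, not executed.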
diff --git a/bin/tests/system/keymgr/setup.sh b/bin/tests/system/keymgr/setup.sh
index d7cef0c..97a6abe 100644
--- a/bin/tests/system/keymgr/setup.sh
+++ b/bin/tests/system/keymgr/setup.sh
@@ -19,173 +19,173 @@ KEYGEN="$KEYGEN -q"
# Test 1: KSK goes inactive before successor is active
dir=01-ksk-inactive
echo_i "set up $dir"
-ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
-$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
-ksk2=`$KEYGEN -K $dir -S $ksk1`
-$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+ksk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 >/dev/null 2>&1
+ksk2=$($KEYGEN -K $dir -S $ksk1)
+$SETTIME -K $dir -I +7mo $ksk1 >/dev/null 2>&1
+zsk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
# Test 2: ZSK goes inactive before successor is active
dir=02-zsk-inactive
echo_i "set up $dir"
-zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
-$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
-zsk2=`$KEYGEN -K $dir -S $zsk1`
-$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+zsk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 >/dev/null 2>&1
+zsk2=$($KEYGEN -K $dir -S $zsk1)
+$SETTIME -K $dir -I +7mo $zsk1 >/dev/null 2>&1
+ksk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
# Test 3: KSK is unpublished before its successor is published
dir=03-ksk-unpublished
echo_i "set up $dir"
-ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
-$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
-ksk2=`$KEYGEN -K $dir -S $ksk1`
-$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+ksk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 >/dev/null 2>&1
+ksk2=$($KEYGEN -K $dir -S $ksk1)
+$SETTIME -K $dir -D +6mo $ksk1 >/dev/null 2>&1
+zsk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
# Test 4: ZSK is unpublished before its successor is published
dir=04-zsk-unpublished
echo_i "set up $dir"
-zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
-$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
-zsk2=`$KEYGEN -K $dir -S $zsk1`
-$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+zsk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 >/dev/null 2>&1
+zsk2=$($KEYGEN -K $dir -S $zsk1)
+$SETTIME -K $dir -D +6mo $zsk1 >/dev/null 2>&1
+ksk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
# Test 5: KSK deleted and successor published before KSK is deactivated
# and successor activated.
dir=05-ksk-unpub-active
echo_i "set up $dir"
-ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
-$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
-ksk2=`$KEYGEN -K $dir -S $ksk1`
-zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+ksk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+$SETTIME -K $dir -I +9mo -D +8mo $ksk1 >/dev/null 2>&1
+ksk2=$($KEYGEN -K $dir -S $ksk1)
+zsk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
# Test 6: ZSK deleted and successor published before ZSK is deactivated
# and successor activated.
dir=06-zsk-unpub-active
echo_i "set up $dir"
-zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
-$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
-zsk2=`$KEYGEN -K $dir -S $zsk1`
-ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+zsk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I +9mo -D +8mo $zsk1 >/dev/null 2>&1
+zsk2=$($KEYGEN -K $dir -S $zsk1)
+ksk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
# Test 7: KSK rolled with insufficient delay after prepublication.
dir=07-ksk-ttl
echo_i "set up $dir"
-ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
-$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
-ksk2=`$KEYGEN -K $dir -S $ksk1`
-$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+ksk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 >/dev/null 2>&1
+ksk2=$($KEYGEN -K $dir -S $ksk1)
+$SETTIME -K $dir -P +269d $ksk2 >/dev/null 2>&1
+zsk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
# Test 8: ZSK rolled with insufficient delay after prepublication.
dir=08-zsk-ttl
echo_i "set up $dir"
-zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
-$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
-zsk2=`$KEYGEN -K $dir -S $zsk1`
+zsk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 >/dev/null 2>&1
+zsk2=$($KEYGEN -K $dir -S $zsk1)
# allow only 1 day between publication and activation
-$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+$SETTIME -K $dir -P +269d $zsk2 >/dev/null 2>&1
+ksk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
# Test 9: No special preparation needed
# Test 10: Valid key set, but rollover period has changed
dir=10-change-roll
echo_i "set up $dir"
-ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
-zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
-$SETTIME -K $dir -I +3mo -D +4mo $zsk1 > /dev/null 2>&1
-zsk2=`$KEYGEN -K $dir -S $zsk1`
+ksk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+zsk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I +3mo -D +4mo $zsk1 >/dev/null 2>&1
+zsk2=$($KEYGEN -K $dir -S $zsk1)
# Test 11: Many keys all simultaneously scheduled to be active in the future
dir=11-many-simul
echo_i "set up $dir"
-k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk -P now+1mo -A now+1mo example.com`
-z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com`
-z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com`
-z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com`
-z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com`
+k1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk -P now+1mo -A now+1mo example.com)
+z1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com)
+z2=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com)
+z3=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com)
+z4=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com)
# Test 12: Many keys all simultaneously scheduled to be active in the past
dir=12-many-active
echo_i "set up $dir"
-k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
-z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
-z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
-z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
-z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+k1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com)
+z1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com)
+z2=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com)
+z3=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com)
+z4=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com)
# Test 13: Multiple simultaneous keys with no configured roll period
dir=13-noroll
echo_i "set up $dir"
-k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
-k2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
-k3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
-z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+k1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com)
+k2=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com)
+k3=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com)
+z1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com)
# Test 14: Keys exist but have the wrong algorithm
dir=14-wrongalg
echo_i "set up $dir"
-k1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -qfk example.com`
-z1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -q example.com`
-$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
-z2=`$KEYGEN -K $dir -q -S ${z1}.key`
-$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
-z3=`$KEYGEN -K $dir -q -S ${z2}.key`
-$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null
-z4=`$KEYGEN -K $dir -q -S ${z3}.key`
+k1=$($KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -qfk example.com)
+z1=$($KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -q example.com)
+$SETTIME -K $dir -I now+6mo -D now+8mo $z1 >/dev/null
+z2=$($KEYGEN -K $dir -q -S ${z1}.key)
+$SETTIME -K $dir -I now+1y -D now+14mo $z2 >/dev/null
+z3=$($KEYGEN -K $dir -q -S ${z2}.key)
+$SETTIME -K $dir -I now+18mo -D now+20mo $z3 >/dev/null
+z4=$($KEYGEN -K $dir -q -S ${z3}.key)
# Test 15: No zones specified; just search the directory for keys
dir=15-unspec
echo_i "set up $dir"
-k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
-z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
-$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
-z2=`$KEYGEN -K $dir -q -S ${z1}.key`
-$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
-z3=`$KEYGEN -K $dir -q -S ${z2}.key`
-$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null
-z4=`$KEYGEN -K $dir -q -S ${z3}.key`
+k1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com)
+z1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com)
+$SETTIME -K $dir -I now+6mo -D now+8mo $z1 >/dev/null
+z2=$($KEYGEN -K $dir -q -S ${z1}.key)
+$SETTIME -K $dir -I now+1y -D now+14mo $z2 >/dev/null
+z3=$($KEYGEN -K $dir -q -S ${z2}.key)
+$SETTIME -K $dir -I now+18mo -D now+20mo $z3 >/dev/null
+z4=$($KEYGEN -K $dir -q -S ${z3}.key)
# Test 16: No zones specified; search the directory for keys;
# keys have the wrong algorithm for their policies
dir=16-wrongalg-unspec
echo_i "set up $dir"
-k1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -qfk example.com`
-z1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -q example.com`
-$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
-z2=`$KEYGEN -K $dir -q -S ${z1}.key`
-$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
-z3=`$KEYGEN -K $dir -q -S ${z2}.key`
-$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null
-z4=`$KEYGEN -K $dir -q -S ${z3}.key`
+k1=$($KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -qfk example.com)
+z1=$($KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -q example.com)
+$SETTIME -K $dir -I now+6mo -D now+8mo $z1 >/dev/null
+z2=$($KEYGEN -K $dir -q -S ${z1}.key)
+$SETTIME -K $dir -I now+1y -D now+14mo $z2 >/dev/null
+z3=$($KEYGEN -K $dir -q -S ${z2}.key)
+$SETTIME -K $dir -I now+18mo -D now+20mo $z3 >/dev/null
+z4=$($KEYGEN -K $dir -q -S ${z3}.key)
# Test 17: Keys are simultaneously active but we run with no force
# flag (this should fail)
dir=17-noforce
echo_i "set up $dir"
-k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
-z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
-z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
-z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
-z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+k1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com)
+z1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com)
+z2=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com)
+z3=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com)
+z4=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com)
# Test 18: Prepublication interval is set to a nonstandard value
dir=18-nonstd-prepub
echo_i "set up $dir"
-ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
-zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
-$SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 > /dev/null
+ksk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+zsk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 >/dev/null
# Test 19: Key has been published/active a long time
dir=19-old-keys
echo_i "set up $dir"
-ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
-zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
-$SETTIME -K $dir -P now-2y -A now-2y $ksk1 > /dev/null
-$SETTIME -K $dir -P now-2y -A now-2y $zsk1 > /dev/null
+ksk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+zsk1=$($KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -P now-2y -A now-2y $ksk1 >/dev/null
+$SETTIME -K $dir -P now-2y -A now-2y $zsk1 >/dev/null
copy_setports policy.conf.in policy.conf
copy_setports 18-nonstd-prepub/policy.conf.in 18-nonstd-prepub/policy.conf
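Review bot: The `$SETTIME` calls are inconsistent about what they discard: Tests 1–8 use `>/dev/null 2>&1` (for example `$SETTIME -K $dir -I +9mo -D +1y $ksk1 >/dev/null 2>&1`) while Tests 14–19 keep stderr with `>/dev/null` only. Since shfmt touched every one of these lines anyway, harmonising them on `>/dev/null` so stderr stays visible would make a failing dnssec-settime show up in the setup log instead of surfacing later as an unexplained expectation mismatch in tests.sh. The exit status of `$KEYGEN` and `$SETTIME` is unchecked throughout the hunk; whether `set -e` is in effect is not visible here, so an empty `$ksk1` would silently turn the follow-up `$SETTIME -K $dir ... $ksk1` into a call with no key argument.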
diff --git a/bin/tests/system/keymgr/tests.sh b/bin/tests/system/keymgr/tests.sh
index 667277f..5beb83c 100644
--- a/bin/tests/system/keymgr/tests.sh
+++ b/bin/tests/system/keymgr/tests.sh
@@ -17,130 +17,129 @@ SYSTEMTESTTOP=..
status=0
n=1
-matchall () {
- match_result=ok
- file=$1
- while IFS="," read expect matchline; do
- [ -z "$matchline" ] && continue
- matches=`grep "$matchline" $file | wc -l`
- [ "$matches" -ne "$expect" ] && {
- echo "'$matchline': expected $expect found $matches"
- return 1
- }
- done << EOF
+matchall() {
+ match_result=ok
+ file=$1
+ while IFS="," read expect matchline; do
+ [ -z "$matchline" ] && continue
+ matches=$(grep "$matchline" $file | wc -l)
+ [ "$matches" -ne "$expect" ] && {
+ echo "'$matchline': expected $expect found $matches"
+ return 1
+ }
+ done <<EOF
$2
EOF
- return 0
+ return 0
}
echo_i "checking for DNSSEC key coverage issues"
ret=0
for dir in [0-9][0-9]-*; do
- ret=0
- echo_i "$dir ($n)"
- kargs= cargs= kmatch= cmatch= kret= cret=0 warn= error= ok=
- . $dir/expect
-
- # use policy.conf if available
- policy=""
- if [ -e "$dir/policy.conf" ]; then
- policy="-c $dir/policy.conf"
- if grep -e "-c policy.conf" $dir/expect > /dev/null
- then
- echo_i "fix $dir/expect: multiple policy files"
- ret=1
- fi
- else
- policy="-c policy.conf"
- fi
-
- # run keymgr to update keys
- if [ "$CYGWIN" ]; then
- $KEYMGR $policy -K $dir -g `cygpath -w $KEYGEN` \
- -s `cygpath -w $SETTIME` $kargs > keymgr.$n 2>&1
- else
- $KEYMGR $policy -K $dir -g $KEYGEN \
- -s $SETTIME $kargs > keymgr.$n 2>&1
- fi
- # check that return code matches expectations
- found=$?
- if [ $found -ne $kret ]; then
- echo "keymgr retcode was $found expected $kret"
- ret=1
- fi
-
- # check for matches in keymgr output
- matchall keymgr.$n "$kmatch" || ret=1
-
- # now check coverage
- $COVERAGE -K $dir $cargs > coverage.$n 2>&1
- # check that return code matches expectations
- found=$?
- if [ $found -ne $cret ]; then
- echo "coverage retcode was $found expected $cret"
- ret=1
- fi
-
- # check for correct number of errors
- found=`grep ERROR coverage.$n | wc -l`
- if [ $found -ne $error ]; then
- echo "error count was $found expected $error"
- ret=1
- fi
-
- # check for correct number of warnings
- found=`grep WARNING coverage.$n | wc -l`
- if [ $found -ne $warn ]; then
- echo "warning count was $found expected $warn"
- ret=1
- fi
-
- # check for correct number of OKs
- found=`grep "No errors found" coverage.$n | wc -l`
- if [ $found -ne $ok ]; then
- echo "good count was $found expected $ok"
- ret=1
- fi
-
- # check for matches in coverage output
- matchall coverage.$n "$cmatch" || ret=1
-
- if [ -f $dir/extra.sh ]; then
- cd $dir
- . ./extra.sh
- cd ..
- fi
-
- n=`expr $n + 1`
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=`expr $status + $ret`
+ ret=0
+ echo_i "$dir ($n)"
+ kargs= cargs= kmatch= cmatch= kret= cret=0 warn= error= ok=
+ . $dir/expect
+
+ # use policy.conf if available
+ policy=""
+ if [ -e "$dir/policy.conf" ]; then
+ policy="-c $dir/policy.conf"
+ if grep -e "-c policy.conf" $dir/expect >/dev/null; then
+ echo_i "fix $dir/expect: multiple policy files"
+ ret=1
+ fi
+ else
+ policy="-c policy.conf"
+ fi
+
+ # run keymgr to update keys
+ if [ "$CYGWIN" ]; then
+ $KEYMGR $policy -K $dir -g $(cygpath -w $KEYGEN) \
+ -s $(cygpath -w $SETTIME) $kargs >keymgr.$n 2>&1
+ else
+ $KEYMGR $policy -K $dir -g $KEYGEN \
+ -s $SETTIME $kargs >keymgr.$n 2>&1
+ fi
+ # check that return code matches expectations
+ found=$?
+ if [ $found -ne $kret ]; then
+ echo "keymgr retcode was $found expected $kret"
+ ret=1
+ fi
+
+ # check for matches in keymgr output
+ matchall keymgr.$n "$kmatch" || ret=1
+
+ # now check coverage
+ $COVERAGE -K $dir $cargs >coverage.$n 2>&1
+ # check that return code matches expectations
+ found=$?
+ if [ $found -ne $cret ]; then
+ echo "coverage retcode was $found expected $cret"
+ ret=1
+ fi
+
+ # check for correct number of errors
+ found=$(grep ERROR coverage.$n | wc -l)
+ if [ $found -ne $error ]; then
+ echo "error count was $found expected $error"
+ ret=1
+ fi
+
+ # check for correct number of warnings
+ found=$(grep WARNING coverage.$n | wc -l)
+ if [ $found -ne $warn ]; then
+ echo "warning count was $found expected $warn"
+ ret=1
+ fi
+
+ # check for correct number of OKs
+ found=$(grep "No errors found" coverage.$n | wc -l)
+ if [ $found -ne $ok ]; then
+ echo "good count was $found expected $ok"
+ ret=1
+ fi
+
+ # check for matches in coverage output
+ matchall coverage.$n "$cmatch" || ret=1
+
+ if [ -f $dir/extra.sh ]; then
+ cd $dir
+ . ./extra.sh
+ cd ..
+ fi
+
+ n=$(expr $n + 1)
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$(expr $status + $ret)
done
echo_i "checking domains ending in . ($n)"
ret=0
-$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.1.$n 2>&1
-nkeys=`grep dnssec-keygen keymgr.1.$n | wc -l`
+$KEYMGR -g $KEYGEN -s $SETTIME . >keymgr.1.$n 2>&1
+nkeys=$(grep dnssec-keygen keymgr.1.$n | wc -l)
[ "$nkeys" -eq 2 ] || ret=1
-$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.2.$n 2>&1
-nkeys=`grep dnssec-keygen keymgr.2.$n | wc -l`
+$KEYMGR -g $KEYGEN -s $SETTIME . >keymgr.2.$n 2>&1
+nkeys=$(grep dnssec-keygen keymgr.2.$n | wc -l)
[ "$nkeys" -eq 0 ] || ret=1
-$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.3.$n 2>&1
-nkeys=`grep dnssec-keygen keymgr.3.$n | wc -l`
+$KEYMGR -g $KEYGEN -s $SETTIME example.com. >keymgr.3.$n 2>&1
+nkeys=$(grep dnssec-keygen keymgr.3.$n | wc -l)
[ "$nkeys" -eq 2 ] || ret=1
-$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.4.$n 2>&1
-nkeys=`grep dnssec-keygen keymgr.4.$n | wc -l`
+$KEYMGR -g $KEYGEN -s $SETTIME example.com. >keymgr.4.$n 2>&1
+nkeys=$(grep dnssec-keygen keymgr.4.$n | wc -l)
[ "$nkeys" -eq 0 ] || ret=1
-status=`expr $status + $ret`
-n=`expr $n + 1`
+status=$(expr $status + $ret)
+n=$(expr $n + 1)
echo_i "checking policy.conf parser ($n)"
ret=0
-PYTHONPATH="../../../python:$PYTHONPATH" ${PYTHON} testpolicy.py policy.sample > policy.out
-$DOS2UNIX policy.out > /dev/null 2>&1
+PYTHONPATH="../../../python:$PYTHONPATH" ${PYTHON} testpolicy.py policy.sample >policy.out
+$DOS2UNIX policy.out >/dev/null 2>&1
cmp -s policy.good policy.out || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-n=`expr $n + 1`
+status=$(expr $status + $ret)
+n=$(expr $n + 1)
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
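Review bot: The counters still go through `expr` (`n=$(expr $n + 1)` and `status=$(expr $status + $ret)`, repeated three times in the hunk) while the same commit formats `ret=$((ret + 1))` in keymgr2kasp/tests.sh; `n=$((n + 1))` and `status=$((status + ret))` are POSIX, avoid a fork per test and keep the two scripts in one style. In `matchall`, `read expect matchline` should be `read -r expect matchline` so a backslash in an expected pattern is not interpreted, and `grep "$matchline" $file | wc -l` can be `grep -c -- "$matchline" "$file"`. `match_result=ok` is assigned at the top of `matchall` but never read anywhere in this hunk; if nothing outside the file uses it, it can be dropped.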
diff --git a/bin/tests/system/keymgr2kasp/clean.sh b/bin/tests/system/keymgr2kasp/clean.sh
index 1fe2bb9..3f6a76f 100644
--- a/bin/tests/system/keymgr2kasp/clean.sh
+++ b/bin/tests/system/keymgr2kasp/clean.sh
@@ -31,4 +31,3 @@ rm -f ./retired.*
rm -f ./rndc.dnssec.*
rm -f ./unused.key*
rm -f ./verify.out.*
-
diff --git a/bin/tests/system/keymgr2kasp/ns3/setup.sh b/bin/tests/system/keymgr2kasp/ns3/setup.sh
index 6c1d0a5..bb71ad3 100644
--- a/bin/tests/system/keymgr2kasp/ns3/setup.sh
+++ b/bin/tests/system/keymgr2kasp/ns3/setup.sh
@@ -17,10 +17,10 @@
echo_i "ns3/setup.sh"
setup() {
- zone="$1"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- infile="${zone}.db.infile"
+ zone="$1"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
}
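Review bot: `setup` communicates through the globals `zone`, `zonefile` and `infile` rather than through output or a return value, and every block below depends on that side effect; a header comment would save the reader a check, e.g. `# Sets the globals zone, zonefile and infile used by the per-zone blocks below.`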
# Make lines shorter by storing key states in environment variables.
@@ -31,70 +31,70 @@ U="UNRETENTIVE"
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
setup migrate.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
ksktimes="-P now -A now -P sync now"
zsktimes="-P now -A now"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
# Set up Single-Type Signing Scheme zones with auto-dnssec maintain to
# migrate to dnssec-policy. This is a zone that has 'update-check-ksk no;'
# configured, meaning the zone is signed with a single CSK.
setup csk.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
csktimes="-P now -A now -P sync now"
-CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $csktimes $zone 2> keygen.out.$zone.1)
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
-$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $csktimes $zone 2>keygen.out.$zone.1)
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
setup csk-nosep.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
csktimes="-P now -A now -P sync now"
-CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $csktimes $zone 2> keygen.out.$zone.1)
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
-$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $csktimes $zone 2>keygen.out.$zone.1)
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# RSASHA256 keys, and will be migrated to a dnssec-policy that dictates
# ECDSAP256SHA256 keys.
setup migrate-nomatch-algnum.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h" # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
-KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone 5 "$KSK" >> "$infile"
-private_type_record $zone 5 "$ZSK" >> "$infile"
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone 5 "$KSK" >>"$infile"
+private_type_record $zone 5 "$ZSK" >>"$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# 2048 bits RSASHA256 keys, and will be migrated to a dnssec-policy that
# dictates 3072 bits RSASHA256 keys.
setup migrate-nomatch-alglen.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h" # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
-KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone 5 "$KSK" >> "$infile"
-private_type_record $zone 5 "$ZSK" >> "$infile"
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone 5 "$KSK" >>"$infile"
+private_type_record $zone 5 "$ZSK" >>"$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
#
# Set up zones to test time metadata correctly sets state.
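Review bot: The key names come from `KSK=$($KEYGEN ... 2>keygen.out.$zone.1)` and `ZSK=$(...)` with no check on the exit status; if dnssec-keygen fails, `$KSK` is empty and the following `cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"` tries to read a file literally named `.key`, so the error surfaces several steps away from its cause. Appending `|| exit 1` to the two assignments (the same pattern recurs in the csk, csk-nosep, nomatch-algnum and nomatch-alglen blocks of this hunk and in the rumoured/omnipresent hunk below) keeps the failure local. If the script runs under `set -e`, which is not visible in this hunk, the plain assignment form already aborts and this can be ignored.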
@@ -102,30 +102,30 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
# Key states expected to be rumoured after migration.
setup rumoured.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
Tds="now-2h"
Tkey="now-300s"
Tsig="now-11h"
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
# Key states expected to be omnipresent after migration.
setup omnipresent.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h" # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
diff --git a/bin/tests/system/keymgr2kasp/ns4/setup.sh b/bin/tests/system/keymgr2kasp/ns4/setup.sh
index 63121a0..d5a63e0 100644
--- a/bin/tests/system/keymgr2kasp/ns4/setup.sh
+++ b/bin/tests/system/keymgr2kasp/ns4/setup.sh
@@ -25,22 +25,22 @@ U="UNRETENTIVE"
zone="view-rsasha256.kasp"
algo="RSASHA256"
num="8"
-echo "$zone" >> zones
+echo "$zone" >>zones
# Set up zones in views with auto-dnssec maintain to migrate to dnssec-policy.
# The keys for these zones are in use long enough that they should start a
# rollover for the ZSK (P3M), but not long enough to initiate a KSK rollover (P1Y).
ksktimes="-P -186d -A -186d -P sync -186d"
zsktimes="-P -186d -A -186d"
-KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $algo -L 300 -b 2048 $zsktimes $zone 2> keygen.out.$zone.2)
+KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $algo -L 300 -b 2048 $zsktimes $zone 2>keygen.out.$zone.2)
echo_i "setting up zone $zone (external)"
view="ext"
zonefile="${zone}.${view}.db"
-cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile"
+cat template.$view.db.in "${KSK}.key" "${ZSK}.key" >"$zonefile"
echo_i "setting up zone $zone (internal)"
view="int"
zonefile="${zone}.${view}.db"
-cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile"
+cat template.$view.db.in "${KSK}.key" "${ZSK}.key" >"$zonefile"
diff --git a/bin/tests/system/keymgr2kasp/setup.sh b/bin/tests/system/keymgr2kasp/setup.sh
index e43f798..7c53890 100644
--- a/bin/tests/system/keymgr2kasp/setup.sh
+++ b/bin/tests/system/keymgr2kasp/setup.sh
@@ -25,10 +25,10 @@ copy_setports ns3/kasp.conf.in ns3/kasp.conf
# Setup zones
(
- cd ns3
- $SHELL setup.sh
+ cd ns3
+ $SHELL setup.sh
)
(
- cd ns4
- $SHELL setup.sh
+ cd ns4
+ $SHELL setup.sh
)
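Review bot: `cd ns3` and `cd ns4` inside the subshells have no failure check; if the directory is missing, `$SHELL setup.sh` runs against whatever setup.sh is in the current directory, which here appears to be this file itself. `cd ns3 || exit 1` and `cd ns4 || exit 1` abort the subshell instead of running the wrong script; the outer script would still continue, so callers should also check the subshell status if a missing directory must fail setup.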
diff --git a/bin/tests/system/keymgr2kasp/tests.sh b/bin/tests/system/keymgr2kasp/tests.sh
index 62b58a7..9bad69c 100644
--- a/bin/tests/system/keymgr2kasp/tests.sh
+++ b/bin/tests/system/keymgr2kasp/tests.sh
@@ -27,17 +27,17 @@ n=0
# Call dig with default options.
dig_with_opts() {
- if [ -n "$TSIG" ]; then
- "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@"
- else
- "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
- fi
+ if [ -n "$TSIG" ]; then
+ "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@"
+ else
+ "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+ fi
}
# Log error and increment failure rate.
log_error() {
- echo_i "error: $1"
- ret=$((ret+1))
+ echo_i "error: $1"
+ ret=$((ret + 1))
}
# Default next key event threshold. May be extended by wait periods.
@@ -48,29 +48,29 @@ next_key_event_threshold=100
###############################################################################
set_retired_removed() {
- _Lkey=$2
- _Iret=$3
+ _Lkey=$2
+ _Iret=$3
- _active=$(key_get $1 ACTIVE)
- set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}"
- _retired=$(key_get $1 RETIRED)
- set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
+ _active=$(key_get $1 ACTIVE)
+ set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}"
+ _retired=$(key_get $1 RETIRED)
+ set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
}
rollover_predecessor_keytimes() {
- _addtime=$1
+ _addtime=$1
- _created=$(key_get KEY1 CREATED)
+ _created=$(key_get KEY1 CREATED)
- set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
- set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
- set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
- [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
+ set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
- _created=$(key_get KEY2 CREATED)
- set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
- set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
- [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
+ _created=$(key_get KEY2 CREATED)
+ set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
}
# Policy parameters.
@@ -79,7 +79,6 @@ rollover_predecessor_keytimes() {
Lksk=0
Lzsk=0
-
#################################################
# Test state before switching to dnssec-policy. #
#################################################
@@ -88,38 +87,38 @@ Lzsk=0
# $1 $2: Algorithm number and string.
# $3 $4: KSK and ZSK size.
init_migration_keys() {
- key_clear "KEY1"
- key_set "KEY1" "LEGACY" "yes"
- set_keyrole "KEY1" "ksk"
- set_keylifetime "KEY1" "none"
- set_keyalgorithm "KEY1" "$1" "$2" "$3"
- set_keysigning "KEY1" "yes"
- set_zonesigning "KEY1" "no"
-
- key_clear "KEY2"
- key_set "KEY2" "LEGACY" "yes"
- set_keyrole "KEY2" "zsk"
- set_keylifetime "KEY2" "none"
- set_keyalgorithm "KEY2" "$1" "$2" "$4"
- set_keysigning "KEY2" "no"
- set_zonesigning "KEY2" "yes"
-
- key_clear "KEY3"
- key_clear "KEY4"
+ key_clear "KEY1"
+ key_set "KEY1" "LEGACY" "yes"
+ set_keyrole "KEY1" "ksk"
+ set_keylifetime "KEY1" "none"
+ set_keyalgorithm "KEY1" "$1" "$2" "$3"
+ set_keysigning "KEY1" "yes"
+ set_zonesigning "KEY1" "no"
+
+ key_clear "KEY2"
+ key_set "KEY2" "LEGACY" "yes"
+ set_keyrole "KEY2" "zsk"
+ set_keylifetime "KEY2" "none"
+ set_keyalgorithm "KEY2" "$1" "$2" "$4"
+ set_keysigning "KEY2" "no"
+ set_zonesigning "KEY2" "yes"
+
+ key_clear "KEY3"
+ key_clear "KEY4"
}
# Set expected key states for migration tests.
# $1: Goal
# $2: States
init_migration_states() {
- set_keystate "KEY1" "GOAL" "$1"
- set_keystate "KEY1" "STATE_DNSKEY" "$2"
- set_keystate "KEY1" "STATE_KRRSIG" "$2"
- set_keystate "KEY1" "STATE_DS" "$2"
-
- set_keystate "KEY2" "GOAL" "$1"
- set_keystate "KEY2" "STATE_DNSKEY" "$2"
- set_keystate "KEY2" "STATE_ZRRSIG" "$2"
+ set_keystate "KEY1" "GOAL" "$1"
+ set_keystate "KEY1" "STATE_DNSKEY" "$2"
+ set_keystate "KEY1" "STATE_KRRSIG" "$2"
+ set_keystate "KEY1" "STATE_DS" "$2"
+
+ set_keystate "KEY2" "GOAL" "$1"
+ set_keystate "KEY2" "STATE_DNSKEY" "$2"
+ set_keystate "KEY2" "STATE_ZRRSIG" "$2"
}
#
@@ -152,21 +151,21 @@ set_zone "csk.kasp"
set_policy "none" "1" "7200"
set_server "ns3" "10.53.0.3"
-key_clear "KEY1"
-key_set "KEY1" "LEGACY" "yes"
-set_keyrole "KEY1" "ksk"
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "yes"
+set_keyrole "KEY1" "ksk"
# This key also acts as a ZSK.
-key_set "KEY1" "ZSK" "yes"
-set_keylifetime "KEY1" "none"
+key_set "KEY1" "ZSK" "yes"
+set_keylifetime "KEY1" "none"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
key_clear "KEY2"
key_clear "KEY3"
@@ -177,9 +176,9 @@ check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The key is immediately published and activated.
_created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "PUBLISHED" "${_created}"
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
-set_keytime "KEY1" "ACTIVE" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
check_keytimes
check_apex
@@ -195,21 +194,21 @@ set_zone "csk-nosep.kasp"
set_policy "none" "1" "7200"
set_server "ns3" "10.53.0.3"
-key_clear "KEY1"
-key_set "KEY1" "LEGACY" "yes"
-set_keyrole "KEY1" "zsk"
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "yes"
+set_keyrole "KEY1" "zsk"
# Despite the missing SEP bit, this key also acts as a KSK.
-key_set "KEY1" "KSK" "yes"
-set_keylifetime "KEY1" "none"
+key_set "KEY1" "KSK" "yes"
+set_keylifetime "KEY1" "none"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
key_clear "KEY2"
key_clear "KEY3"
@@ -220,9 +219,9 @@ check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The key is immediately published and activated.
_created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "PUBLISHED" "${_created}"
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
-set_keytime "KEY1" "ACTIVE" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
check_keytimes
check_apex
@@ -290,15 +289,15 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# -P sync: now-3h
# -A : now-3900s
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
# The ZSK is immediately published and activated.
# -P: now-3900s
# -A: now-12h
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
check_keytimes
check_apex
check_subdomain
@@ -328,15 +327,15 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# P sync: now-3h
# A : now-3900s
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
# - The ZSK is immediately published and activated.
# P: now-3900s
# A: now-12h
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
check_keytimes
check_apex
check_subdomain
@@ -346,7 +345,6 @@ dnssec_verify
_migratenomatch_alglen_ksk=$(key_get KEY1 ID)
_migratenomatch_alglen_zsk=$(key_get KEY2 ID)
-
#############
# Reconfig. #
#############
@@ -356,47 +354,46 @@ rndc_reconfig ns3 10.53.0.3
# Calculate time passed to correctly check for next key events.
now="$(TZ=UTC date +%s)"
-time_passed=$((now-start_time))
+time_passed=$((now - start_time))
echo_i "${time_passed} seconds passed between start of tests and reconfig"
# Wait until we have seen "zone_rekey done:" message for this key.
_wait_for_done_signing() {
- _zone=$1
-
- _ksk=$(key_get $2 KSK)
- _zsk=$(key_get $2 ZSK)
- if [ "$_ksk" = "yes" ]; then
- _role="KSK"
- _expect_type=EXPECT_KRRSIG
- elif [ "$_zsk" = "yes" ]; then
- _role="ZSK"
- _expect_type=EXPECT_ZRRSIG
- fi
-
- if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then
- _keyid=$(key_get $2 ID)
- _keyalg=$(key_get $2 ALG_STR)
- echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
- grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1
- fi
-
- return 0
+ _zone=$1
+
+ _ksk=$(key_get $2 KSK)
+ _zsk=$(key_get $2 ZSK)
+ if [ "$_ksk" = "yes" ]; then
+ _role="KSK"
+ _expect_type=EXPECT_KRRSIG
+ elif [ "$_zsk" = "yes" ]; then
+ _role="ZSK"
+ _expect_type=EXPECT_ZRRSIG
+ fi
+
+ if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then
+ _keyid=$(key_get $2 ID)
+ _keyalg=$(key_get $2 ALG_STR)
+ echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
+ grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" >/dev/null || return 1
+ fi
+
+ return 0
}
wait_for_done_signing() {
- n=$((n+1))
- echo_i "wait for zone ${ZONE} is done signing ($n)"
- ret=0
+ n=$((n + 1))
+ echo_i "wait for zone ${ZONE} is done signing ($n)"
+ ret=0
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
}
-
################################################
# Test state after switching to dnssec-policy. #
################################################
@@ -439,9 +436,9 @@ rollover_predecessor_keytimes 0
# retire-safety: 1h (3600 seconds)
# IretZSK: 10d65m (867900 seconds)
active=$(key_get KEY2 ACTIVE)
-set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}"
+set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}"
retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# Continue signing policy checks.
check_keytimes
@@ -450,13 +447,13 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
ret=0
[ $_migrate_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_migrate_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Testing a good migration (CSK).
@@ -465,19 +462,19 @@ set_zone "csk.kasp"
set_policy "default" "1" "7200"
set_server "ns3" "10.53.0.3"
-key_clear "KEY1"
-key_set "KEY1" "LEGACY" "no"
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "no"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
key_clear "KEY2"
key_clear "KEY3"
@@ -490,9 +487,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The key was immediately published and activated.
_created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "PUBLISHED" "${_created}"
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
-set_keytime "KEY1" "ACTIVE" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
# Continue signing policy checks.
check_keytimes
@@ -501,12 +498,12 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
ret=0
[ $_migrate_csk = $(key_get KEY1 ID) ] || log_error "mismatch csk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Testing a good migration (CSK, no SEP).
@@ -515,20 +512,20 @@ set_zone "csk-nosep.kasp"
set_policy "default" "1" "7200"
set_server "ns3" "10.53.0.3"
-key_clear "KEY1"
-key_set "KEY1" "LEGACY" "no"
-set_keyrole "KEY1" "csk"
-key_set "KEY1" "FLAGS" "256"
-set_keylifetime "KEY1" "0"
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "no"
+set_keyrole "KEY1" "csk"
+key_set "KEY1" "FLAGS" "256"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
key_clear "KEY2"
key_clear "KEY3"
@@ -541,9 +538,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The key was immediately published and activated.
_created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "PUBLISHED" "${_created}"
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
-set_keytime "KEY1" "ACTIVE" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
# Continue signing policy checks.
check_keytimes
@@ -552,12 +549,12 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
ret=0
[ $_migrate_csk_nosep = $(key_get KEY1 ID) ] || log_error "mismatch csk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Test migration to dnssec-policy, existing keys do not match key algorithm.
@@ -572,24 +569,24 @@ init_migration_states "hidden" "omnipresent"
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"
-set_keyrole "KEY3" "ksk"
-set_keylifetime "KEY3" "0"
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY3" "yes"
-set_zonesigning "KEY3" "no"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
-set_keyrole "KEY4" "zsk"
-set_keylifetime "KEY4" "5184000"
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "5184000"
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY4" "no"
-set_zonesigning "KEY4" "yes"
+set_keysigning "KEY4" "no"
+set_zonesigning "KEY4" "yes"
-set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY3" "STATE_DS" "hidden"
+set_keystate "KEY3" "STATE_DS" "hidden"
-set_keystate "KEY4" "GOAL" "omnipresent"
+set_keystate "KEY4" "GOAL" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
@@ -611,13 +608,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# IretKSK: 4h (14400 seconds)
IretKSK=14400
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
keyfile=$(key_get KEY1 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
-retired=$(awk '{print $3}' < retired.test${n}.ksk)
-set_keytime "KEY1" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk
+retired=$(awk '{print $3}' <retired.test${n}.ksk)
+set_keytime "KEY1" "RETIRED" "${retired}"
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
# P: now-3900s
@@ -632,17 +629,17 @@ set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
IretZSK=824400
Lzsk=5184000
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
keyfile=$(key_get KEY2 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
-retired=$(awk '{print $3}' < retired.test${n}.zsk)
-set_keytime "KEY2" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk
+retired=$(awk '{print $3}' <retired.test${n}.zsk)
+set_keytime "KEY2" "RETIRED" "${retired}"
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new KSK is immediately published and activated.
created=$(key_get KEY3 CREATED)
-set_keytime "KEY3" "PUBLISHED" "${created}"
-set_keytime "KEY3" "ACTIVE" "${created}"
+set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
# TTLsig: 11h (39600 seconds)
# Dprp: 1h (3600 seconds)
@@ -652,12 +649,12 @@ Ipub=46800
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
# - The ZSK is immediately published and activated.
created=$(key_get KEY4 CREATED)
-set_keytime "KEY4" "PUBLISHED" "${created}"
-set_keytime "KEY4" "ACTIVE" "${created}"
+set_keytime "KEY4" "PUBLISHED" "${created}"
+set_keytime "KEY4" "ACTIVE" "${created}"
active=$(key_get KEY4 ACTIVE)
-set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
+set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
retired=$(key_get KEY4 RETIRED)
-set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
# Continue signing policy checks.
check_keytimes
@@ -666,13 +663,13 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
ret=0
[ $_migratenomatch_algnum_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_migratenomatch_algnum_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Test migration to dnssec-policy, existing keys do not match key length.
@@ -688,25 +685,25 @@ init_migration_states "hidden" "omnipresent"
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"
-set_keyrole "KEY3" "ksk"
-set_keylifetime "KEY3" "0"
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
-set_keysigning "KEY3" "yes"
-set_zonesigning "KEY3" "no"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
-set_keyrole "KEY4" "zsk"
-set_keylifetime "KEY4" "5184000"
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "5184000"
set_keyalgorithm "KEY4" "8" "RSASHA256" "3072"
-set_keysigning "KEY4" "no"
+set_keysigning "KEY4" "no"
# This key is considered to be prepublished, so it is not yet signing.
-set_zonesigning "KEY4" "no"
+set_zonesigning "KEY4" "no"
-set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY3" "STATE_DS" "hidden"
+set_keystate "KEY3" "STATE_DS" "hidden"
-set_keystate "KEY4" "GOAL" "omnipresent"
+set_keystate "KEY4" "GOAL" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
@@ -728,13 +725,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# IretKSK: 4h (14400 seconds)
IretKSK=14400
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
keyfile=$(key_get KEY1 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
-retired=$(awk '{print $3}' < retired.test${n}.ksk)
-set_keytime "KEY1" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk
+retired=$(awk '{print $3}' <retired.test${n}.ksk)
+set_keytime "KEY1" "RETIRED" "${retired}"
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
# P: now-3900s
@@ -749,17 +746,17 @@ set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
IretZSK=824400
Lzsk=5184000
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
keyfile=$(key_get KEY2 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
-retired=$(awk '{print $3}' < retired.test${n}.zsk)
-set_keytime "KEY2" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk
+retired=$(awk '{print $3}' <retired.test${n}.zsk)
+set_keytime "KEY2" "RETIRED" "${retired}"
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new KSK is immediately published and activated.
created=$(key_get KEY3 CREATED)
-set_keytime "KEY3" "PUBLISHED" "${created}"
-set_keytime "KEY3" "ACTIVE" "${created}"
+set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
# TTLsig: 11h (39600 seconds)
# Dprp: 1h (3600 seconds)
@@ -769,12 +766,12 @@ Ipub=46800
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
# - The ZSK is immediately published and activated.
created=$(key_get KEY4 CREATED)
-set_keytime "KEY4" "PUBLISHED" "${created}"
-set_keytime "KEY4" "ACTIVE" "${created}"
+set_keytime "KEY4" "PUBLISHED" "${created}"
+set_keytime "KEY4" "ACTIVE" "${created}"
active=$(key_get KEY4 ACTIVE)
-set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
+set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
retired=$(key_get KEY4 RETIRED)
-set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
# Continue signing policy checks.
check_keytimes
@@ -783,13 +780,13 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
ret=0
[ $_migratenomatch_alglen_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_migratenomatch_alglen_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
########################################################
# Testing key states derived from key timing metadata. #
@@ -833,13 +830,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Tkey="now-300s" (300)
# Tsig="now-11h" (39600)
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -300
-set_addkeytime "KEY1" "ACTIVE" "${created}" -300
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -7200
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -300
+set_addkeytime "KEY1" "ACTIVE" "${created}" -300
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -7200
set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -300
-set_addkeytime "KEY2" "ACTIVE" "${created}" -39600
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -300
+set_addkeytime "KEY2" "ACTIVE" "${created}" -39600
set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
# Continue signing policy checks.
@@ -849,13 +846,13 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
ret=0
[ $_rumoured_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_rumoured_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Testing omnipresent state.
@@ -883,13 +880,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Tkey="now-3900s" (3900)
# Tsig="now-12h" (43200)
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
# Continue signing policy checks.
@@ -899,55 +896,54 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
ret=0
[ $_omnipresent_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_omnipresent_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
+status=$((status + ret))
######################################
# Testing good migration with views. #
######################################
init_view_migration() {
- key_clear "KEY1"
- key_set "KEY1" "LEGACY" "yes"
- set_keyrole "KEY1" "ksk"
- set_keylifetime "KEY1" "0"
- set_keysigning "KEY1" "yes"
- set_zonesigning "KEY1" "no"
-
- key_clear "KEY2"
- key_set "KEY2" "LEGACY" "yes"
- set_keyrole "KEY2" "zsk"
- set_keylifetime "KEY2" "0"
- set_keysigning "KEY2" "no"
- set_zonesigning "KEY2" "yes"
-
- key_clear "KEY3"
- key_clear "KEY4"
-
- set_keystate "KEY1" "GOAL" "omnipresent"
- set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
- set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
- set_keystate "KEY1" "STATE_DS" "rumoured"
-
- set_keystate "KEY2" "GOAL" "omnipresent"
- set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
- set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+ key_clear "KEY1"
+ key_set "KEY1" "LEGACY" "yes"
+ set_keyrole "KEY1" "ksk"
+ set_keylifetime "KEY1" "0"
+ set_keysigning "KEY1" "yes"
+ set_zonesigning "KEY1" "no"
+
+ key_clear "KEY2"
+ key_set "KEY2" "LEGACY" "yes"
+ set_keyrole "KEY2" "zsk"
+ set_keylifetime "KEY2" "0"
+ set_keysigning "KEY2" "no"
+ set_zonesigning "KEY2" "yes"
+
+ key_clear "KEY3"
+ key_clear "KEY4"
+
+ set_keystate "KEY1" "GOAL" "omnipresent"
+ set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+ set_keystate "KEY1" "STATE_DS" "rumoured"
+
+ set_keystate "KEY2" "GOAL" "omnipresent"
+ set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
}
set_keytimes_view_migration() {
- # Key is six months in use.
- created=$(key_get KEY1 CREATED)
- set_addkeytime "KEY1" "PUBLISHED" "${created}" -16070400
- set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -16070400
- set_addkeytime "KEY1" "ACTIVE" "${created}" -16070400
- created=$(key_get KEY2 CREATED)
- set_addkeytime "KEY2" "PUBLISHED" "${created}" -16070400
- set_addkeytime "KEY2" "ACTIVE" "${created}" -16070400
+ # Key is six months in use.
+ created=$(key_get KEY1 CREATED)
+ set_addkeytime "KEY1" "PUBLISHED" "${created}" -16070400
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -16070400
+ set_addkeytime "KEY1" "ACTIVE" "${created}" -16070400
+ created=$(key_get KEY2 CREATED)
+ set_addkeytime "KEY2" "PUBLISHED" "${created}" -16070400
+ set_addkeytime "KEY2" "ACTIVE" "${created}" -16070400
}
# Zone view.rsasha256.kasp (external)
@@ -965,16 +961,16 @@ set_keytimes_view_migration
check_keytimes
dnssec_verify
-n=$((n+1))
+n=$((n + 1))
# check subdomain
echo_i "check TXT $ZONE (view ext) rrset is signed correctly ($n)"
ret=0
-dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
-grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
-grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Remember legacy key tags.
_migrate_ext8_ksk=$(key_get KEY1 ID)
@@ -995,16 +991,16 @@ set_keytimes_view_migration
check_keytimes
dnssec_verify
-n=$((n+1))
+n=$((n + 1))
# check subdomain
echo_i "check TXT $ZONE (view int) rrset is signed correctly ($n)"
ret=0
-dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
-grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
-grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Remember legacy key tags.
_migrate_int8_ksk=$(key_get KEY1 ID)
@@ -1017,7 +1013,7 @@ rndc_reconfig ns4 10.53.0.4
# Calculate time passed to correctly check for next key events.
now="$(TZ=UTC date +%s)"
-time_passed=$((now-start_time))
+time_passed=$((now - start_time))
echo_i "${time_passed} seconds passed between start of tests and reconfig"
#
@@ -1030,26 +1026,26 @@ init_migration_keys "8" "RSASHA256" "2048" "2048"
init_migration_states "omnipresent" "rumoured"
# Key properties, timings and metadata should be the same as legacy keys above.
# However, because the keys have a lifetime, kasp will set the retired time.
-key_set "KEY1" "LEGACY" "no"
-set_keylifetime "KEY1" "31536000"
-set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
-
-key_set "KEY2" "LEGACY" "no"
-set_keylifetime "KEY2" "8035200"
-set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+key_set "KEY1" "LEGACY" "no"
+set_keylifetime "KEY1" "31536000"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+key_set "KEY2" "LEGACY" "no"
+set_keylifetime "KEY2" "8035200"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# The ZSK needs to be replaced.
-set_keystate "KEY2" "GOAL" "hidden"
-set_keystate "KEY3" "GOAL" "omnipresent"
-set_keyrole "KEY3" "zsk"
-set_keylifetime "KEY3" "8035200"
+set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "8035200"
set_keyalgorithm "KEY3" "8" "RSASHA256" "2048"
-set_keysigning "KEY3" "no"
-set_zonesigning "KEY3" "no" # not yet
-set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "no" # not yet
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
# Various signing policy checks (external).
TSIG="$DEFAULT_HMAC:external:$VIEW1"
@@ -1060,11 +1056,11 @@ set_keytimes_view_migration
# Set expected key times:
published=$(key_get KEY1 PUBLISHED)
-set_keytime "KEY1" "ACTIVE" "${published}"
+set_keytime "KEY1" "ACTIVE" "${published}"
set_keytime "KEY1" "SYNCPUBLISH" "${published}"
# Lifetime: 1 year (8035200 seconds)
active=$(key_get KEY1 ACTIVE)
-set_addkeytime "KEY1" "RETIRED" "${active}" "31536000"
+set_addkeytime "KEY1" "RETIRED" "${active}" "31536000"
# Retire interval:
# DS TTL: 1d
# Parent zone propagation: 3h
@@ -1088,7 +1084,7 @@ retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "867900"
created=$(key_get KEY3 CREATED)
-set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "PUBLISHED" "${created}"
# Publication interval:
# DNSKEY TTL: 300s
# Publish safety: 1h
@@ -1123,7 +1119,7 @@ check_apex
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
ret=0
[ $_migrate_ext8_ksk = $_migrate_int8_ksk ] || log_error "mismatch ksk tag"
@@ -1131,7 +1127,7 @@ ret=0
[ $_migrate_ext8_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_migrate_ext8_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1