From 3a8f8bef7340cf47837e9bb89b7a24d3844005ec Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 28 Apr 2024 01:51:28 +0200
Subject: Adding upstream version 1:9.16.48.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 bin/tests/system/inline/tests.sh | 1090 +++++++++++++++++++-------------------
 1 file changed, 542 insertions(+), 548 deletions(-)

(limited to 'bin/tests/system/inline/tests.sh')

diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
index 2242d79..90c7a1b 100755
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@@ -18,29 +18,28 @@ DIGOPTS="+tcp +dnssec -p ${PORT}"
 RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
 
 dig_with_opts() {
-	$DIG $DIGOPTS "$@"
+  $DIG $DIGOPTS "$@"
 }
 
 rndccmd() {
-	$RNDCCMD "$@"
+  $RNDCCMD "$@"
 }
 
 wait_for_serial() (
-    $DIG $DIGOPTS "@$1" "$2" SOA > "$4"
-    serial=$(awk '$4 == "SOA" { print $7 }' "$4")
-    [ "$3" -eq "${serial:--1}" ]
+  $DIG $DIGOPTS "@$1" "$2" SOA >"$4"
+  serial=$(awk '$4 == "SOA" { print $7 }' "$4")
+  [ "$3" -eq "${serial:--1}" ]
 )
 
 status=0
 n=0
 
-$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 >/dev/null 2>&1
 
-for i in 1 2 3 4 5 6 7 8 9 0
-do
-	nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.)
-	test "$nsec3param" = "1 0 0 -" && break
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 0; do
+  nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.)
+  test "$nsec3param" = "1 0 0 -" && break
+  sleep 1
 done
 
 n=$((n + 1))
@@ -53,22 +52,21 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that rrsigs are replaced with ksk only ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 axfr nsec3. |
-	awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1
+$DIG $DIGOPTS @10.53.0.3 axfr nsec3. \
+  | awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking that the zone is signed on initial transfer ($n)"
 ret=0
-for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
-do
-	ret=0
-	$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
-	keys=$(grep '^Done signing' signing.out.test$n | wc -l)
-	[ $keys = 2 ] || ret=1
-	if [ $ret = 0 ]; then break; fi
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10; do
+  ret=0
+  $RNDCCMD 10.53.0.3 signing -list bits >signing.out.test$n 2>&1
+  keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+  [ $keys = 2 ] || ret=1
+  if [ $ret = 0 ]; then break; fi
+  sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -76,7 +74,7 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking expired signatures are updated on load ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n
+$DIG $DIGOPTS @10.53.0.3 +noall +answer +dnssec expired SOA >dig.out.ns3.test$n
 expiry=$(awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n)
 [ "$expiry" = "20110101000000" ] && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -85,20 +83,19 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking removal of private type record via 'rndc signing -clear' ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
+$RNDCCMD 10.53.0.3 signing -list bits >signing.out.test$n 2>&1
 keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
 for key in $keys; do
-	$RNDCCMD 10.53.0.3 signing -clear ${key} bits > /dev/null || ret=1
-	break;	# We only want to remove 1 record for now.
-done 2>&1 |sed 's/^/ns3 /' | cat_i
-
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-	ans=0
-	$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
-        num=$(grep "Done signing with" signing.out.test$n | wc -l)
-	[ $num = 1 ] && break
-	sleep 1
+  $RNDCCMD 10.53.0.3 signing -clear ${key} bits >/dev/null || ret=1
+  break # We only want to remove 1 record for now.
+done 2>&1 | sed 's/^/ns3 /' | cat_i
+
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  ans=0
+  $RNDCCMD 10.53.0.3 signing -list bits >signing.out.test$n 2>&1
+  num=$(grep "Done signing with" signing.out.test$n | wc -l)
+  [ $num = 1 ] && break
+  sleep 1
 done
 [ $ans = 0 ] || ret=1
 
@@ -108,9 +105,9 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking private type was properly signed ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n
-grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 >dig.out.ns6.test$n
+grep "ANSWER: 2," dig.out.ns6.test$n >/dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n >/dev/null || ret=1
 
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -118,15 +115,14 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking removal of remaining private type record via 'rndc signing -clear all' ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1
+$RNDCCMD 10.53.0.3 signing -clear all bits >/dev/null || ret=1
 
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-	ans=0
-	$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
-	grep "No signing records found" signing.out.test$n > /dev/null || ans=1
-	[ $ans = 1 ] || break
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  ans=0
+  $RNDCCMD 10.53.0.3 signing -list bits >signing.out.test$n 2>&1
+  grep "No signing records found" signing.out.test$n >/dev/null || ans=1
+  [ $ans = 1 ] || break
+  sleep 1
 done
 [ $ans = 0 ] || ret=1
 
@@ -137,15 +133,15 @@ n=$((n + 1))
 echo_i "checking negative private type response was properly signed ($n)"
 ret=0
 sleep 1
-$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n
-grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 >dig.out.ns6.test$n
+grep "status: NOERROR" dig.out.ns6.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns6.test$n >/dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n >/dev/null || ret=1
 
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-$NSUPDATE << EOF
+$NSUPDATE <<EOF
 zone bits
 server 10.53.0.2 ${PORT}
 update add added.bits 0 A 1.2.3.4
@@ -155,28 +151,27 @@ EOF
 n=$((n + 1))
 echo_i "checking that the record is added on the hidden primary ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 added.bits A > dig.out.ns2.test$n
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 added.bits A >dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking that update has been transferred and has been signed ($n)"
 ret=0
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-	ret=0
-	$DIG $DIGOPTS @10.53.0.3 added.bits A > dig.out.ns3.test$n
-	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
-	if [ $ret = 0 ]; then break; fi
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  ret=0
+  $DIG $DIGOPTS @10.53.0.3 added.bits A >dig.out.ns3.test$n
+  grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+  grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1
+  if [ $ret = 0 ]; then break; fi
+  sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-$NSUPDATE << EOF
+$NSUPDATE <<EOF
 zone bits
 server 10.53.0.2 ${PORT}
 update add bits 0 SOA ns2.bits. . 2011072400 20 20 1814400 3600
@@ -186,24 +181,23 @@ EOF
 n=$((n + 1))
 echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2011072400" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 bits SOA >dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2011072400" dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone ($n)"
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-	ret=0
-	$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
-	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
-	grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
-	if [ $ret = 0 ]; then break; fi
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  ret=0
+  $DIG $DIGOPTS @10.53.0.3 bits SOA >dig.out.ns3.test$n
+  grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+  grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1
+  grep "2011072400" dig.out.ns3.test$n >/dev/null || ret=1
+  if [ $ret = 0 ]; then break; fi
+  sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -211,19 +205,18 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that the zone is signed on initial transfer, noixfr ($n)"
 ret=0
-for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
-do
-	ret=0
-	$RNDCCMD 10.53.0.3 signing -list noixfr > signing.out.test$n 2>&1
-	keys=$(grep '^Done signing' signing.out.test$n | wc -l)
-	[ $keys = 2 ] || ret=1
-	if [ $ret = 0 ]; then break; fi
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10; do
+  ret=0
+  $RNDCCMD 10.53.0.3 signing -list noixfr >signing.out.test$n 2>&1
+  keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+  [ $keys = 2 ] || ret=1
+  if [ $ret = 0 ]; then break; fi
+  sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-$NSUPDATE << EOF
+$NSUPDATE <<EOF
 zone noixfr
 server 10.53.0.4 ${PORT}
 update add added.noixfr 0 A 1.2.3.4
@@ -233,28 +226,27 @@ EOF
 n=$((n + 1))
 echo_i "checking that the record is added on the hidden primary, noixfr ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.4 added.noixfr A > dig.out.ns4.test$n
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.4 added.noixfr A >dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking that update has been transferred and has been signed, noixfr ($n)"
 ret=0
-for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
-do
-	ret=0
-	$DIG $DIGOPTS @10.53.0.3 added.noixfr A > dig.out.ns3.test$n
-	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
-	if [ $ret = 0 ]; then break; fi
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10; do
+  ret=0
+  $DIG $DIGOPTS @10.53.0.3 added.noixfr A >dig.out.ns3.test$n
+  grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+  grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1
+  if [ $ret = 0 ]; then break; fi
+  sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-$NSUPDATE << EOF
+$NSUPDATE <<EOF
 zone noixfr
 server 10.53.0.4 ${PORT}
 update add noixfr 0 SOA ns4.noixfr. . 2011072400 20 20 1814400 3600
@@ -264,24 +256,23 @@ EOF
 n=$((n + 1))
 echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary, noixfr ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
-grep "2011072400" dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.4 noixfr SOA >dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1
+grep "2011072400" dig.out.ns4.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)"
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-	ret=0
-	$DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n
-	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
-	grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
-	if [ $ret = 0 ]; then break; fi
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  ret=0
+  $DIG $DIGOPTS @10.53.0.3 noixfr SOA >dig.out.ns3.test$n
+  grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+  grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1
+  grep "2011072400" dig.out.ns3.test$n >/dev/null || ret=1
+  if [ $ret = 0 ]; then break; fi
+  sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -289,14 +280,13 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that the primary zone signed on initial load ($n)"
 ret=0
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-	ret=0
-	$RNDCCMD 10.53.0.3 signing -list master  > signing.out.test$n 2>&1
-	keys=$(grep '^Done signing' signing.out.test$n | wc -l)
-	[ $keys = 2 ] || ret=1
-	if [ $ret = 0 ]; then break; fi
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  ret=0
+  $RNDCCMD 10.53.0.3 signing -list master >signing.out.test$n 2>&1
+  keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+  [ $keys = 2 ] || ret=1
+  if [ $ret = 0 ]; then break; fi
+  sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -304,20 +294,19 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking removal of private type record via 'rndc signing -clear' (primary) ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
+$RNDCCMD 10.53.0.3 signing -list master >signing.out.test$n 2>&1
 keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
 for key in $keys; do
-	$RNDCCMD 10.53.0.3 signing -clear ${key} master > /dev/null || ret=1
-	break;	# We only want to remove 1 record for now.
-done 2>&1 |sed 's/^/ns3 /' | cat_i
-
-for i in 1 2 3 4 5 6 7 8 9
-do
-	ans=0
-	$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
-        num=$(grep "Done signing with" signing.out.test$n | wc -l)
-	[ $num = 1 ] && break
-	sleep 1
+  $RNDCCMD 10.53.0.3 signing -clear ${key} master >/dev/null || ret=1
+  break # We only want to remove 1 record for now.
+done 2>&1 | sed 's/^/ns3 /' | cat_i
+
+for i in 1 2 3 4 5 6 7 8 9; do
+  ans=0
+  $RNDCCMD 10.53.0.3 signing -list master >signing.out.test$n 2>&1
+  num=$(grep "Done signing with" signing.out.test$n | wc -l)
+  [ $num = 1 ] && break
+  sleep 1
 done
 [ $ans = 0 ] || ret=1
 
@@ -327,9 +316,9 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking private type was properly signed (primary) ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.6 master TYPE65534 > dig.out.ns6.test$n
-grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.6 master TYPE65534 >dig.out.ns6.test$n
+grep "ANSWER: 2," dig.out.ns6.test$n >/dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n >/dev/null || ret=1
 
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -337,14 +326,13 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking removal of remaining private type record via 'rndc signing -clear' (primary) ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 signing -clear all master > /dev/null || ret=1
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-	ans=0
-	$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
-	grep "No signing records found" signing.out.test$n > /dev/null || ans=1
-	[ $ans = 1 ] || break
-	sleep 1
+$RNDCCMD 10.53.0.3 signing -clear all master >/dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  ans=0
+  $RNDCCMD 10.53.0.3 signing -list master >signing.out.test$n 2>&1
+  grep "No signing records found" signing.out.test$n >/dev/null || ans=1
+  [ $ans = 1 ] || break
+  sleep 1
 done
 [ $ans = 0 ] || ret=1
 
@@ -356,14 +344,13 @@ echo_i "check adding of record to unsigned primary ($n)"
 ret=0
 cp ns3/master2.db.in ns3/master.db
 rndc_reload ns3 10.53.0.3 master
-for i in 1 2 3 4 5 6 7 8 9
-do
-	ans=0
-	$DIG $DIGOPTS @10.53.0.3 e.master A > dig.out.ns3.test$n
-	grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ans=1
-	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
-	[ $ans = 1 ] || break
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9; do
+  ans=0
+  $DIG $DIGOPTS @10.53.0.3 e.master A >dig.out.ns3.test$n
+  grep "10.0.0.5" dig.out.ns3.test$n >/dev/null || ans=1
+  grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ans=1
+  [ $ans = 1 ] || break
+  sleep 1
 done
 [ $ans = 0 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -372,11 +359,11 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "check adding record fails when SOA serial not changed ($n)"
 ret=0
-echo "c A 10.0.0.3" >> ns3/master.db
+echo "c A 10.0.0.3" >>ns3/master.db
 rndc_reload ns3 10.53.0.3
 sleep 1
-$DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n
-grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 c.master A >dig.out.ns3.test$n
+grep "NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -385,14 +372,13 @@ echo_i "check adding record works after updating SOA serial ($n)"
 ret=0
 cp ns3/master3.db.in ns3/master.db
 $RNDCCMD 10.53.0.3 reload master 2>&1 | sed 's/^/ns3 /' | cat_i
-for i in 1 2 3 4 5 6 7 8 9
-do
-	ans=0
-	$DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n
-	grep "10.0.0.3" dig.out.ns3.test$n > /dev/null || ans=1
-	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
-	[ $ans = 1 ] || break
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9; do
+  ans=0
+  $DIG $DIGOPTS @10.53.0.3 c.master A >dig.out.ns3.test$n
+  grep "10.0.0.3" dig.out.ns3.test$n >/dev/null || ans=1
+  grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ans=1
+  [ $ans = 1 ] || break
+  sleep 1
 done
 [ $ans = 0 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -401,24 +387,23 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "check the added record was properly signed ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 e.master A > dig.out.ns6.test$n
-grep "10.0.0.5" dig.out.ns6.test$n > /dev/null || ans=1
-grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ans=1
-grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ans=1
+$DIG $DIGOPTS @10.53.0.3 e.master A >dig.out.ns6.test$n
+grep "10.0.0.5" dig.out.ns6.test$n >/dev/null || ans=1
+grep "ANSWER: 2," dig.out.ns6.test$n >/dev/null || ans=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n >/dev/null || ans=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking that the dynamic primary zone signed on initial load ($n)"
 ret=0
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-	ret=0
-	$RNDCCMD 10.53.0.3 signing -list dynamic > signing.out.test$n 2>&1
-	keys=$(grep '^Done signing' signing.out.test$n | wc -l)
-	[ $keys = 2 ] || ret=1
-	if [ $ret = 0 ]; then break; fi
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  ret=0
+  $RNDCCMD 10.53.0.3 signing -list dynamic >signing.out.test$n 2>&1
+  keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+  [ $keys = 2 ] || ret=1
+  if [ $ret = 0 ]; then break; fi
+  sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -431,9 +416,9 @@ serial=$(awk '{print $3}' dig.out.ns2.soa.test$n)
 # serial should have changed
 [ "$serial" = "2000042407" ] && ret=1
 # e.updated should exist and should be signed
-$DIG $DIGOPTS @10.53.0.3 e.updated A > dig.out.ns3.test$n
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 e.updated A >dig.out.ns3.test$n
+grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1
 # updated.db.signed.jnl should exist, should have the source serial
 # of master2.db, and should show a minimal diff: no more than 8 added
 # records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records
@@ -441,7 +426,7 @@ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
 $JOURNALPRINT ns3/updated.db.signed.jnl >journalprint.out.test$n
 serial=$(awk '/Source serial =/ {print $4}' journalprint.out.test$n)
 [ "$serial" = "2000042408" ] || ret=1
-diffsize=$(wc -l < journalprint.out.test$n)
+diffsize=$(wc -l <journalprint.out.test$n)
 [ "$diffsize" -le 13 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -450,28 +435,37 @@ n=$((n + 1))
 echo_i "checking adding of record to unsigned primary using UPDATE ($n)"
 ret=0
 
-[ -f ns3/dynamic.db.jnl ] && { ret=1 ; echo_i "journal exists (pretest)" ; }
+[ -f ns3/dynamic.db.jnl ] && {
+  ret=1
+  echo_i "journal exists (pretest)"
+}
 
-$NSUPDATE << EOF
+$NSUPDATE <<EOF
 zone dynamic
 server 10.53.0.3 ${PORT}
 update add e.dynamic 0 A 1.2.3.4
 send
 EOF
 
-[ -f ns3/dynamic.db.jnl ] || { ret=1 ; echo_i "journal does not exist (posttest)" ; }
-
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-	ans=0
-	$DIG $DIGOPTS @10.53.0.3 e.dynamic > dig.out.ns3.test$n
-	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
-	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
-	grep "1.2.3.4" dig.out.ns3.test$n > /dev/null || ans=1
-	[ $ans = 0 ] && break
-	sleep 1
+[ -f ns3/dynamic.db.jnl ] || {
+  ret=1
+  echo_i "journal does not exist (posttest)"
+}
+
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  ans=0
+  $DIG $DIGOPTS @10.53.0.3 e.dynamic >dig.out.ns3.test$n
+  grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ans=1
+  grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ans=1
+  grep "1.2.3.4" dig.out.ns3.test$n >/dev/null || ans=1
+  [ $ans = 0 ] && break
+  sleep 1
 done
-[ $ans = 0 ] || { ret=1; echo_i "signed record not found"; cat dig.out.ns3.test$n ; }
+[ $ans = 0 ] || {
+  ret=1
+  echo_i "signed record not found"
+  cat dig.out.ns3.test$n
+}
 
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -490,7 +484,7 @@ start_server --noclean --restart --port ${PORT} ns3 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-$NSUPDATE << EOF
+$NSUPDATE <<EOF
 zone bits
 server 10.53.0.2 ${PORT}
 update add bits 0 SOA ns2.bits. . 2011072450 20 20 1814400 3600
@@ -500,29 +494,28 @@ EOF
 n=$((n + 1))
 echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2011072450" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 bits SOA >dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2011072450" dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone ($n)"
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-	ret=0
-	$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
-	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
-	grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
-	if [ $ret = 0 ]; then break; fi
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  ret=0
+  $DIG $DIGOPTS @10.53.0.3 bits SOA >dig.out.ns3.test$n
+  grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+  grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1
+  grep "2011072450" dig.out.ns3.test$n >/dev/null || ret=1
+  if [ $ret = 0 ]; then break; fi
+  sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-$NSUPDATE << EOF
+$NSUPDATE <<EOF
 zone noixfr
 server 10.53.0.4 ${PORT}
 update add noixfr 0 SOA ns4.noixfr. . 2011072450 20 20 1814400 3600
@@ -532,29 +525,28 @@ EOF
 n=$((n + 1))
 echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary, noixfr ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
-grep "2011072450" dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.4 noixfr SOA >dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1
+grep "2011072450" dig.out.ns4.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)"
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-	ret=0
-	$DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n
-	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
-	grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
-	if [ $ret = 0 ]; then break; fi
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  ret=0
+  $DIG $DIGOPTS @10.53.0.3 noixfr SOA >dig.out.ns3.test$n
+  grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+  grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1
+  grep "2011072450" dig.out.ns3.test$n >/dev/null || ret=1
+  if [ $ret = 0 ]; then break; fi
+  sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-$NSUPDATE << EOF
+$NSUPDATE <<EOF
 zone bits
 server 10.53.0.3 ${PORT}
 update add bits 0 SOA ns2.bits. . 2011072460 20 20 1814400 3600
@@ -564,29 +556,28 @@ EOF
 n=$((n + 1))
 echo_i "checking forwarded update on hidden primary ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2011072460" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 bits SOA >dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2011072460" dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking forwarded update on signed zone ($n)"
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-	ret=0
-	$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
-	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
-	grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
-	if [ $ret = 0 ]; then break; fi
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  ret=0
+  $DIG $DIGOPTS @10.53.0.3 bits SOA >dig.out.ns3.test$n
+  grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+  grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1
+  grep "2011072460" dig.out.ns3.test$n >/dev/null || ret=1
+  if [ $ret = 0 ]; then break; fi
+  sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-$NSUPDATE << EOF
+$NSUPDATE <<EOF
 zone noixfr
 server 10.53.0.3 ${PORT}
 update add noixfr 0 SOA ns4.noixfr. . 2011072460 20 20 1814400 3600
@@ -596,24 +587,23 @@ EOF
 n=$((n + 1))
 echo_i "checking forwarded update on hidden primary, noixfr ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
-grep "2011072460" dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.4 noixfr SOA >dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1
+grep "2011072460" dig.out.ns4.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking forwarded update on signed zone, noixfr ($n)"
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-	ret=0
-	$DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n
-	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
-	grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
-	if [ $ret = 0 ]; then break; fi
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  ret=0
+  $DIG $DIGOPTS @10.53.0.3 noixfr SOA >dig.out.ns3.test$n
+  grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+  grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1
+  grep "2011072460" dig.out.ns3.test$n >/dev/null || ret=1
+  if [ $ret = 0 ]; then break; fi
+  sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -621,23 +611,28 @@ status=$((status + ret))
 ret=0
 n=$((n + 1))
 echo_i "checking turning on of inline signing in a secondary zone via reload ($n)"
-$DIG $DIGOPTS @10.53.0.5 +dnssec bits SOA > dig.out.ns5.test$n
-grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.5 +dnssec bits SOA >dig.out.ns5.test$n
+grep "status: NOERROR" dig.out.ns5.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "setup broken"; fi
 status=$((status + ret))
 copy_setports ns5/named.conf.post ns5/named.conf
-(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} bits) > /dev/null 2>&1
-(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK bits) > /dev/null 2>&1
+(
+  cd ns5
+  $KEYGEN -q -a ${DEFAULT_ALGORITHM} bits
+) >/dev/null 2>&1
+(
+  cd ns5
+  $KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK bits
+) >/dev/null 2>&1
 rndc_reload ns5 10.53.0.5
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-	ret=0
-	$DIG $DIGOPTS @10.53.0.5 bits SOA > dig.out.ns5.test$n
-	grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
-	grep "ANSWER: 2," dig.out.ns5.test$n > /dev/null || ret=1
-	if [ $ret = 0 ]; then break; fi
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  ret=0
+  $DIG $DIGOPTS @10.53.0.5 bits SOA >dig.out.ns5.test$n
+  grep "status: NOERROR" dig.out.ns5.test$n >/dev/null || ret=1
+  grep "ANSWER: 2," dig.out.ns5.test$n >/dev/null || ret=1
+  if [ $ret = 0 ]; then break; fi
+  sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -645,38 +640,42 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking rndc freeze/thaw of dynamic inline zone no change ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || { echo_i "/' < freeze.test$n"; ret=1;  }
+$RNDCCMD 10.53.0.3 freeze dynamic >freeze.test$n 2>&1 || {
+  echo_i "/' < freeze.test$n"
+  ret=1
+}
 sleep 1
-$RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || { echo_i "rndc thaw dynamic failed" ; ret=1; }
+$RNDCCMD 10.53.0.3 thaw dynamic >thaw.test$n 2>&1 || {
+  echo_i "rndc thaw dynamic failed"
+  ret=1
+}
 sleep 1
-grep "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run > /dev/null ||  ret=1
+grep "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-
 n=$((n + 1))
 echo_i "checking rndc freeze/thaw of dynamic inline zone ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 freeze dynamic >freeze.test$n 2>&1 || ret=1
 sleep 1
 awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
      { print; }
-     END { print "freeze1.dynamic. 0 TXT freeze1"; } ' ns3/dynamic.db > ns3/dynamic.db.new
+     END { print "freeze1.dynamic. 0 TXT freeze1"; } ' ns3/dynamic.db >ns3/dynamic.db.new
 mv ns3/dynamic.db.new ns3/dynamic.db
-$RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 thaw dynamic >thaw.test$n 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "check added record freeze1.dynamic ($n)"
-for i in 1 2 3 4 5 6 7 8 9
-do
-    ret=0
-    $DIG $DIGOPTS @10.53.0.3 freeze1.dynamic TXT > dig.out.ns3.test$n
-    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
-    test $ret = 0 && break
-    sleep 1
+for i in 1 2 3 4 5 6 7 8 9; do
+  ret=0
+  $DIG $DIGOPTS @10.53.0.3 freeze1.dynamic TXT >dig.out.ns3.test$n
+  grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+  grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1
+  test $ret = 0 && break
+  sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -687,26 +686,25 @@ sleep 1
 n=$((n + 1))
 echo_i "checking rndc freeze/thaw of server ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 freeze > freeze.test$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 freeze >freeze.test$n 2>&1 || ret=1
 sleep 1
 awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
      { print; }
-     END { print "freeze2.dynamic. 0 TXT freeze2"; } ' ns3/dynamic.db > ns3/dynamic.db.new
+     END { print "freeze2.dynamic. 0 TXT freeze2"; } ' ns3/dynamic.db >ns3/dynamic.db.new
 mv ns3/dynamic.db.new ns3/dynamic.db
-$RNDCCMD 10.53.0.3 thaw > thaw.test$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 thaw >thaw.test$n 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "check added record freeze2.dynamic ($n)"
-for i in 1 2 3 4 5 6 7 8 9
-do
-    ret=0
-    $DIG $DIGOPTS @10.53.0.3 freeze2.dynamic TXT > dig.out.ns3.test$n
-    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
-    test $ret = 0 && break
-    sleep 1
+for i in 1 2 3 4 5 6 7 8 9; do
+  ret=0
+  $DIG $DIGOPTS @10.53.0.3 freeze2.dynamic TXT >dig.out.ns3.test$n
+  grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+  grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1
+  test $ret = 0 && break
+  sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -714,8 +712,8 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "check rndc reload allows reuse of inline-signing zones ($n)"
 ret=0
-{ $RNDCCMD 10.53.0.3 reload 2>&1 || ret=1 ; } | sed 's/^/ns3 /' | cat_i
-grep "not reusable" ns3/named.run > /dev/null 2>&1 && ret=1
+{ $RNDCCMD 10.53.0.3 reload 2>&1 || ret=1; } | sed 's/^/ns3 /' | cat_i
+grep "not reusable" ns3/named.run >/dev/null 2>&1 && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -730,7 +728,7 @@ $RNDCCMD 10.53.0.3 sync -clean dynamic 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-$NSUPDATE << EOF
+$NSUPDATE <<EOF
 zone retransfer
 server 10.53.0.2 ${PORT}
 update add added.retransfer 0 A 1.2.3.4
@@ -741,38 +739,39 @@ EOF
 n=$((n + 1))
 echo_i "checking that the retransfer record is added on the hidden primary ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 added.retransfer A > dig.out.ns2.test$n
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 added.retransfer A >dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking that the change has not been transferred due to notify ($n)"
 ret=0
-for i in 0 1 2 3 4 5 6 7 8 9
-do
-	ans=0
-	$DIG $DIGOPTS @10.53.0.3 added.retransfer A > dig.out.ns3.test$n
-	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
-	[ $ans = 0 ] && break
-	sleep 1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+  ans=0
+  $DIG $DIGOPTS @10.53.0.3 added.retransfer A >dig.out.ns3.test$n
+  grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ans=1
+  [ $ans = 0 ] && break
+  sleep 1
 done
-if [ $ans != 1 ]; then echo_i "failed"; ret=1; fi
+if [ $ans != 1 ]; then
+  echo_i "failed"
+  ret=1
+fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "check rndc retransfer of a inline secondary zone works ($n)"
 ret=0
 $RNDCCMD 10.53.0.3 retransfer retransfer 2>&1 || ret=1
-for i in 0 1 2 3 4 5 6 7 8 9
-do
-	ans=0
-	$DIG $DIGOPTS @10.53.0.3 added.retransfer A > dig.out.ns3.test$n
-	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
-	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
-	[ $ans = 0 ] && break
-	sleep 1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+  ans=0
+  $DIG $DIGOPTS @10.53.0.3 added.retransfer A >dig.out.ns3.test$n
+  grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ans=1
+  grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ans=1
+  [ $ans = 0 ] && break
+  sleep 1
 done
 [ $ans = 1 ] && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -783,29 +782,28 @@ echo_i "check 'rndc signing -nsec3param' requests are queued for zones which are
 ret=0
 # The "retransfer3" zone is configured with "allow-transfer { none; };" on ns2,
 # which means it should not yet be available on ns3.
-$DIG $DIGOPTS @10.53.0.3 retransfer3 SOA > dig.out.ns3.pre.test$n
-grep "status: SERVFAIL" dig.out.ns3.pre.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 retransfer3 SOA >dig.out.ns3.pre.test$n
+grep "status: SERVFAIL" dig.out.ns3.pre.test$n >/dev/null || ret=1
 # Switch the zone to NSEC3.  An "NSEC3 -> NSEC -> NSEC3" sequence is used purely
 # to test that multiple queued "rndc signing -nsec3param" requests are handled
 # properly.
-$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
-$RNDCCMD 10.53.0.3 signing -nsec3param none retransfer3 > /dev/null 2>&1 || ret=1
-$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 >/dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 signing -nsec3param none retransfer3 >/dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 >/dev/null 2>&1 || ret=1
 # Reconfigure ns2 to allow outgoing transfers for the "retransfer3" zone.
-sed "s|\(allow-transfer { none; };.*\)|// \1|;" ns2/named.conf > ns2/named.conf.new
+sed "s|\(allow-transfer { none; };.*\)|// \1|;" ns2/named.conf >ns2/named.conf.new
 mv ns2/named.conf.new ns2/named.conf
 $RNDCCMD 10.53.0.2 reconfig || ret=1
 # Request ns3 to retransfer the "retransfer3" zone.
 $RNDCCMD 10.53.0.3 retransfer retransfer3 || ret=1
 # Check whether "retransfer3" uses NSEC3 as requested.
-for i in 0 1 2 3 4 5 6 7 8 9
-do
-	ret=0
-	$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n.$i
-	grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
-	grep "NSEC3" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
-	test $ret -eq 0 && break
-	sleep 1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+  ret=0
+  $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A >dig.out.ns3.post.test$n.$i
+  grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i >/dev/null || ret=1
+  grep "NSEC3" dig.out.ns3.post.test$n.$i >/dev/null || ret=1
+  test $ret -eq 0 && break
+  sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -813,25 +811,23 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "check rndc retransfer of a inline nsec3 secondary retains nsec3 ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
-for i in 0 1 2 3 4 5 6 7 8 9
-do
-	ans=0
-	$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n
-	grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1
-	grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1
-	[ $ans = 0 ] && break
-	sleep 1
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 >/dev/null 2>&1 || ret=1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+  ans=0
+  $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A >dig.out.ns3.pre.test$n
+  grep "status: NXDOMAIN" dig.out.ns3.pre.test$n >/dev/null || ans=1
+  grep "NSEC3" dig.out.ns3.pre.test$n >/dev/null || ans=1
+  [ $ans = 0 ] && break
+  sleep 1
 done
 $RNDCCMD 10.53.0.3 retransfer retransfer3 2>&1 || ret=1
-for i in 0 1 2 3 4 5 6 7 8 9
-do
-	ans=0
-	$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n
-	grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1
-	grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1
-	[ $ans = 0 ] && break
-	sleep 1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+  ans=0
+  $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A >dig.out.ns3.post.test$n
+  grep "status: NXDOMAIN" dig.out.ns3.post.test$n >/dev/null || ans=1
+  grep "NSEC3" dig.out.ns3.post.test$n >/dev/null || ans=1
+  [ $ans = 0 ] && break
+  sleep 1
 done
 [ $ans = 1 ] && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -845,25 +841,23 @@ ret=0
 zone=nsec3-loop
 # Add secondary zone using rndc
 $RNDCCMD 10.53.0.7 addzone $zone \
-	'{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };'
+  '{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };'
 # Wait until secondary zone is fully signed using NSEC
-for i in 1 2 3 4 5 6 7 8 9 0
-do
-	ret=1
-	$RNDCCMD 10.53.0.7 signing -list $zone > signing.out.test$n 2>&1
-	keys=$(grep '^Done signing' signing.out.test$n | wc -l)
-	[ $keys -eq 3 ] && ret=0 && break
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 0; do
+  ret=1
+  $RNDCCMD 10.53.0.7 signing -list $zone >signing.out.test$n 2>&1
+  keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+  [ $keys -eq 3 ] && ret=0 && break
+  sleep 1
 done
 # Switch secondary zone to NSEC3
-$RNDCCMD 10.53.0.7 signing -nsec3param 1 0 2 12345678 $zone > /dev/null 2>&1
+$RNDCCMD 10.53.0.7 signing -nsec3param 1 0 2 12345678 $zone >/dev/null 2>&1
 # Wait until secondary zone is fully signed using NSEC3
-for i in 1 2 3 4 5 6 7 8 9 0
-do
-	ret=1
-	nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone)
-	test "$nsec3param" = "1 0 2 12345678" && ret=0 && break
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 0; do
+  ret=1
+  nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone)
+  test "$nsec3param" = "1 0 2 12345678" && ret=0 && break
+  sleep 1
 done
 # Attempt to retransfer the secondary zone from primary
 $RNDCCMD 10.53.0.7 retransfer $zone
@@ -874,12 +868,11 @@ $RNDCCMD 10.53.0.7 retransfer $zone
 # instead of sending SOA queries to the signer as these may influence its
 # behavior in a way which may prevent the desired scenario from being
 # reproduced (see comment in ns7/named.conf)
-for i in 1 2 3 4 5 6 7 8 9 0
-do
-	ret=1
-	grep "ns2.$zone. . 10 20 20 1814400 3600" ns7/named.run > /dev/null 2>&1
-	[ $? -eq 0 ] && ret=0 && break
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 0; do
+  ret=1
+  grep "ns2.$zone. . 10 20 20 1814400 3600" ns7/named.run >/dev/null 2>&1
+  [ $? -eq 0 ] && ret=0 && break
+  sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -905,14 +898,13 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "updates to SOA parameters other than serial while stopped are reflected in signed zone ($n)"
 ret=0
-for i in 1 2 3 4 5 6 7 8 9
-do
-	ans=0
-	$DIG $DIGOPTS @10.53.0.3 master SOA > dig.out.ns3.test$n
-	grep "hostmaster" dig.out.ns3.test$n > /dev/null || ans=1
-	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
-	[ $ans = 1 ] || break
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9; do
+  ans=0
+  $DIG $DIGOPTS @10.53.0.3 master SOA >dig.out.ns3.test$n
+  grep "hostmaster" dig.out.ns3.test$n >/dev/null || ans=1
+  grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ans=1
+  [ $ans = 1 ] || break
+  sleep 1
 done
 [ $ans = 0 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -925,83 +917,82 @@ ret=1
 # that the file modification time has no possibility of being equal to
 # the one stored during server startup.
 sleep 1
-nextpart ns3/named.run > /dev/null
+nextpart ns3/named.run >/dev/null
 cp ns3/master5.db.in ns3/master.db
 rndc_reload ns3 10.53.0.3
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-	if nextpart ns3/named.run | grep "zone master.*sending notifies" > /dev/null; then
-		ret=0
-		break
-	fi
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  if nextpart ns3/named.run | grep "zone master.*sending notifies" >/dev/null; then
+    ret=0
+    break
+  fi
+  sleep 1
 done
 # Sanity check: file updates should be reflected in the signed zone,
 # i.e. SOA RNAME should no longer be set to "hostmaster".
-$DIG $DIGOPTS @10.53.0.3 master SOA > dig.out.ns3.test$n || ret=1
-grep "hostmaster" dig.out.ns3.test$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.3 master SOA >dig.out.ns3.test$n || ret=1
+grep "hostmaster" dig.out.ns3.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "check that reloading errors prevent synchronization ($n)"
 ret=1
-$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.1 || ret=1
+$DIG $DIGOPTS +short @10.53.0.3 master SOA >dig.out.ns3.test$n.1 || ret=1
 sleep 1
-nextpart ns3/named.run > /dev/null
+nextpart ns3/named.run >/dev/null
 cp ns3/master6.db.in ns3/master.db
 rndc_reload ns3 10.53.0.3
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-	if nextpart ns3/named.run | grep "not loaded due to errors" > /dev/null
-        then
-		ret=0
-		break
-	fi
-	sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  if nextpart ns3/named.run | grep "not loaded due to errors" >/dev/null; then
+    ret=0
+    break
+  fi
+  sleep 1
 done
 # Sanity check: the SOA record should be unchanged
-$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.2 || ret=1
-$DIFF dig.out.ns3.test$n.1  dig.out.ns3.test$n.2 > /dev/null || ret=1
+$DIG $DIGOPTS +short @10.53.0.3 master SOA >dig.out.ns3.test$n.2 || ret=1
+$DIFF dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "check inline-signing with an include file ($n)"
 ret=0
-$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.1 || ret=1
+$DIG $DIGOPTS +short @10.53.0.3 master SOA >dig.out.ns3.test$n.1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 sleep 1
-nextpart ns3/named.run > /dev/null
+nextpart ns3/named.run >/dev/null
 cp ns3/master7.db.in ns3/master.db
 rndc_reload ns3 10.53.0.3
 _includefile_loaded() {
-	$DIG $DIGOPTS @10.53.0.3 f.master A > dig.out.ns3.test$n
-	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || return 1
-	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || return 1
-	grep "10\.0\.0\.7" dig.out.ns3.test$n > /dev/null || return 1
-	return 0
+  $DIG $DIGOPTS @10.53.0.3 f.master A >dig.out.ns3.test$n
+  grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || return 1
+  grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || return 1
+  grep "10\.0\.0\.7" dig.out.ns3.test$n >/dev/null || return 1
+  return 0
 }
 retry_quiet 10 _includefile_loaded
 # Sanity check: the SOA record should be changed
-$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.2 || ret=1
-$DIFF dig.out.ns3.test$n.1  dig.out.ns3.test$n.2 > /dev/null && ret=1
+$DIG $DIGOPTS +short @10.53.0.3 master SOA >dig.out.ns3.test$n.2 || ret=1
+$DIFF dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "test add/del zone combinations ($n)"
 ret=0
-for zone in a b c d e f g h i j k l m n o p q r s t u v w x y z
-do
-$RNDCCMD 10.53.0.2 addzone test-$zone \
-	'{ type primary; file "bits.db.in"; allow-transfer { any; }; };'
-$DIG $DIGOPTS @10.53.0.2 test-$zone SOA > dig.out.ns2.$zone.test$n
-grep "status: NOERROR," dig.out.ns2.$zone.test$n  > /dev/null || { ret=1; cat dig.out.ns2.$zone.test$n; }
-$RNDCCMD 10.53.0.3 addzone test-$zone \
-	'{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };'
-$RNDCCMD 10.53.0.3 delzone test-$zone > /dev/null 2>&1
+for zone in a b c d e f g h i j k l m n o p q r s t u v w x y z; do
+  $RNDCCMD 10.53.0.2 addzone test-$zone \
+    '{ type primary; file "bits.db.in"; allow-transfer { any; }; };'
+  $DIG $DIGOPTS @10.53.0.2 test-$zone SOA >dig.out.ns2.$zone.test$n
+  grep "status: NOERROR," dig.out.ns2.$zone.test$n >/dev/null || {
+    ret=1
+    cat dig.out.ns2.$zone.test$n
+  }
+  $RNDCCMD 10.53.0.3 addzone test-$zone \
+    '{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };'
+  $RNDCCMD 10.53.0.3 delzone test-$zone >/dev/null 2>&1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1009,22 +1000,27 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "testing adding external keys to a inline zone ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 dnskey externalkey > dig.out.ns3.test$n
-for alg in ${DEFAULT_ALGORITHM_NUMBER} ${ALTERNATIVE_ALGORITHM_NUMBER}
-do
-   [ $alg = 13 -a ! -f checkecdsa ] && continue;
-
-   case $alg in
-   7) echo_i "checking NSEC3RSASHA1";;
-   8) echo_i "checking RSASHA256";;
-   13) echo_i "checking ECDSAP256SHA256";;
-   *) echo_i "checking $alg";;
-   esac
-
-   dnskeys=$(grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l)
-   rrsigs=$(grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l)
-   test ${dnskeys:-0} -eq 3 || { echo_i "failed $alg (dnskeys ${dnskeys:-0})"; ret=1; }
-   test ${rrsigs:-0} -eq 2 || { echo_i "failed $alg (rrsigs ${rrsigs:-0})"; ret=1; }
+$DIG $DIGOPTS @10.53.0.3 dnskey externalkey >dig.out.ns3.test$n
+for alg in ${DEFAULT_ALGORITHM_NUMBER} ${ALTERNATIVE_ALGORITHM_NUMBER}; do
+  [ $alg = 13 -a ! -f checkecdsa ] && continue
+
+  case $alg in
+    7) echo_i "checking NSEC3RSASHA1" ;;
+    8) echo_i "checking RSASHA256" ;;
+    13) echo_i "checking ECDSAP256SHA256" ;;
+    *) echo_i "checking $alg" ;;
+  esac
+
+  dnskeys=$(grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l)
+  rrsigs=$(grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l)
+  test ${dnskeys:-0} -eq 3 || {
+    echo_i "failed $alg (dnskeys ${dnskeys:-0})"
+    ret=1
+  }
+  test ${rrsigs:-0} -eq 2 || {
+    echo_i "failed $alg (rrsigs ${rrsigs:-0})"
+    ret=1
+  }
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1035,21 +1031,21 @@ ret=0
 key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} import.example)
 cp ${key}.key import.key
 # import should fail
-$IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1
+$IMPORTKEY -f import.key import.example >/dev/null 2>&1 && ret=1
 rm -f ${key}.private
 # private key removed; import should now succeed
-$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1
+$IMPORTKEY -f import.key import.example >/dev/null 2>&1 || ret=1
 # now that it's an external key, re-import should succeed
-$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1
+$IMPORTKEY -f import.key import.example >/dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "testing updating inline secure serial via 'rndc signing -serial' ($n)"
 ret=0
-$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n
-newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n)
-$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
+$DIG $DIGOPTS nsec3. SOA @10.53.0.3 >dig.out.n3.pre.test$n
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' <dig.out.n3.pre.test$n)
+$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 >/dev/null 2>&1
 retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post.test$n || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1057,12 +1053,12 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "testing updating inline secure serial via 'rndc signing -serial' with negative change ($n)"
 ret=0
-$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n
+$DIG $DIGOPTS nsec3. SOA @10.53.0.3 >dig.out.n3.pre.test$n
 oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n)
-newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n)
-$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' <dig.out.n3.pre.test$n)
+$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 >/dev/null 2>&1
 sleep 1
-$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.ns3.post.test$n
+$DIG $DIGOPTS nsec3. SOA @10.53.0.3 >dig.out.ns3.post.test$n
 serial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n)
 [ ${oldserial:-0} -eq ${serial:-1} ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1074,12 +1070,12 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "testing updating inline secure serial via 'rndc signing -serial' when frozen ($n)"
 ret=0
-$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n
+$DIG $DIGOPTS nsec3. SOA @10.53.0.3 >dig.out.n3.pre.test$n
 oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n)
-newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n)
-$RNDCCMD 10.53.0.3 freeze nsec3 > /dev/null 2>&1
-$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
-$RNDCCMD 10.53.0.3 thaw nsec3 > /dev/null 2>&1
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' <dig.out.n3.pre.test$n)
+$RNDCCMD 10.53.0.3 freeze nsec3 >/dev/null 2>&1
+$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 >/dev/null 2>&1
+$RNDCCMD 10.53.0.3 thaw nsec3 >/dev/null 2>&1
 retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post1.test$n || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1087,9 +1083,9 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "testing updating dynamic serial via 'rndc signing -serial' ($n)"
 ret=0
-$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n
-newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n)
-$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1
+$DIG $DIGOPTS bits. SOA @10.53.0.2 >dig.out.ns2.pre.test$n
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' <dig.out.ns2.pre.test$n)
+$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits >/dev/null 2>&1
 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-0}" dig.out.ns2.post.test$n || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1097,10 +1093,10 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "testing updating dynamic serial via 'rndc signing -serial' with negative change ($n)"
 ret=0
-$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n
+$DIG $DIGOPTS bits. SOA @10.53.0.2 >dig.out.ns2.pre.test$n
 oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n)
-newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n)
-$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' <dig.out.ns2.pre.test$n)
+$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits >/dev/null 2>&1
 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1
 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1109,12 +1105,12 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "testing updating dynamic serial via 'rndc signing -serial' when frozen ($n)"
 ret=0
-$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n
+$DIG $DIGOPTS bits. SOA @10.53.0.2 >dig.out.ns2.pre.test$n
 oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n)
-newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n)
-$RNDCCMD 10.53.0.2 freeze bits > /dev/null 2>&1
-$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1
-$RNDCCMD 10.53.0.2 thaw bits > /dev/null 2>&1
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' <dig.out.ns2.pre.test$n)
+$RNDCCMD 10.53.0.2 freeze bits >/dev/null 2>&1
+$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits >/dev/null 2>&1
+$RNDCCMD 10.53.0.2 thaw bits >/dev/null 2>&1
 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1
 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1124,29 +1120,28 @@ n=$((n + 1))
 echo_i "testing that inline signing works with inactive ZSK and active KSK ($n)"
 ret=0
 
-$DIG $DIGOPTS @10.53.0.3 soa inactivezsk  > dig.out.ns3.pre.test$n || ret=1
+$DIG $DIGOPTS @10.53.0.3 soa inactivezsk >dig.out.ns3.pre.test$n || ret=1
 soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n)
 
-$NSUPDATE << EOF
+$NSUPDATE <<EOF
 server 10.53.0.2 ${PORT}
 update add added.inactivezsk 0 IN TXT added record
 send
 EOF
 
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-    $DIG $DIGOPTS @10.53.0.3 soa inactivezsk  > dig.out.ns3.post.test$n || ret=1
-    soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n)
-    test ${soa1:-0} -ne ${soa2:-0} && break
-    sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  $DIG $DIGOPTS @10.53.0.3 soa inactivezsk >dig.out.ns3.post.test$n || ret=1
+  soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n)
+  test ${soa1:-0} -ne ${soa2:-0} && break
+  sleep 1
 done
 test ${soa1:-0} -ne ${soa2:-0} || ret=1
 
-$DIG $DIGOPTS @10.53.0.3 txt added.inactivezsk > dig.out.ns3.test$n || ret=1
-grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
-grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
-grep "TXT ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
-grep "TXT ${ALTERNATIVE_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 txt added.inactivezsk >dig.out.ns3.test$n || ret=1
+grep "ANSWER: 3," dig.out.ns3.test$n >/dev/null || ret=1
+grep "RRSIG" dig.out.ns3.test$n >/dev/null || ret=1
+grep "TXT ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n >/dev/null || ret=1
+grep "TXT ${ALTERNATIVE_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n >/dev/null || ret=1
 
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1155,31 +1150,31 @@ n=$((n + 1))
 echo_i "testing that inline signing works with inactive KSK and active ZSK ($n)"
 ret=0
 
-$DIG $DIGOPTS @10.53.0.3 axfr inactiveksk > dig.out.ns3.test$n
+$DIG $DIGOPTS @10.53.0.3 axfr inactiveksk >dig.out.ns3.test$n
 
 #
 #  check that DNSKEY is signed with ZSK for default algorithm
 #
 awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }'
-zskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
-       $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' )
-grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1
+zskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n \
+  | $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}')
+grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n >/dev/null || ret=1
 awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }'
-kskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
-       $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' )
-grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
+kskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n \
+  | $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}')
+grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n >/dev/null && ret=1
 
 #
 #  check that DNSKEY is signed with KSK for alternative algorithm
 #
 awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }'
-zskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
-       $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' )
-grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1
+zskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n \
+  | $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}')
+grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n >/dev/null && ret=1
 awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }'
-kskid=$(awk  -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
-       $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' )
-grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
+kskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n \
+  | $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}')
+grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n >/dev/null || ret=1
 
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1192,14 +1187,13 @@ status=$((status + ret))
 # is logged (which means the zone was not modified and will not be modified any
 # further in response to the relevant raw zone update).
 wait_until_raw_zone_update_is_processed() {
-	zone="$1"
-	for i in 1 2 3 4 5 6 7 8 9 10
-	do
-		if nextpart ns3/named.run | grep -E "zone ${zone}.*(sending notifies|receive_secure_serial)" > /dev/null; then
-			return
-		fi
-		sleep 1
-	done
+  zone="$1"
+  for i in 1 2 3 4 5 6 7 8 9 10; do
+    if nextpart ns3/named.run | grep -E "zone ${zone}.*(sending notifies|receive_secure_serial)" >/dev/null; then
+      return
+    fi
+    sleep 1
+  done
 }
 
 n=$((n + 1))
@@ -1207,14 +1201,14 @@ echo_i "checking that changes to raw zone are applied to a previously unsigned s
 ret=0
 # Query for bar.nokeys/A and ensure the response is negative.  As this zone
 # does not have any signing keys set up, the response must be unsigned.
-$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A > dig.out.ns3.pre.test$n 2>&1 || ret=1
-grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1
-grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A >dig.out.ns3.pre.test$n 2>&1 || ret=1
+grep "status: NOERROR" dig.out.ns3.pre.test$n >/dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null && ret=1
 # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
 # log messages generated before the raw zone is updated.
-nextpart ns3/named.run > /dev/null
+nextpart ns3/named.run >/dev/null
 # Add a record to the raw zone on the primary.
-$NSUPDATE << EOF || ret=1
+$NSUPDATE <<EOF || ret=1
 zone nokeys.
 server 10.53.0.2 ${PORT}
 update add bar.nokeys. 0 A 127.0.0.1
@@ -1223,9 +1217,9 @@ EOF
 wait_until_raw_zone_update_is_processed "nokeys"
 # Query for bar.nokeys/A again and ensure the signer now returns a positive,
 # yet still unsigned response.
-$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A > dig.out.ns3.post.test$n 2>&1
-grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null || ret=1
-grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A >dig.out.ns3.post.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.post.test$n >/dev/null || ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -1234,16 +1228,16 @@ echo_i "checking that changes to raw zone are not applied to a previously signed
 ret=0
 # Query for bar.removedkeys-primary/A and ensure the response is negative.  As
 # this zone has signing keys set up, the response must be signed.
-$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.pre.test$n 2>&1 || ret=1
-grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1
-grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A >dig.out.ns3.pre.test$n 2>&1 || ret=1
+grep "status: NOERROR" dig.out.ns3.pre.test$n >/dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null || ret=1
 # Remove the signing keys for this zone.
 mv -f ns3/Kremovedkeys-primary* ns3/removedkeys
 # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
 # log messages generated before the raw zone is updated.
-nextpart ns3/named.run > /dev/null
+nextpart ns3/named.run >/dev/null
 # Add a record to the raw zone on the primary.
-$NSUPDATE << EOF || ret=1
+$NSUPDATE <<EOF || ret=1
 zone removedkeys-primary.
 server 10.53.0.3 ${PORT}
 update add bar.removedkeys-primary. 0 A 127.0.0.1
@@ -1252,9 +1246,9 @@ EOF
 wait_until_raw_zone_update_is_processed "removedkeys-primary"
 # Query for bar.removedkeys-primary/A again and ensure the signer still returns
 # a negative, signed response.
-$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.post.test$n 2>&1
-grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1
-grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A >dig.out.ns3.post.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.post.test$n >/dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -1263,14 +1257,14 @@ echo_i "checking that backlogged changes to raw zone are applied after keys beco
 ret=0
 # Restore the signing keys for this zone.
 mv ns3/removedkeys/Kremovedkeys-primary* ns3
-$RNDCCMD 10.53.0.3 loadkeys removedkeys-primary > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 loadkeys removedkeys-primary >/dev/null 2>&1
 # Determine what a SOA record with a bumped serial number should look like.
 BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-primary.*IN.*SOA\)/\1/p;' ns3/named.run | tail -1 | awk '{$8 += 1; print $0}')
 # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
 # log messages generated before the raw zone is updated.
-nextpart ns3/named.run > /dev/null
+nextpart ns3/named.run >/dev/null
 # Bump the SOA serial number of the raw zone.
-$NSUPDATE << EOF || ret=1
+$NSUPDATE <<EOF || ret=1
 zone removedkeys-primary.
 server 10.53.0.3 ${PORT}
 update del removedkeys-primary. SOA
@@ -1280,9 +1274,9 @@ EOF
 wait_until_raw_zone_update_is_processed "removedkeys-primary"
 # Query for bar.removedkeys-primary/A again and ensure the signer now returns a
 # positive, signed response.
-$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.test$n 2>&1
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A >dig.out.ns3.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep "RRSIG" dig.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -1291,16 +1285,16 @@ echo_i "checking that changes to raw zone are not applied to a previously signed
 ret=0
 # Query for bar.removedkeys-secondary/A and ensure the response is negative.  As this
 # zone does have signing keys set up, the response must be signed.
-$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.pre.test$n 2>&1 || ret=1
-grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1
-grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A >dig.out.ns3.pre.test$n 2>&1 || ret=1
+grep "status: NOERROR" dig.out.ns3.pre.test$n >/dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null || ret=1
 # Remove the signing keys for this zone.
 mv -f ns3/Kremovedkeys-secondary* ns3/removedkeys
 # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
 # log messages generated before the raw zone is updated.
-nextpart ns3/named.run > /dev/null
+nextpart ns3/named.run >/dev/null
 # Add a record to the raw zone on the primary.
-$NSUPDATE << EOF || ret=1
+$NSUPDATE <<EOF || ret=1
 zone removedkeys-secondary.
 server 10.53.0.2 ${PORT}
 update add bar.removedkeys-secondary. 0 A 127.0.0.1
@@ -1309,9 +1303,9 @@ EOF
 wait_until_raw_zone_update_is_processed "removedkeys-secondary"
 # Query for bar.removedkeys-secondary/A again and ensure the signer still returns a
 # negative, signed response.
-$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.post.test$n 2>&1
-grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1
-grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A >dig.out.ns3.post.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.post.test$n >/dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -1320,14 +1314,14 @@ echo_i "checking that backlogged changes to raw zone are applied after keys beco
 ret=0
 # Restore the signing keys for this zone.
 mv ns3/removedkeys/Kremovedkeys-secondary* ns3
-$RNDCCMD 10.53.0.3 loadkeys removedkeys-secondary > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 loadkeys removedkeys-secondary >/dev/null 2>&1
 # Determine what a SOA record with a bumped serial number should look like.
 BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-secondary.*IN.*SOA\)/\1/p;' ns2/named.run | tail -1 | awk '{$8 += 1; print $0}')
 # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
 # log messages generated before the raw zone is updated.
-nextpart ns3/named.run > /dev/null
+nextpart ns3/named.run >/dev/null
 # Bump the SOA serial number of the raw zone on the primary.
-$NSUPDATE << EOF || ret=1
+$NSUPDATE <<EOF || ret=1
 zone removedkeys-secondary.
 server 10.53.0.2 ${PORT}
 update del removedkeys-secondary. SOA
@@ -1337,19 +1331,19 @@ EOF
 wait_until_raw_zone_update_is_processed "removedkeys-secondary"
 # Query for bar.removedkeys-secondary/A again and ensure the signer now returns
 # a positive, signed response.
-$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.test$n 2>&1
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A >dig.out.ns3.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep "RRSIG" dig.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 # Check that the file $2 for zone $1 does not contain RRSIG records
 # while the journal file for that zone does contain them.
 ensure_sigs_only_in_journal() {
-	origin="$1"
-	masterfile="$2"
-	$CHECKZONE -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null && ret=1
-	$CHECKZONE -j -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null || ret=1
+  origin="$1"
+  masterfile="$2"
+  $CHECKZONE -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG >/dev/null && ret=1
+  $CHECKZONE -j -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG >/dev/null || ret=1
 }
 
 n=$((n + 1))
@@ -1360,12 +1354,12 @@ ret=0
 # Move keys into place now and load them, which will cause DNSSEC records to
 # only be present in the journal for the signed version of the zone.
 mv Kdelayedkeys* ns3/
-$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 loadkeys delayedkeys >rndc.out.ns3.pre.test$n 2>&1 || ret=1
 # Wait until the zone is signed.
-check_done_signing () (
-    $RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1
-    num=$(grep "Done signing with" signing.out.test$n | wc -l)
-    [ $num -eq 2 ]
+check_done_signing() (
+  $RNDCCMD 10.53.0.3 signing -list delayedkeys >signing.out.test$n 2>&1
+  num=$(grep "Done signing with" signing.out.test$n | wc -l)
+  [ $num -eq 2 ]
 )
 retry_quiet 10 check_done_signing || ret=1
 # Halt rather than stopping the server to prevent the file from being
@@ -1381,31 +1375,31 @@ start_server --noclean --restart --port ${PORT} ns3
 # receive_secure_serial() should refrain from introducing any zone changes.
 stop_server --use-rndc --halt --port ${CONTROLPORT} ns3
 ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed
-nextpart ns3/named.run > /dev/null
+nextpart ns3/named.run >/dev/null
 start_server --noclean --restart --port ${PORT} ns3
 # We can now test whether the secure zone journal was correctly processed:
 # unless the records contained in it were scheduled for resigning, no resigning
 # event will be scheduled at all since the secure zone file contains no
 # DNSSEC records.
 wait_for_log 20 "all zones loaded" ns3/named.run || ret=1
-$RNDCCMD 10.53.0.3 zonestatus delayedkeys > rndc.out.ns3.post.test$n 2>&1 || ret=1
-grep "next resign node:" rndc.out.ns3.post.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.3 zonestatus delayedkeys >rndc.out.ns3.post.test$n 2>&1 || ret=1
+grep "next resign node:" rndc.out.ns3.post.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "check that zonestatus reports 'type: primary' for an inline primary zone ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 zonestatus master > rndc.out.ns3.test$n
-grep "type: primary" rndc.out.ns3.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.3 zonestatus master >rndc.out.ns3.test$n
+grep "type: primary" rndc.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "check that zonestatus reports 'type: secondary' for an inline secondary zone ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 zonestatus bits > rndc.out.ns3.test$n
-grep "type: secondary" rndc.out.ns3.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.3 zonestatus bits >rndc.out.ns3.test$n
+grep "type: secondary" rndc.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -1413,7 +1407,7 @@ n=$((n + 1))
 echo_i "checking reload of touched inline zones ($n)"
 ret=0
 echo_ic "pre-reload 'next key event'"
-nextpart ns8/named.run > nextpart.pre$n.out
+nextpart ns8/named.run >nextpart.pre$n.out
 count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.pre$n.out | wc -l)
 echo_ic "found: $count/16"
 [ $count -eq 16 ] || ret=1
@@ -1422,7 +1416,7 @@ touch ns8/example??.com.db
 $RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i
 sleep 5
 echo_ic "post-reload 'next key event'"
-nextpart ns8/named.run > nextpart.post$n.out
+nextpart ns8/named.run >nextpart.post$n.out
 count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.post$n.out | wc -l)
 echo_ic "found: $count/16"
 [ $count -eq 16 ] || ret=1
@@ -1432,24 +1426,24 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking second reload of touched inline zones ($n)"
 ret=0
-nextpart ns8/named.run > nextpart.pre$n.out
+nextpart ns8/named.run >nextpart.pre$n.out
 $RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i
 sleep 5
-nextpart ns8/named.run > nextpart.post$n.out
+nextpart ns8/named.run >nextpart.post$n.out
 grep "ixfr-from-differences: unchanged" nextpart.post$n.out && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-n=$((n+1))
+n=$((n + 1))
 echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)"
 ret=0
-dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa1 || ret=1
+dig_with_opts @10.53.0.8 example SOA >dig.out.ns8.test$n.soa1 || ret=1
 cp ns8/example2.db.in ns8/example.db || ret=1
-nextpart ns8/named.run > /dev/null
+nextpart ns8/named.run >/dev/null
 rndccmd 10.53.0.8 reload || ret=1
 wait_for_log 3 "all zones loaded" ns8/named.run
 sleep 1
-dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa2 || ret=1
+dig_with_opts @10.53.0.8 example SOA >dig.out.ns8.test$n.soa2 || ret=1
 soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa1)
 soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa2)
 ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa1)
@@ -1458,22 +1452,22 @@ test ${soa1:-1000} -lt ${soa2:-0} || ret=1
 test ${ttl1:-0} -eq 300 || ret=1
 test ${ttl2:-0} -eq 300 || ret=1
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
-n=$((n+1))
+n=$((n + 1))
 echo_i "Check that restart with zone changes and deleted journal works ($n)"
 TSIG=
 ret=0
-dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa1 || ret=1
+dig_with_opts @10.53.0.8 example SOA >dig.out.ns8.test$n.soa1 || ret=1
 stop_server --use-rndc --port ${CONTROLPORT} ns8
 # TTL of all records change from 300 to 400
 cp ns8/example3.db.in ns8/example.db || ret=1
 rm ns8/example.db.jnl
-nextpart ns8/named.run > /dev/null
+nextpart ns8/named.run >/dev/null
 start_server --noclean --restart --port ${PORT} ns8
 wait_for_log 3 "all zones loaded" ns8/named.run
 sleep 1
-dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa2 || ret=1
+dig_with_opts @10.53.0.8 example SOA >dig.out.ns8.test$n.soa2 || ret=1
 soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa1)
 soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa2)
 ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa1)
@@ -1482,7 +1476,7 @@ test ${soa1:-1000} -lt ${soa2:-0} || ret=1
 test ${ttl1:-0} -eq 300 || ret=1
 test ${ttl2:-0} -eq 400 || ret=1
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
-- 
cgit v1.2.3