Merging upstream version 1:9.18.24.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

9 files changed, 813 insertions, 731 deletions

diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh
index 6b969c3..fd01208 100644
--- a/bin/tests/system/autosign/ns1/keygen.sh
+++ b/bin/tests/system/autosign/ns1/keygen.sh
@@ -17,9 +17,9 @@ zone=.
 zonefile=root.db
 infile=root.db.in
 
-(cd ../ns2 && $SHELL keygen.sh )
+(cd ../ns2 && $SHELL keygen.sh)
 
-cat $infile ../ns2/dsset-example. ../ns2/dsset-bar. > $zonefile
+cat $infile ../ns2/dsset-example. ../ns2/dsset-bar. >$zonefile
 
 zskact=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone)
 zskvanish=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone)
@@ -34,20 +34,20 @@ rm $zsknopriv.private
 ksksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -P now -A now+15s -fk $zone)
 kskrev=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -R now+15s -fk $zone)
 
-keyfile_to_static_ds $ksksby > trusted.conf
+keyfile_to_static_ds $ksksby >trusted.conf
 cp trusted.conf ../ns2/trusted.conf
 cp trusted.conf ../ns3/trusted.conf
 cp trusted.conf ../ns4/trusted.conf
 
-keyfile_to_static_ds $kskrev > trusted.conf
+keyfile_to_static_ds $kskrev >trusted.conf
 cp trusted.conf ../ns5/trusted.conf
 
-echo $zskact > ../active.key
-echo $zskvanish > ../vanishing.key
-echo $zskdel > ../del.key
-echo $zskinact > ../inact.key
-echo $zskunpub > ../unpub.key
-echo $zsknopriv > ../nopriv.key
-echo $zsksby > ../standby.key
-echo $zskactnowpub1d > ../activate-now-publish-1day.key
-$REVOKE -R $kskrev > ../rev.key
+echo $zskact >../active.key
+echo $zskvanish >../vanishing.key
+echo $zskdel >../del.key
+echo $zskinact >../inact.key
+echo $zskunpub >../unpub.key
+echo $zsknopriv >../nopriv.key
+echo $zsksby >../standby.key
+echo $zskactnowpub1d >../activate-now-publish-1day.key
+$REVOKE -R $kskrev >../rev.key
diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh
index 9b7c31d..c6fd69d 100644
--- a/bin/tests/system/autosign/ns2/keygen.sh
+++ b/bin/tests/system/autosign/ns2/keygen.sh
@@ -14,52 +14,50 @@
 . ../../conf.sh
 
 # Have the child generate subdomain keys and pass DS sets to us.
-( cd ../ns3 && $SHELL keygen.sh )
+(cd ../ns3 && $SHELL keygen.sh)
 
 for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 \
-		 nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \
-		 cdnskey-delete
-do
-	cp ../ns3/dsset-$subdomain.example. .
+  nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \
+  cdnskey-delete; do
+  cp ../ns3/dsset-$subdomain.example. .
 done
 
 # Create keys and pass the DS to the parent.
 zone=example
 zonefile="${zone}.db"
 infile="${zonefile}.in"
-cat $infile dsset-*.example. > $zonefile
+cat $infile dsset-*.example. >$zonefile
 
 kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
-$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
-$DSFROMKEY $kskname.key > dsset-${zone}.
+$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null
+$DSFROMKEY $kskname.key >dsset-${zone}.
 
 # Create keys for a private secure zone.
 zone=private.secure.example
 zonefile="${zone}.db"
 infile="${zonefile}.in"
 ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
-$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
-keyfile_to_static_ds $ksk > private.conf
+$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null
+keyfile_to_static_ds $ksk >private.conf
 cp private.conf ../ns4/private.conf
-$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null
+$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >/dev/null
 
 # Extract saved keys for the revoke-to-duplicate-key test
 zone=bar
 zonefile="${zone}.db"
 infile="${zonefile}.in"
-cat $infile > $zonefile
+cat $infile >$zonefile
 for i in Xbar.+013+59973.key Xbar.+013+59973.private \
-	 Xbar.+013+60101.key Xbar.+013+60101.private
-do
-    cp $i $(echo $i | sed s/X/K/)
+  Xbar.+013+60101.key Xbar.+013+60101.private; do
+  cp $i $(echo $i | sed s/X/K/)
 done
-$KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null
-$DSFROMKEY Kbar.+013+60101.key > dsset-bar.
+$KEYGEN -a ECDSAP256SHA256 -q $zone >/dev/null
+$DSFROMKEY Kbar.+013+60101.key >dsset-bar.
 
 # a zone with empty non-terminals.
 zone=optout-with-ent
 zonefile=optout-with-ent.db
 infile=optout-with-ent.db.in
-cat $infile > $zonefile
+cat $infile >$zonefile
 kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
-$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
+$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null
diff --git a/bin/tests/system/autosign/ns2/named.conf.in b/bin/tests/system/autosign/ns2/named.conf.in
index c155a3b..a134019 100644
--- a/bin/tests/system/autosign/ns2/named.conf.in
+++ b/bin/tests/system/autosign/ns2/named.conf.in
@@ -38,7 +38,7 @@ controls {
 
 zone "." {
 	type hint;
-	file "../../common/root.hint";
+	file "../../_common/root.hint";
 };
 
 zone "example" {
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh
index 96158b3..b59cb50 100644
--- a/bin/tests/system/autosign/ns3/keygen.sh
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -15,43 +15,43 @@
 
 SYSTESTDIR=autosign
 
-dumpit () {
-	echo_d "${debug}: dumping ${1}"
-	cat "${1}" | cat_d
+dumpit() {
+  echo_d "${debug}: dumping ${1}"
+  cat "${1}" | cat_d
 }
 
-setup () {
-	echo_i "setting up zone: $1"
-	debug="$1"
-	zone="$1"
-	zonefile="${zone}.db"
-	infile="${zonefile}.in"
-	n=$((${n:-0} + 1))
+setup() {
+  echo_i "setting up zone: $1"
+  debug="$1"
+  zone="$1"
+  zonefile="${zone}.db"
+  infile="${zonefile}.in"
+  n=$((${n:-0} + 1))
 }
 
 setup secure.example
 cp $infile $zonefile
-ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 #  NSEC3/NSEC test zone
 #
 setup secure.nsec3.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 #  NSEC3/NSEC3 test zone
 #
 setup nsec3.nsec3.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 #  Jitter/NSEC3 test zone
@@ -59,10 +59,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}.
 setup jitter.nsec3.example
 cp $infile $zonefile
 count=1
-while [ $count -le 1000 ]
-do
-    echo "label${count} IN TXT label${count}" >> $zonefile
-    count=$((count + 1))
+while [ $count -le 1000 ]; do
+  echo "label${count} IN TXT label${count}" >>$zonefile
+  count=$((count + 1))
 done
 # Don't create keys just yet, because the scenario we want to test
 # is an unsigned zone that has a NSEC3PARAM record added with
@@ -73,98 +72,100 @@ done
 #
 setup optout.nsec3.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 # A nsec3 zone (non-optout).
 #
 setup nsec3.example
-cat $infile dsset-*.${zone}. > $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+cat $infile dsset-*.${zone}. >$zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 # An NSEC3 zone, with NSEC3 parameters set prior to signing
 #
 setup autonsec3.example
-cat $infile > $zonefile
-ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-echo $ksk > ../autoksk.key
-zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
-echo $zsk > ../autozsk.key
-$DSFROMKEY $ksk.key > dsset-${zone}.
+cat $infile >$zonefile
+ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+echo $ksk >../autoksk.key
+zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
+echo $zsk >../autozsk.key
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 #  OPTOUT/NSEC test zone
 #
 setup secure.optout.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 #  OPTOUT/NSEC3 test zone
 #
 setup nsec3.optout.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 #  OPTOUT/OPTOUT test zone
 #
 setup optout.optout.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 # A optout nsec3 zone.
 #
 setup optout.example
-cat $infile dsset-*.${zone}. > $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+cat $infile dsset-*.${zone}. >$zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 # A RSASHA256 zone.
 #
 setup rsasha256.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a RSASHA256 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a RSASHA256 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 # A RSASHA512 zone.
 #
 setup rsasha512.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a RSASHA512 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a RSASHA512 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 # NSEC-only zone. A zone using NSEC-only DNSSEC algorithms.
 # None of these algorithms are supported for signing in FIPS mode
 # as they are MD5 and SHA1 based.
 #
-if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1)
-then
-    setup nsec-only.example
-    cp $infile $zonefile
-    ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out) || dumpit kg.out
-    $KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
-    $DSFROMKEY $ksk.key > dsset-${zone}.
+if (
+  cd ..
+  $SHELL ../testcrypto.sh -q RSASHA1
+); then
+  setup nsec-only.example
+  cp $infile $zonefile
+  ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2>kg.out) || dumpit kg.out
+  $KEYGEN -q -a RSASHA1 $zone >kg.out 2>&1 || dumpit kg.out
+  $DSFROMKEY $ksk.key >dsset-${zone}.
 else
-    echo_i "skip: nsec-only.example - signing with RSASHA1 not supported"
+  echo_i "skip: nsec-only.example - signing with RSASHA1 not supported"
 fi
 
 #
@@ -174,52 +175,59 @@ fi
 setup oldsigs.example
 cp $infile $zonefile
 count=1
-while [ $count -le 1000 ]
-do
-    echo "label${count} IN TXT label${count}" >> $zonefile
-    count=$((count + 1))
+while [ $count -le 1000 ]; do
+  echo "label${count} IN TXT label${count}" >>$zonefile
+  count=$((count + 1))
 done
-$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
-$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out
+$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile >s.out || dumpit s.out
 mv $zonefile.signed $zonefile
 
 #
 # NSEC3->NSEC transition test zone.
 #
 setup nsec3-to-nsec.example
-$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
-$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out
+$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out
+
+#
+# NSEC3->NSEC3 transition test zone.
+#
+setup nsec3-to-nsec3.example
+$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out
+$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out
 
 #
 # secure-to-insecure transition test zone; used to test removal of
 # keys via nsupdate
 #
 setup secure-to-insecure.example
-$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -q $zone > kg.out 2>&1 || dumpit kg.out
-$SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out
+$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -q $zone >kg.out 2>&1 || dumpit kg.out
+$SIGNER -S -o $zone -f $zonefile $infile >s.out || dumpit s.out
 
 #
 # another secure-to-insecure transition test zone; used to test
 # removal of keys on schedule.
 #
 setup secure-to-insecure2.example
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-echo $ksk > ../del1.key
-zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
-echo $zsk > ../del2.key
-$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+echo $ksk >../del1.key
+zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
+echo $zsk >../del2.key
+$SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out
 
 #
 # Introducing a pre-published key test.
 #
 setup prepub.example
 infile="secure-to-insecure2.example.db.in"
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
+$SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out
 
 #
 # Key TTL tests.
@@ -227,46 +235,46 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
 
 # no default key TTL; DNSKEY should get SOA TTL
 setup ttl1.example
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
 cp $infile $zonefile
 
 # default key TTL should be used
 setup ttl2.example
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out
 cp $infile $zonefile
 
 # mismatched key TTLs, should use shortest
 setup ttl3.example
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out
 cp $infile $zonefile
 
 # existing DNSKEY RRset, should retain TTL
 setup ttl4.example
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
-cat ${infile} K${zone}.+*.key > $zonefile
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone >kg.out 2>&1 || dumpit kg.out
+cat ${infile} K${zone}.+*.key >$zonefile
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone >kg.out 2>&1 || dumpit kg.out
 
 #
 # A zone with a DNSKEY RRset that is published before it's activated
 #
 setup delay.example
-ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-echo $ksk > ../delayksk.key
-zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
-echo $zsk > ../delayzsk.key
+ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+echo $ksk >../delayksk.key
+zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
+echo $zsk >../delayzsk.key
 
 #
 # A zone with signatures that are already expired, and the private KSK
 # is missing.
 #
 setup noksk.example
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
-$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
-echo $ksk > ../noksk-ksk.key
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
+$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
+echo $ksk >../noksk-ksk.key
 rm -f ${ksk}.private
 
 #
@@ -274,11 +282,11 @@ rm -f ${ksk}.private
 # is missing.
 #
 setup nozsk.example
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
-$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
-echo $ksk > ../nozsk-ksk.key
-echo $zsk > ../nozsk-zsk.key
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
+$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
+echo $ksk >../nozsk-ksk.key
+echo $zsk >../nozsk-zsk.key
 rm -f ${zsk}.private
 
 #
@@ -286,77 +294,77 @@ rm -f ${zsk}.private
 # is inactive.
 #
 setup inaczsk.example
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
-$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
-echo $ksk > ../inaczsk-ksk.key
-echo $zsk > ../inaczsk-zsk.key
-$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
+$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
+echo $ksk >../inaczsk-ksk.key
+echo $zsk >../inaczsk-zsk.key
+$SETTIME -I now $zsk >st.out 2>&1 || dumpit st.out
 
 #
 # A zone that is set to 'auto-dnssec maintain' during a reconfig
 #
 setup reconf.example
 cp secure.example.db.in $zonefile
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
 
 #
 # A zone which generates CDS and CDNSEY RRsets automatically
 #
 setup sync.example
 cp $infile $zonefile
-ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
-echo ns3/$ksk > ../sync.key
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
+echo ns3/$ksk >../sync.key
 
 #
 # A zone that generates CDS and CDNSKEY and uses dnssec-dnskey-kskonly
 #
 setup kskonly.example
 cp $infile $zonefile
-ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 # A zone that has a published inactive key that is autosigned.
 #
 setup inacksk2.example
 cp $infile $zonefile
-ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 # A zone that has a published inactive key that is autosigned.
 #
 setup inaczsk2.example
 cp $infile $zonefile
-ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 # A zone that starts with a active KSK + ZSK and a inactive ZSK.
 #
 setup inacksk3.example
 cp $infile $zonefile
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out
-ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone >kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 # A zone that starts with a active KSK + ZSK and a inactive ZSK.
 #
 setup inaczsk3.example
 cp $infile $zonefile
-ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 # A zone that starts with an active KSK + ZSK and an inactive ZSK, with the
@@ -364,28 +372,28 @@ $DSFROMKEY $ksk.key > dsset-${zone}.
 #
 setup delzsk.example
 cp $infile $zonefile
-ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
 zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out) || dumpit kg.out
-echo $zsk > ../delzsk.key
+echo $zsk >../delzsk.key
 
 #
 # Check that NSEC3 are correctly signed and returned from below a DNAME
 #
 setup dname-at-apex-nsec3.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 # Check that dynamically added CDS (DELETE) is kept in the zone after signing.
 #
 setup cds-delete.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
 
 #
 # Check that dynamically added CDNSKEY (DELETE) is kept in the zone after
@@ -393,6 +401,6 @@ $DSFROMKEY $ksk.key > dsset-${zone}.
 #
 setup cdnskey-delete.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}.
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}.
diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in
index 64196a1..cbdf8f7 100644
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -42,7 +42,7 @@ controls {
 
 zone "." {
 	type hint;
-	file "../../common/root.hint";
+	file "../../_common/root.hint";
 };
 
 zone "example" {
@@ -167,6 +167,7 @@ zone "nsec3-to-nsec.example" {
 	type primary;
 	file "nsec3-to-nsec.example.db";
 	allow-update { any; };
+	max-journal-size 10M;
 	auto-dnssec maintain;
 };
 
@@ -185,6 +186,14 @@ zone "secure-to-insecure2.example" {
 	dnssec-secure-to-insecure yes;
 };
 
+zone "nsec3-to-nsec3.example" {
+	type primary;
+	file "nsec3-to-nsec3.example.db";
+	allow-update { any; };
+	inline-signing no;
+	max-journal-size 10M;
+};
+
 zone "oldsigs.example" {
 	type primary;
 	file "oldsigs.example.db";
diff --git a/bin/tests/system/autosign/ns3/nsec3-to-nsec3.example.db.in b/bin/tests/system/autosign/ns3/nsec3-to-nsec3.example.db.in
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nsec3-to-nsec3.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns4/named.conf.in b/bin/tests/system/autosign/ns4/named.conf.in
index b46ce91..13a8e89 100644
--- a/bin/tests/system/autosign/ns4/named.conf.in
+++ b/bin/tests/system/autosign/ns4/named.conf.in
@@ -28,7 +28,7 @@ options {
 
 zone "." {
 	type hint;
-	file "../../common/root.hint";
+	file "../../_common/root.hint";
 };
 
 include "trusted.conf";
diff --git a/bin/tests/system/autosign/ns5/named.conf.in b/bin/tests/system/autosign/ns5/named.conf.in
index 710dfa8..e0927da 100644
--- a/bin/tests/system/autosign/ns5/named.conf.in
+++ b/bin/tests/system/autosign/ns5/named.conf.in
@@ -27,7 +27,7 @@ options {
 
 zone "." {
 	type hint;
-	file "../../common/root.hint";
+	file "../../_common/root.hint";
 };
 
 include "trusted.conf";
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index ad23c22..5789fe7 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -19,18 +19,18 @@ status=0
 n=0
 
 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
-RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
+RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
 
 # convert private-type records to readable form
 # $1 is the zone
 # $2 is the server
 # $3 is ignored
 # $4 is the alternate type
-showprivate () {
-    echo "-- $@ --"
-    $DIG $DIGOPTS +nodnssec +short @$2 -t ${4:-type65534} $1 | cut -f3 -d' ' |
-        while read record; do
-            $PERL -e 'my $rdata = pack("H*", @ARGV[0]);
+showprivate() {
+  echo "-- $@ --"
+  $DIG $DIGOPTS +nodnssec +short @$2 -t ${4:-type65534} $1 | cut -f3 -d' ' \
+    | while read record; do
+      $PERL -e 'my $rdata = pack("H*", @ARGV[0]);
                 die "invalid record" unless length($rdata) == 5;
                 my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
                 my $action = "signing";
@@ -38,107 +38,103 @@ showprivate () {
                 my $state = " (incomplete)";
                 $state = " (complete)" if $complete;
                 print ("$action: alg: $alg, key: $key$state\n");' $record
-        done
+    done
 }
 
 # check that signing records are marked as complete
 # if $3 is 1 then we are expecting "(incomplete)"
 # if $3 is 2 then we are not expecting either "(complete)" or "(incomplete)"
 # if $4 is present then that specifies any alternate type to check
-checkprivate () {
-    _ret=0
-    expected="${3:-0}"
-    x=$(showprivate "$@")
-    echo $x | grep "(complete)" > /dev/null || _ret=2
-    echo $x | grep "(incomplete)" > /dev/null && _ret=1
-
-    if [ $_ret = $expected ]; then
-        return 0
-    fi
-
-    echo "$x"
-    echo_i "failed"
-    return 1
+checkprivate() {
+  _ret=0
+  expected="${3:-0}"
+  x=$(showprivate "$@")
+  echo $x | grep "(complete)" >/dev/null || _ret=2
+  echo $x | grep "(incomplete)" >/dev/null && _ret=1
+
+  if [ $_ret = $expected ]; then
+    return 0
+  fi
+
+  echo "$x"
+  echo_i "failed"
+  return 1
 }
 
 # wait until notifies for zone $1 are sent by server $2. This is an indication
 # that the zone is signed with the active keys, and the changes have been
 # committed.
-wait_for_notifies () {
-	wait_for_log 10 "zone ${1}/IN: sending notifies" "${2}/named.run" || return 1
+wait_for_notifies() {
+  wait_for_log 10 "zone ${1}/IN: sending notifies" "${2}/named.run" || return 1
 }
 
 freq() {
-	_file=$1
-	# remove first and last line that has incomplete set and skews the distribution
-	awk '$4 == "RRSIG" {print substr($9,1,8)}' < "$_file" | sort | uniq -c | sed '1d;$d'
+  _file=$1
+  # remove first and last line that has incomplete set and skews the distribution
+  awk '$4 == "RRSIG" {print substr($9,1,8)}' <"$_file" | sort | uniq -c | sed '1d;$d'
 }
 # Check the signatures expiration times.  First check how many signatures
 # there are in total ($rrsigs).  Then see what the distribution of signature
 # expiration times is ($expiretimes).  Ignore the time part for a better
 # modelled distribution.
-checkjitter () {
-	_file=$1
-	_ret=0
-
-	if ! command -v bc >/dev/null 2>&1; then
-		echo_i "skip: bc not available"
-		return 0
-	fi
-
-	freq "$_file" | cat_i
-	_expiretimes=$(freq "$_file" | awk '{print $1}')
-
-	_count=0
-	# Check if we have at least 4 days
-	# This number has been tuned for `sig-validity-interval 10 2`, as
-	# 1 signature expiration dates should be spread out across at most 8 (10-2) days
-	# 2. we remove first and last day to remove frequency outlier, we are left with 6 (8-2) days
-	# 3. we subtract two more days to allow test pass on day boundaries, etc. leaving us with 4 (6-2)
-	for _num in $_expiretimes
-	do
-		_count=$((_count+1))
-	done
-	if [ "$_count" -lt 4 ]; then
-		echo_i "error: not enough categories"
-		return 1
-	fi
-
-	# Calculate mean
-	_total=0
-	for _num in $_expiretimes
-	do
-		_total=$((_total+_num))
-	done
-	_mean=$(($_total / $_count))
-
-	# Calculate stddev
-	_stddev=0
-	for _num in $_expiretimes
-	do
-		_stddev=$(echo "$_stddev + (($_num - $_mean) * ($_num - $_mean))" | bc)
-	done
-	_stddev=$(echo "sqrt($_stddev/$_count)" | bc)
-
-	# We expect the number of signatures not to exceed the mean +- 3 * stddev.
-	_limit=$((_stddev*3))
-	_low=$((_mean-_limit))
-	_high=$((_mean+_limit))
-	# Find outliers.
-	echo_i "checking whether all frequencies fall into <$_low;$_high> range"
-	for _num in $_expiretimes
-	do
-		if [ $_num -gt $_high ]; then
-			echo_i "error: too many RRSIG records ($_num) in expiration bucket"
-			_ret=1
-		fi
-		if [ $_num -lt $_low ]; then
-			echo_i "error: too few RRSIG records ($_num) in expiration bucket"
-			_ret=1
-		fi
-	done
-
-	return $_ret
+checkjitter() {
+  _file=$1
+  _ret=0
+
+  if ! command -v bc >/dev/null 2>&1; then
+    echo_i "skip: bc not available"
+    return 0
+  fi
+
+  freq "$_file" | cat_i
+  _expiretimes=$(freq "$_file" | awk '{print $1}')
+
+  _count=0
+  # Check if we have at least 4 days
+  # This number has been tuned for `sig-validity-interval 10 2`, as
+  # 1 signature expiration dates should be spread out across at most 8 (10-2) days
+  # 2. we remove first and last day to remove frequency outlier, we are left with 6 (8-2) days
+  # 3. we subtract two more days to allow test pass on day boundaries, etc. leaving us with 4 (6-2)
+  for _num in $_expiretimes; do
+    _count=$((_count + 1))
+  done
+  if [ "$_count" -lt 4 ]; then
+    echo_i "error: not enough categories"
+    return 1
+  fi
+
+  # Calculate mean
+  _total=0
+  for _num in $_expiretimes; do
+    _total=$((_total + _num))
+  done
+  _mean=$(($_total / $_count))
+
+  # Calculate stddev
+  _stddev=0
+  for _num in $_expiretimes; do
+    _stddev=$(echo "$_stddev + (($_num - $_mean) * ($_num - $_mean))" | bc)
+  done
+  _stddev=$(echo "sqrt($_stddev/$_count)" | bc)
+
+  # We expect the number of signatures not to exceed the mean +- 3 * stddev.
+  _limit=$((_stddev * 3))
+  _low=$((_mean - _limit))
+  _high=$((_mean + _limit))
+  # Find outliers.
+  echo_i "checking whether all frequencies fall into <$_low;$_high> range"
+  for _num in $_expiretimes; do
+    if [ $_num -gt $_high ]; then
+      echo_i "error: too many RRSIG records ($_num) in expiration bucket"
+      _ret=1
+    fi
+    if [ $_num -lt $_low ]; then
+      echo_i "error: too few RRSIG records ($_num) in expiration bucket"
+      _ret=1
+    fi
+  done
+
+  return $_ret
 }
 
 #
@@ -149,34 +145,30 @@ checkjitter () {
 #
 echo_i "waiting for autosign changes to take effect"
 i=0
-while [ $i -lt 30 ]
-do
-	ret=0
-	#
-	# Wait for the root DNSKEY RRset to be fully signed.
-	#
-	$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
-	grep "ANSWER: 10," dig.out.ns1.test$n > /dev/null || ret=1
-	for z in .
-	do
-		$DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1
-		grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1
-	done
-	for z in bar. example. private.secure.example. optout-with-ent.
-	do
-		$DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
-		grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
-	done
-	for z in bar. example. inacksk2.example. inacksk3.example \
-		 inaczsk2.example. inaczsk3.example noksk.example nozsk.example
-	do
-		$DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1
-		grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1
-	done
-	i=$((i + 1))
-	if [ $ret = 0 ]; then break; fi
-	echo_i "waiting ... ($i)"
-	sleep 2
+while [ $i -lt 30 ]; do
+  ret=0
+  #
+  # Wait for the root DNSKEY RRset to be fully signed.
+  #
+  $DIG $DIGOPTS . @10.53.0.1 dnskey >dig.out.ns1.test$n || ret=1
+  grep "ANSWER: 10," dig.out.ns1.test$n >/dev/null || ret=1
+  for z in .; do
+    $DIG $DIGOPTS $z @10.53.0.1 nsec >dig.out.ns1.test$n || ret=1
+    grep "NS SOA" dig.out.ns1.test$n >/dev/null || ret=1
+  done
+  for z in bar. example. private.secure.example. optout-with-ent.; do
+    $DIG $DIGOPTS $z @10.53.0.2 nsec >dig.out.ns2.test$n || ret=1
+    grep "NS SOA" dig.out.ns2.test$n >/dev/null || ret=1
+  done
+  for z in bar. example. inacksk2.example. inacksk3.example \
+    inaczsk2.example. inaczsk3.example noksk.example nozsk.example; do
+    $DIG $DIGOPTS $z @10.53.0.3 nsec >dig.out.ns3.test$n || ret=1
+    grep "NS SOA" dig.out.ns3.test$n >/dev/null || ret=1
+  done
+  i=$((i + 1))
+  if [ $ret = 0 ]; then break; fi
+  echo_i "waiting ... ($i)"
+  sleep 2
 done
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "done"; fi
@@ -185,21 +177,21 @@ status=$((status + ret))
 echo_i "Convert optout-with-ent from nsec to nsec3"
 ($RNDCCMD 10.53.0.2 signing -nsec3param 1 1 1 - optout-with-ent 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
 
+echo_i "Convert nsec3-to-nsec3.example from having salt 'beef' to no salt"
+($RNDCCMD 10.53.0.3 signing -nsec3param 1 1 1 - nsec3-to-nsec3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
+
 echo_i "Initial counts of RRSIG expiry fields values for auto signed zones"
-for z in .
-do
-	echo_i zone $z
-	$DIG $DIGOPTS $z @10.53.0.1 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
+for z in .; do
+  echo_i zone $z
+  $DIG $DIGOPTS $z @10.53.0.1 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
 done
-for z in bar. example. private.secure.example.
-do
-	echo_i zone $z
-	$DIG $DIGOPTS $z @10.53.0.2 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
+for z in bar. example. private.secure.example.; do
+  echo_i zone $z
+  $DIG $DIGOPTS $z @10.53.0.2 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
 done
-for z in inacksk2.example. inacksk3.example inaczsk2.example. inaczsk3.example
-do
-	echo_i zone $z
-	$DIG $DIGOPTS $z @10.53.0.3 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
+for z in inacksk2.example. inacksk3.example inaczsk2.example. inaczsk3.example; do
+  echo_i zone $z
+  $DIG $DIGOPTS $z @10.53.0.3 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
 done
 
 # Set logfile offset for wait_for_log usage.
@@ -213,14 +205,14 @@ echo_ic "resigned after the active KSK is deleted - stage 1: Verify that DNSKEY"
 echo_ic "is initially signed with a KSK and not a ZSK. ($n)"
 ret=0
 
-$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
+$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example >dig.out.ns3.test$n
 
-zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
-       $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}')
-grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 " dig.out.ns3.test$n > /dev/null || ret=1
+zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n \
+  | $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}')
+grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 " dig.out.ns3.test$n >/dev/null || ret=1
 
 pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
-grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
+grep "${pattern}" dig.out.ns3.test$n >/dev/null && ret=1
 
 count=$(awk 'BEGIN { count = 0 }
 	    $4 == "RRSIG" && $5 == "DNSKEY" { count++ }
@@ -236,7 +228,7 @@ awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }'
 id=$(awk "${awk}" dig.out.ns3.test$n)
 
 keyfile=$(printf "ns3/Kinacksk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}")
-$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1
+$SETTIME -D now+5 "${keyfile}" >settime.out.test$n || ret=1
 ($RNDCCMD 10.53.0.3 loadkeys inacksk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
 
 n=$((n + 1))
@@ -250,11 +242,11 @@ echo_i "check that zone with active and inactive ZSK and active KSK is properly"
 echo_ic "resigned after the active ZSK is deleted - stage 1: Verify that zone"
 echo_ic "is initially signed with a ZSK and not a KSK. ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
-kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
-       $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' )
-grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 " dig.out.ns3.test$n > /dev/null || ret=1
-grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example >dig.out.ns3.test$n
+kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n \
+  | $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}')
+grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 " dig.out.ns3.test$n >/dev/null || ret=1
+grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n >/dev/null && ret=1
 count=$(awk 'BEGIN { count = 0 }
 	    $4 == "RRSIG" && $5 == "CNAME" { count++ }
 	    END {print count}' dig.out.ns3.test$n)
@@ -266,7 +258,7 @@ test $count -eq 3 || ret=1
 id=$(awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n)
 
 keyfile=$(printf "ns3/Kinaczsk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}")
-$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1
+$SETTIME -D now+5 "${keyfile}" >settime.out.test$n || ret=1
 ($RNDCCMD 10.53.0.3 loadkeys inaczsk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -275,24 +267,24 @@ status=$((status + ret))
 echo_i "checking NSEC->NSEC3 conversion prerequisites ($n)"
 ret=0
 # these commands should result in an empty file:
-$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
-grep "NSEC3PARAM" dig.out.ns3.1.test$n > /dev/null && ret=1
-$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
-grep "NSEC3PARAM" dig.out.ns3.2.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.1.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.1.test$n >/dev/null && ret=1
+$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.2.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.2.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking NSEC3->NSEC conversion prerequisites ($n)"
 ret=0
-$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
-grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 >dig.out.ns3.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "converting zones from nsec to nsec3"
-$NSUPDATE > /dev/null 2>&1 <<END	|| status=1
+$NSUPDATE >/dev/null 2>&1 <<END || status=1
 server 10.53.0.3 ${PORT}
 zone nsec3.nsec3.example.
 update add nsec3.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
@@ -317,51 +309,50 @@ update add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
 send
 END
 
-if $SHELL ../testcrypto.sh -q RSASHA1
-then
-    # try to convert nsec-only.example; this should fail due to
-    # non-NSEC3 compatible keys
-    echo_i "preset nsec3param in unsigned zone via nsupdate ($n)"
-    ret=0
-    $NSUPDATE > nsupdate.out 2>&1 <<END && ret=1
+if $SHELL ../testcrypto.sh -q RSASHA1; then
+  # try to convert nsec-only.example; this should fail due to
+  # non-NSEC3 compatible keys
+  echo_i "preset nsec3param in unsigned zone via nsupdate ($n)"
+  ret=0
+  $NSUPDATE >nsupdate.out 2>&1 <<END && ret=1
 server 10.53.0.3 ${PORT}
 zone nsec-only.example.
 update add nsec-only.example. 3600 NSEC3PARAM 1 0 10 BEEF
 send
 END
-    if [ $ret != 0 ]; then echo_i "failed"; fi
-    status=$((status + ret))
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=$((status + ret))
 fi
 
 echo_i "checking for nsec3param in unsigned zone ($n)"
 ret=0
-$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
-grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking for nsec3param signing record ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1
-grep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.3 signing -list autonsec3.example. >signing.out.test$n 2>&1
+grep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "resetting nsec3param via rndc signing ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. > /dev/null 2>&1
-$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. >/dev/null 2>&1
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. >/dev/null 2>&1
 for i in 0 1 2 3 4 5 6 7 8 9; do
-	ret=0
-	$RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1
-	grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n > /dev/null || ret=1
-	num=$(grep "Pending " signing.out.test$n | wc -l)
-	[ $num -eq 1 ] || ret=1
-	[ $ret -eq 0 ] && break
-	echo_i "waiting ... ($i)"
-	sleep 2
+  ret=0
+  $RNDCCMD 10.53.0.3 signing -list autonsec3.example. >signing.out.test$n 2>&1
+  grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n >/dev/null || ret=1
+  num=$(grep "Pending " signing.out.test$n | wc -l)
+  [ $num -eq 1 ] || ret=1
+  [ $ret -eq 0 ] && break
+  echo_i "waiting ... ($i)"
+  sleep 2
 done
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -370,15 +361,15 @@ status=$((status + ret))
 echo_i "signing preset nsec3 zone"
 zsk=$(cat autozsk.key)
 ksk=$(cat autoksk.key)
-$SETTIME -K ns3 -P now -A now $zsk > settime.out.test$n.zsk || ret=1
-$SETTIME -K ns3 -P now -A now $ksk > settime.out.test$n.ksk || ret=1
+$SETTIME -K ns3 -P now -A now $zsk >settime.out.test$n.zsk || ret=1
+$SETTIME -K ns3 -P now -A now $ksk >settime.out.test$n.ksk || ret=1
 ($RNDCCMD 10.53.0.3 loadkeys autonsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
 
 echo_i "waiting for changes to take effect"
 sleep 3
 
 echo_i "converting zone from nsec3 to nsec"
-$NSUPDATE > /dev/null 2>&1 << END	|| status=1
+$NSUPDATE >/dev/null 2>&1 <<END || status=1
 server 10.53.0.3 ${PORT}
 zone nsec3-to-nsec.example.
 update delete nsec3-to-nsec.example. NSEC3PARAM
@@ -391,8 +382,8 @@ sleep 3
 missing=$(keyfile_to_key_id "$(cat noksk-ksk.key)")
 echo_i "checking that expired RRSIGs from missing KSK $missing are not deleted ($n)"
 ret=0
-$JOURNALPRINT ns3/noksk.example.db.jnl | \
-   awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {error=1}} END {exit error}' id=$missing || ret=1
+$JOURNALPRINT ns3/noksk.example.db.jnl \
+  | awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {error=1}} END {exit error}' id=$missing || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -401,10 +392,10 @@ missing=$(keyfile_to_key_id "$(cat nozsk-zsk.key)")
 ksk=$(keyfile_to_key_id "$(cat nozsk-ksk.key)")
 echo_i "checking that expired RRSIGs from missing ZSK $missing are replaced ($n)"
 ret=0
-$JOURNALPRINT ns3/nozsk.example.db.jnl | \
-   awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$missing || ret=1
-$JOURNALPRINT ns3/nozsk.example.db.jnl | \
-   awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1
+$JOURNALPRINT ns3/nozsk.example.db.jnl \
+  | awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$missing || ret=1
+$JOURNALPRINT ns3/nozsk.example.db.jnl \
+  | awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -413,10 +404,10 @@ inactive=$(keyfile_to_key_id "$(cat inaczsk-zsk.key)")
 ksk=$(keyfile_to_key_id "$(cat inaczsk-ksk.key)")
 echo_i "checking that expired RRSIGs from inactive ZSK $inactive are replaced ($n)"
 ret=0
-$JOURNALPRINT ns3/inaczsk.example.db.jnl | \
-   awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$inactive || ret=1
-$JOURNALPRINT ns3/inaczsk.example.db.jnl | \
-   awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1
+$JOURNALPRINT ns3/inaczsk.example.db.jnl \
+  | awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$inactive || ret=1
+$JOURNALPRINT ns3/inaczsk.example.db.jnl \
+  | awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -446,20 +437,20 @@ echo_i "dumping zone files"
 
 now="$(TZ=UTC date +%Y%m%d%H%M%S)"
 check_expiry() (
-	$DIG $DIGOPTS AXFR oldsigs.example @10.53.0.3 > dig.out.test$n
-	nearest_expiration="$(awk '$4 == "RRSIG" { print $9 }' < dig.out.test$n | sort -n | head -1)"
-	if [ "$nearest_expiration" -le "$now" ]; then
-		echo_i "failed: $nearest_expiration <= $now"
-		return 1
-	fi
+  $DIG $DIGOPTS AXFR oldsigs.example @10.53.0.3 >dig.out.test$n
+  nearest_expiration="$(awk '$4 == "RRSIG" { print $9 }' <dig.out.test$n | sort -n | head -1)"
+  if [ "$nearest_expiration" -le "$now" ]; then
+    echo_i "failed: $nearest_expiration <= $now"
+    return 1
+  fi
 )
 
 echo_i "checking expired signatures were updated ($n)"
 retry 10 check_expiry || ret=1
-$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -467,7 +458,7 @@ status=$((status + ret))
 # Check jitter distribution.
 echo_i "checking expired signatures were jittered correctly ($n)"
 ret=0
-$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 >dig.out.ns3.test$n || ret=1
 checkjitter dig.out.ns3.test$n || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -475,38 +466,37 @@ status=$((status + ret))
 
 echo_i "checking NSEC->NSEC3 conversion succeeded ($n)"
 ret=0
-$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
-grep "status: NOERROR" dig.out.ns3.ok.test$n > /dev/null || ret=1
-$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.ok.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.ok.test$n >/dev/null || ret=1
+$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking direct NSEC3 autosigning succeeded ($n)"
 ret=0
-$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
-[ -s  dig.out.ns3.ok.test$n ] || ret=1
-grep "NSEC3PARAM" dig.out.ns3.ok.test$n > /dev/null || ret=1
-$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.ok.test$n || ret=1
+[ -s dig.out.ns3.ok.test$n ] || ret=1
+grep "NSEC3PARAM" dig.out.ns3.ok.test$n >/dev/null || ret=1
+$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
 ret=0
-if $SHELL ../testcrypto.sh -q RSASHA1
-then
-    grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
+if $SHELL ../testcrypto.sh -q RSASHA1; then
+  grep "failed: REFUSED" nsupdate.out >/dev/null || ret=1
 else
-    echo_i "skip: RSASHA1 not supported"
+  echo_i "skip: RSASHA1 not supported"
 fi
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -515,39 +505,39 @@ status=$((status + ret))
 echo_i "checking NSEC3->NSEC conversion succeeded ($n)"
 ret=0
 # this command should result in an empty file:
-$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
-grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1
-$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 >dig.out.ns3.nx.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.nx.test$n >/dev/null && ret=1
+$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. >/dev/null 2>&1
 # this command should result in an empty file:
 no_nsec3param() (
- $DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || return 1
- grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && return 1
- return 0
+  $DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.nx.test$n || return 1
+  grep "NSEC3PARAM" dig.out.ns3.nx.test$n >/dev/null && return 1
+  return 0
 )
 retry_quiet 10 no_nsec3param || ret=1
-$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking TTLs of imported DNSKEYs (no default) ($n)"
 ret=0
-$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1
 [ -s dig.out.ns3.test$n ] || ret=1
 (awk 'BEGIN {r=0} $2 != 300 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1
 n=$((n + 1))
@@ -556,7 +546,7 @@ status=$((status + ret))
 
 echo_i "checking TTLs of imported DNSKEYs (with default) ($n)"
 ret=0
-$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1
 [ -s dig.out.ns3.test$n ] || ret=1
 (awk 'BEGIN {r=0} $2 != 60 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1
 n=$((n + 1))
@@ -565,7 +555,7 @@ status=$((status + ret))
 
 echo_i "checking TTLs of imported DNSKEYs (mismatched) ($n)"
 ret=0
-$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1
 [ -s dig.out.ns3.test$n ] || ret=1
 (awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1
 n=$((n + 1))
@@ -574,7 +564,7 @@ status=$((status + ret))
 
 echo_i "checking TTLs of imported DNSKEYs (existing RRset) ($n)"
 ret=0
-$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1
 [ -s dig.out.ns3.test$n ] || ret=1
 (awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1
 n=$((n + 1))
@@ -583,10 +573,10 @@ status=$((status + ret))
 
 echo_i "checking positive validation NSEC ($n)"
 ret=0
-$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -594,11 +584,11 @@ status=$((status + ret))
 echo_i "checking positive validation NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.nsec3.example. \
-	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.nsec3.example. \
-	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -606,22 +596,22 @@ status=$((status + ret))
 echo_i "checking positive validation OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.optout.example. \
-	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.optout.example. \
-	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking negative validation NXDOMAIN NSEC ($n)"
 ret=0
-$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -629,12 +619,12 @@ status=$((status + ret))
 echo_i "checking negative validation NXDOMAIN NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth q.nsec3.example. \
-	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth q.nsec3.example. \
-	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -642,25 +632,25 @@ status=$((status + ret))
 echo_i "checking negative validation NXDOMAIN OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth q.optout.example. \
-	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth q.optout.example. \
-	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking negative validation NODATA NSEC ($n)"
 ret=0
-$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
-$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -668,13 +658,13 @@ status=$((status + ret))
 echo_i "checking negative validation NODATA NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.nsec3.example. \
-	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
+  @10.53.0.3 txt >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.nsec3.example. \
-	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+  @10.53.0.4 txt >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -682,13 +672,13 @@ status=$((status + ret))
 echo_i "checking negative validation NODATA OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.optout.example. \
-	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
+  @10.53.0.3 txt >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.optout.example. \
-	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+  @10.53.0.4 txt >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -697,12 +687,12 @@ status=$((status + ret))
 
 echo_i "checking 1-server insecurity proof NSEC ($n)"
 ret=0
-$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -710,13 +700,13 @@ status=$((status + ret))
 echo_i "checking 1-server negative insecurity proof NSEC ($n)"
 ret=0
 $DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \
-	> dig.out.ns3.test$n || ret=1
+  >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
-	> dig.out.ns4.test$n || ret=1
+  >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -726,12 +716,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation NSEC/NSEC ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.secure.example. \
-	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.secure.example. \
-	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -739,12 +729,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.nsec3.example. \
-	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.nsec3.example. \
-	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -752,12 +742,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.optout.example. \
-	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.optout.example. \
-	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -765,12 +755,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.secure.nsec3.example. \
-	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.secure.nsec3.example. \
-	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -778,12 +768,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
-	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
-	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -791,12 +781,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.optout.nsec3.example. \
-	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.optout.nsec3.example. \
-	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -804,12 +794,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.secure.optout.example. \
-	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.secure.optout.example. \
-	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -817,12 +807,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.nsec3.optout.example. \
-	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.nsec3.optout.example. \
-	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -830,12 +820,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.optout.optout.example. \
-	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.optout.optout.example. \
-	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -843,11 +833,11 @@ status=$((status + ret))
 echo_i "checking empty NODATA OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth empty.optout.example. \
-	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth empty.optout.example. \
-	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
 #grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -858,13 +848,13 @@ status=$((status + ret))
 echo_i "checking 2-server insecurity proof ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \
-	> dig.out.ns2.test$n || ret=1
+  >dig.out.ns2.test$n || ret=1
 $DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \
-	> dig.out.ns4.test$n || ret=1
+  >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -873,43 +863,43 @@ status=$((status + ret))
 
 echo_i "checking 2-server insecurity proof with a negative answer ($n)"
 ret=0
-$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
-	|| ret=1
-$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
-	|| ret=1
+$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a >dig.out.ns2.test$n \
+  || ret=1
+$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a >dig.out.ns4.test$n \
+  || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking security root query ($n)"
 ret=0
-$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS . @10.53.0.4 key >dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking positive validation RSASHA256 NSEC ($n)"
 ret=0
-$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking positive validation RSASHA512 NSEC ($n)"
 ret=0
-$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -917,12 +907,12 @@ status=$((status + ret))
 echo_i "checking that positive validation in a privately secure zone works ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \
-	> dig.out.ns2.test$n || ret=1
+  >dig.out.ns2.test$n || ret=1
 $DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \
-	> dig.out.ns4.test$n || ret=1
+  >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -930,22 +920,22 @@ status=$((status + ret))
 echo_i "checking that negative validation in a privately secure zone works ($n)"
 ret=0
 $DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \
-	> dig.out.ns2.test$n || ret=1
+  >dig.out.ns2.test$n || ret=1
 $DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \
-	> dig.out.ns4.test$n || ret=1
+  >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking privately secure to nxdomain works ($n)"
 ret=0
-$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -955,9 +945,9 @@ status=$((status + ret))
 
 echo_i "checking that validation returns insecure due to revoked trusted key ($n)"
 ret=0
-$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "flags:.*; QUERY" dig.out.ns5.test$n > /dev/null || ret=1
-grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+$DIG $DIGOPTS example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1
+grep "flags:.*; QUERY" dig.out.ns5.test$n >/dev/null || ret=1
+grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -965,8 +955,8 @@ status=$((status + ret))
 echo_i "checking that revoked key is present ($n)"
 ret=0
 id=$(cat rev.key)
-$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -974,8 +964,8 @@ status=$((status + ret))
 echo_i "checking that revoked key self-signs ($n)"
 ret=0
 id=$(cat rev.key)
-$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -983,8 +973,8 @@ status=$((status + ret))
 echo_i "checking for unpublished key ($n)"
 ret=0
 id=$(keyfile_to_key_id "$(cat unpub.key)")
-$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -992,8 +982,8 @@ status=$((status + ret))
 echo_i "checking for activated but unpublished key ($n)"
 ret=0
 id=$(keyfile_to_key_id "$(cat activate-now-publish-1day.key)")
-$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1001,8 +991,8 @@ status=$((status + ret))
 echo_i "checking that standby key does not sign records ($n)"
 ret=0
 id=$(keyfile_to_key_id "$(cat standby.key)")
-$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1010,8 +1000,8 @@ status=$((status + ret))
 echo_i "checking that deactivated key does not sign records  ($n)"
 ret=0
 id=$(keyfile_to_key_id "$(cat inact.key)")
-$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1021,7 +1011,7 @@ ret=0
 id=$(keyfile_to_key_id "$(cat nopriv.key)")
 file="ns1/$(cat nopriv.key).key"
 keydata=$(grep DNSKEY $file)
-$NSUPDATE > /dev/null 2>&1 <<END	|| status=1
+$NSUPDATE >/dev/null 2>&1 <<END || status=1
 server 10.53.0.1 ${PORT}
 zone .
 ttl 3600
@@ -1029,8 +1019,8 @@ update add $keydata
 send
 END
 sleep 1
-$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1038,27 +1028,27 @@ status=$((status + ret))
 echo_i "checking key deletion ($n)"
 ret=0
 id=$(keyfile_to_key_id "$(cat del.key)")
-$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking secure-to-insecure transition, nsupdate ($n)"
 ret=0
-$NSUPDATE > /dev/null 2>&1 <<END	|| status=1
+$NSUPDATE >/dev/null 2>&1 <<END || status=1
 server 10.53.0.3 ${PORT}
 zone secure-to-insecure.example
 update delete secure-to-insecure.example dnskey
 send
 END
 for i in 0 1 2 3 4 5 6 7 8 9; do
-	ret=0
-	$DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
-	grep -E '(RRSIG|DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1
-	[ $ret -eq 0 ] && break
-	echo_i "waiting ... ($i)"
-	sleep 2
+  ret=0
+  $DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 >dig.out.ns3.test$n || ret=1
+  grep -E '(RRSIG|DNSKEY|NSEC)' dig.out.ns3.test$n >/dev/null && ret=1
+  [ $ret -eq 0 ] && break
+  echo_i "waiting ... ($i)"
+  sleep 2
 done
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1067,17 +1057,17 @@ status=$((status + ret))
 echo_i "checking secure-to-insecure transition, scheduled ($n)"
 ret=0
 file="ns3/$(cat del1.key).key"
-$SETTIME -I now -D now $file > settime.out.test$n.1 || ret=1
+$SETTIME -I now -D now $file >settime.out.test$n.1 || ret=1
 file="ns3/$(cat del2.key).key"
-$SETTIME -I now -D now $file > settime.out.test$n.2 || ret=1
+$SETTIME -I now -D now $file >settime.out.test$n.2 || ret=1
 ($RNDCCMD 10.53.0.3 sign secure-to-insecure2.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
 for i in 0 1 2 3 4 5 6 7 8 9; do
-	ret=0
-	$DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
-	grep -E '(RRSIG|DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1
-	[ $ret -eq 0 ] && break
-	echo_i "waiting ... ($i)"
-	sleep 2
+  ret=0
+  $DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 >dig.out.ns3.test$n || ret=1
+  grep -E '(RRSIG|DNSKEY|NSEC3)' dig.out.ns3.test$n >/dev/null && ret=1
+  [ $ret -eq 0 ] && break
+  echo_i "waiting ... ($i)"
+  sleep 2
 done
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1086,7 +1076,7 @@ status=$((status + ret))
 echo_i "checking jitter in a newly signed NSEC3 zone ($n)"
 ret=0
 # Use DNS UPDATE to add an NSEC3PARAM record into the zone.
-$NSUPDATE > nsupdate.out.test$n 2>&1 <<END || ret=1
+$NSUPDATE >nsupdate.out.test$n 2>&1 <<END || ret=1
 server 10.53.0.3 ${PORT}
 zone jitter.nsec3.example.
 update add jitter.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
@@ -1094,19 +1084,19 @@ send
 END
 [ $ret != 0 ] && echo_i "error: dynamic update add NSEC3PARAM failed"
 # Create DNSSEC keys in the zone directory.
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 jitter.nsec3.example > /dev/null
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 jitter.nsec3.example >/dev/null
 # Trigger zone signing.
 ($RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
 # Wait until zone has been signed.
 check_if_nsec3param_exists() {
-	$DIG $DIGOPTS NSEC3PARAM jitter.nsec3.example @10.53.0.3 > dig.out.ns3.1.test$n || return 1
-	grep -q "^jitter\.nsec3\.example\..*NSEC3PARAM" dig.out.ns3.1.test$n || return 1
+  $DIG $DIGOPTS NSEC3PARAM jitter.nsec3.example @10.53.0.3 >dig.out.ns3.1.test$n || return 1
+  grep -q "^jitter\.nsec3\.example\..*NSEC3PARAM" dig.out.ns3.1.test$n || return 1
 }
 retry_quiet 40 check_if_nsec3param_exists || {
-	echo_i "error: NSEC3PARAM not present yet"
-	ret=1
+  echo_i "error: NSEC3PARAM not present yet"
+  ret=1
 }
-$DIG $DIGOPTS AXFR jitter.nsec3.example @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
+$DIG $DIGOPTS AXFR jitter.nsec3.example @10.53.0.3 >dig.out.ns3.2.test$n || ret=1
 # Check jitter distribution.
 checkjitter dig.out.ns3.2.test$n || ret=1
 n=$((n + 1))
@@ -1118,17 +1108,16 @@ ret=0
 oldserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}')
 oldinception=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u)
 
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example >/dev/null
 
 ($RNDCCMD 10.53.0.3 sign prepub.example 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
 newserial=$oldserial
 try=0
-while [ $oldserial -eq $newserial -a $try -lt 42 ]
-do
-	newserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 |
-		 awk '$0 !~ /SOA/ {print $3}')
-	sleep 1
-	try=$((try + 1))
+while [ $oldserial -eq $newserial -a $try -lt 42 ]; do
+  newserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 \
+    | awk '$0 !~ /SOA/ {print $3}')
+  sleep 1
+  try=$((try + 1))
 done
 newinception=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u)
 #echo "$oldserial : $newserial"
@@ -1151,8 +1140,8 @@ oldfile=$(cat active.key)
 oldid=$(keyfile_to_key_id "$(cat active.key)")
 newfile=$(cat standby.key)
 newid=$(keyfile_to_key_id "$(cat standby.key)")
-$SETTIME -K ns1 -I now+2s -D now+25 $oldfile > settime.out.test$n.1 || ret=1
-$SETTIME -K ns1 -i 0 -S $oldfile $newfile > settime.out.test$n.2 || ret=1
+$SETTIME -K ns1 -I now+2s -D now+25 $oldfile >settime.out.test$n.1 || ret=1
+$SETTIME -K ns1 -i 0 -S $oldfile $newfile >settime.out.test$n.2 || ret=1
 
 # note previous zone serial number
 oldserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}')
@@ -1161,7 +1150,7 @@ oldserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}')
 sleep 4
 
 echo_i "revoking key to duplicated key ID"
-$SETTIME -R now -K ns2 Kbar.+013+59973.key > settime.out.test$n.3 || ret=1
+$SETTIME -R now -K ns2 Kbar.+013+59973.key >settime.out.test$n.3 || ret=1
 
 ($RNDCCMD 10.53.0.2 loadkeys bar. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
 
@@ -1170,17 +1159,17 @@ sleep 5
 
 echo_i "checking former standby key $newid is now active ($n)"
 ret=0
-$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking former standby key has only signed incrementally ($n)"
 ret=0
-$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
-grep 'RRSIG.*'" $oldid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS txt . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n >/dev/null && ret=1
+grep 'RRSIG.*'" $oldid "'\. ' dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1189,15 +1178,15 @@ echo_i "checking that signing records have been marked as complete ($n)"
 ret=0
 checkprivate . 10.53.0.1 || ret=1
 checkprivate bar 10.53.0.2 || ret=1
-checkprivate example 10.53.0.2 0 type65280 || ret=1 # sig-signing-type 65280
+checkprivate example 10.53.0.2 0 type65280 || ret=1      # sig-signing-type 65280
 checkprivate private.secure.example 10.53.0.3 2 || ret=1 # pre-signed
 checkprivate nsec3.example 10.53.0.3 || ret=1
 checkprivate nsec3.nsec3.example 10.53.0.3 || ret=1
 checkprivate nsec3.optout.example 10.53.0.3 || ret=1
-checkprivate nsec3-to-nsec.example 10.53.0.3 2 || ret=1 # automatically removed
-if $SHELL ../testcrypto.sh -q RSASHA1
-then
-    checkprivate nsec-only.example 10.53.0.3 || ret=1
+checkprivate nsec3-to-nsec.example 10.53.0.3 2 || ret=1  # automatically removed
+checkprivate nsec3-to-nsec3.example 10.53.0.3 2 || ret=1 # automatically removed
+if $SHELL ../testcrypto.sh -q RSASHA1; then
+  checkprivate nsec-only.example 10.53.0.3 || ret=1
 fi
 checkprivate oldsigs.example 10.53.0.3 2 || ret=1 # pre-signed
 checkprivate optout.example 10.53.0.3 || ret=1
@@ -1209,8 +1198,8 @@ checkprivate rsasha512.example 10.53.0.3 || ret=1
 checkprivate secure.example 10.53.0.3 || ret=1
 checkprivate secure.nsec3.example 10.53.0.3 || ret=1
 checkprivate secure.optout.example 10.53.0.3 || ret=1
-checkprivate secure-to-insecure2.example 10.53.0.3 2|| ret=1 # automatically removed
-checkprivate secure-to-insecure.example 10.53.0.3 2 || ret=1 # automatically removed
+checkprivate secure-to-insecure2.example 10.53.0.3 2 || ret=1 # automatically removed
+checkprivate secure-to-insecure.example 10.53.0.3 2 || ret=1  # automatically removed
 checkprivate ttl1.example 10.53.0.3 || ret=1
 checkprivate ttl2.example 10.53.0.3 || ret=1
 checkprivate ttl3.example 10.53.0.3 || ret=1
@@ -1226,8 +1215,8 @@ sleep 5
 
 echo_i "checking former standby key has now signed fully ($n)"
 ret=0
-$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS txt . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1245,11 +1234,11 @@ ret=0
 zsk=$(cat delayzsk.key)
 ksk=$(cat delayksk.key)
 # publication and activation times should be unset
-$SETTIME -K ns3 -pA -pP $zsk > settime.out.test$n.zsk || ret=1
+$SETTIME -K ns3 -pA -pP $zsk >settime.out.test$n.zsk || ret=1
 grep -v UNSET settime.out.test$n.zsk >/dev/null && ret=1
-$SETTIME -K ns3 -pA -pP $ksk > settime.out.test$n.ksk || ret=1
+$SETTIME -K ns3 -pA -pP $ksk >settime.out.test$n.ksk || ret=1
 grep -v UNSET settime.out.test$n.ksk >/dev/null && ret=1
-$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1
 # DNSKEY not expected:
 awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
 n=$((n + 1))
@@ -1260,14 +1249,14 @@ echo_i "checking scheduled key publication, not activation ($n)"
 ret=0
 # Ensure initial zone is loaded.
 wait_for_notifies "delay.example" "ns3" || ret=1
-$SETTIME -K ns3 -P now+3s -A none $zsk > settime.out.test$n.zsk || ret=1
-$SETTIME -K ns3 -P now+3s -A none $ksk > settime.out.test$n.ksk || ret=1
+$SETTIME -K ns3 -P now+3s -A none $zsk >settime.out.test$n.zsk || ret=1
+$SETTIME -K ns3 -P now+3s -A none $ksk >settime.out.test$n.ksk || ret=1
 ($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
 echo_i "waiting for changes to take effect"
 sleep 3
 wait_for_notifies "delay.example" "ns3" || ret=1
 
-$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1
 # DNSKEY expected:
 awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || ret=1
 # RRSIG not expected:
@@ -1278,19 +1267,19 @@ status=$((status + ret))
 
 echo_i "checking scheduled key activation ($n)"
 ret=0
-$SETTIME -K ns3 -A now+3s $zsk > settime.out.test$n.zsk || ret=1
-$SETTIME -K ns3 -A now+3s $ksk > settime.out.test$n.ksk || ret=1
+$SETTIME -K ns3 -A now+3s $zsk >settime.out.test$n.zsk || ret=1
+$SETTIME -K ns3 -A now+3s $ksk >settime.out.test$n.ksk || ret=1
 ($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
 echo_i "waiting for changes to take effect"
 sleep 3
 wait_for_log_re 10 "add delay\.example\..*NSEC.a\.delay\.example\. NS SOA RRSIG NSEC DNSKEY" ns3/named.run
 check_is_signed() {
-  $DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.1.test$n || return 1
+  $DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 >dig.out.ns3.1.test$n || return 1
   # DNSKEY expected:
   awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.1.test$n || return 1
   # RRSIG expected:
   awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.1.test$n || return 1
-  $DIG $DIGOPTS +noall +answer a a.delay.example. @10.53.0.3 > dig.out.ns3.2.test$n || return 1
+  $DIG $DIGOPTS +noall +answer a a.delay.example. @10.53.0.3 >dig.out.ns3.2.test$n || return 1
   # A expected:
   awk 'BEGIN {r=1} $4=="A" {r=0} END {exit r}' dig.out.ns3.2.test$n || return 1
   # RRSIG expected:
@@ -1310,12 +1299,15 @@ echo_i "checking former active key was removed ($n)"
 now=$($PERL -e 'print time(), "\n";')
 sleep=$((starttime + 29 - now))
 case $sleep in
--*|0);;
-*) echo_i "waiting for timer to have activated"; sleep $sleep;;
+  -* | 0) ;;
+  *)
+    echo_i "waiting for timer to have activated"
+    sleep $sleep
+    ;;
 esac
 ret=0
-$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep '; key id = '"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep '; key id = '"$oldid"'$' dig.out.ns1.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1323,8 +1315,8 @@ status=$((status + ret))
 echo_i "checking private key file removal caused no immediate harm ($n)"
 ret=0
 id=$(keyfile_to_key_id "$(cat vanishing.key)")
-$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1333,12 +1325,12 @@ echo_i "checking revoked key with duplicate key ID ($n)"
 ret=0
 id=59973
 rid=60101
-$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || ret=1
-grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 >dig.out.ns2.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns2.test$n >/dev/null && ret=1
 keys=$(grep '; key id = '"$rid"'$' dig.out.ns2.test$n | wc -l)
 test $keys -eq 2 || ret=1
-$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS dnskey bar @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1356,10 +1348,10 @@ status=$((status + ret))
 # this confirms that key events are never scheduled more than
 # 'dnssec-loadkeys-interval' minutes in the future, and that the
 # event scheduled is within 10 seconds of expected interval.
-check_interval () {
-        awk '/next key event/ {print $2 ":" $9}' $1/named.run |
-	sed -e 's/\.//g' -e 's/:0\{1,4\}/:/g' |
-            awk -F: '
+check_interval() {
+  awk '/next key event/ {print $2 ":" $9}' $1/named.run \
+    | sed -e 's/\.//g' -e 's/:0\{1,4\}/:/g' \
+    | awk -F: '
                      {
                        x = ($6+ $5*60000 + $4*3600000) - ($3+ $2*60000 + $1*3600000);
 		       # abs(x) < 1000 ms treat as 'now'
@@ -1377,7 +1369,7 @@ check_interval () {
                          exit (1);
                      }
                      END { if (int(x) > int(interval) || int(x) < int(interval-10)) exit(1) }' interval=$2 || return $?
-        return 0
+  return 0
 }
 
 echo_i "checking automatic key reloading interval ($n)"
@@ -1403,8 +1395,8 @@ echo_i "forcing full sign with unreadable keys ($n)"
 ret=0
 chmod 0 ns1/K.+*+*.key ns1/K.+*+*.private || ret=1
 ($RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
-$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
-grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS . @10.53.0.1 dnskey >dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1419,12 +1411,12 @@ rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l)
 ($RNDCCMD 10.53.0.3 modzone reconf.example '{ type primary; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
 rndc_reconfig ns3 10.53.0.3
 for i in 0 1 2 3 4 5 6 7 8 9; do
-    lret=0
-    rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l)
-    [ "$rekey_calls" -gt 0 ] || lret=1
-    if [ "$lret" -eq 0 ]; then break; fi
-    echo_i "waiting ... ($i)"
-    sleep 1
+  lret=0
+  rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l)
+  [ "$rekey_calls" -gt 0 ] || lret=1
+  if [ "$lret" -eq 0 ]; then break; fi
+  echo_i "waiting ... ($i)"
+  sleep 1
 done
 n=$((n + 1))
 if [ "$lret" != 0 ]; then ret=$lret; fi
@@ -1433,19 +1425,19 @@ status=$((status + ret))
 
 echo_i "test CDS and CDNSKEY auto generation ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
-$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
-grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null || ret=1
-grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 sync.example cds >dig.out.ns3.cdstest$n
+$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey >dig.out.ns3.cdnskeytest$n
+grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n >/dev/null || ret=1
+grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "test 'dnssec-dnskey-kskonly no' affects DNSKEY/CDS/CDNSKEY ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 sync.example dnskey > dig.out.ns3.dnskeytest$n
-$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
-$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
+$DIG $DIGOPTS @10.53.0.3 sync.example dnskey >dig.out.ns3.dnskeytest$n
+$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey >dig.out.ns3.cdnskeytest$n
+$DIG $DIGOPTS @10.53.0.3 sync.example cds >dig.out.ns3.cdstest$n
 lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l)
 test ${lines:-0} -eq 2 || ret=1
 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l)
@@ -1458,9 +1450,9 @@ status=$((status + ret))
 
 echo_i "test 'dnssec-dnskey-kskonly yes' affects DNSKEY/CDS/CDNSKEY ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey > dig.out.ns3.dnskeytest$n
-$DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey > dig.out.ns3.cdnskeytest$n
-$DIG $DIGOPTS @10.53.0.3 kskonly.example cds > dig.out.ns3.cdstest$n
+$DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey >dig.out.ns3.dnskeytest$n
+$DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey >dig.out.ns3.cdnskeytest$n
+$DIG $DIGOPTS @10.53.0.3 kskonly.example cds >dig.out.ns3.cdstest$n
 lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l)
 test ${lines:-0} -eq 1 || ret=1
 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l)
@@ -1472,16 +1464,16 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'"
-$SETTIME -D sync now $(cat sync.key) > settime.out.test$n || ret=1
+$SETTIME -D sync now $(cat sync.key) >settime.out.test$n || ret=1
 ($RNDCCMD 10.53.0.3 loadkeys sync.example | sed 's/^/ns3 /' | cat_i) || ret=1
 
 echo_i "checking that the CDS and CDNSKEY are deleted ($n)"
 ret=0
 ensure_cds_and_cdnskey_are_deleted() {
-	$DIG $DIGOPTS @10.53.0.3 sync.example. CDS > dig.out.ns3.cdstest$n || return 1
-	awk '$1 == "sync.example." && $4 == "CDS" { exit 1; }' dig.out.ns3.cdstest$n || return 1
-	$DIG $DIGOPTS @10.53.0.3 sync.example. CDNSKEY > dig.out.ns3.cdnskeytest$n || return 1
-	awk '$1 == "sync.example." && $4 == "CDNSKEY" { exit 1; }' dig.out.ns3.cdnskeytest$n || return 1
+  $DIG $DIGOPTS @10.53.0.3 sync.example. CDS >dig.out.ns3.cdstest$n || return 1
+  awk '$1 == "sync.example." && $4 == "CDS" { exit 1; }' dig.out.ns3.cdstest$n || return 1
+  $DIG $DIGOPTS @10.53.0.3 sync.example. CDNSKEY >dig.out.ns3.cdnskeytest$n || return 1
+  awk '$1 == "sync.example." && $4 == "CDNSKEY" { exit 1; }' dig.out.ns3.cdnskeytest$n || return 1
 }
 retry 10 ensure_cds_and_cdnskey_are_deleted || ret=1
 n=$((n + 1))
@@ -1490,7 +1482,7 @@ status=$((status + ret))
 
 echo_i "check that dnssec-settime -p Dsync works ($n)"
 ret=0
-$SETTIME -p Dsync $(cat sync.key) > settime.out.test$n || ret=1
+$SETTIME -p Dsync $(cat sync.key) >settime.out.test$n || ret=1
 grep "SYNC Delete:" settime.out.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1498,7 +1490,7 @@ status=$((status + ret))
 
 echo_i "check that dnssec-settime -p Psync works ($n)"
 ret=0
-$SETTIME -p Psync $(cat sync.key) > settime.out.test$n || ret=1
+$SETTIME -p Psync $(cat sync.key) >settime.out.test$n || ret=1
 grep "SYNC Publish:" settime.out.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1506,17 +1498,17 @@ status=$((status + ret))
 
 echo_i "check that zone with inactive KSK and active ZSK is properly autosigned ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n
+$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example >dig.out.ns3.test$n
 
-zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
-       $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' )
+zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n \
+  | $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}')
 pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
-grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
+grep "${pattern}" dig.out.ns3.test$n >/dev/null || ret=1
 
-kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
-       $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' )
+kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n \
+  | $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}')
 pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${kskid} "
-grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
+grep "${pattern}" dig.out.ns3.test$n >/dev/null && ret=1
 
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1524,8 +1516,8 @@ status=$((status + ret))
 
 echo_i "check that zone with inactive ZSK and active KSK is properly autosigned ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n
-grep "SOA ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example >dig.out.ns3.test$n
+grep "SOA ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1538,12 +1530,12 @@ echo_ic "resigned after the active KSK is deleted - stage 2: Verify that DNSKEY"
 echo_ic "is now signed with the ZSK. ($n)"
 ret=0
 
-$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
+$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example >dig.out.ns3.test$n
 
-zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
-       $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' )
+zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n \
+  | $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}')
 pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
-grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
+grep "${pattern}" dig.out.ns3.test$n >/dev/null || ret=1
 
 count=$(awk 'BEGIN { count = 0 }
        $4 == "RRSIG" && $5 == "DNSKEY" { count++ }
@@ -1566,10 +1558,10 @@ echo_i "check that zone with active and inactive ZSK and active KSK is properly"
 echo_ic "resigned after the active ZSK is deleted - stage 2: Verify that zone"
 echo_ic "is now signed with the KSK. ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
-kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
-       $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' )
-grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example >dig.out.ns3.test$n
+kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n \
+  | $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}')
+grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n >/dev/null || ret=1
 count=$(awk 'BEGIN { count = 0 }
        $4 == "RRSIG" && $5 == "CNAME" { count++ }
        END {print count}' dig.out.ns3.test$n)
@@ -1585,45 +1577,54 @@ status=$((status + ret))
 echo_i "checking for out-of-zone NSEC3 records after ZSK removal ($n)"
 ret=0
 # Switch the zone over to NSEC3 and wait until the transition is complete.
-$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 12345678 delzsk.example. > signing.out.1.test$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 12345678 delzsk.example. >signing.out.1.test$n 2>&1 || ret=1
 for i in 0 1 2 3 4 5 6 7 8 9; do
-	_ret=1
-	$DIG $DIGOPTS delzsk.example NSEC3PARAM @10.53.0.3 > dig.out.ns3.1.test$n 2>&1 || ret=1
-	{ grep "NSEC3PARAM.*12345678" dig.out.ns3.1.test$n > /dev/null 2>&1; rc=$?; } || true
-	if [ $rc -eq 0 ]; then
-		$RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.2.test$n 2>&1
-		{ grep "Creating NSEC3 chain " signing.out.2.test$n > /dev/null 2>&1; rc=$?; } || true
-		if [ $rc -ne 0 ]; then
-			_ret=0
-			break
-		fi
-	fi
-	sleep 1
+  _ret=1
+  $DIG $DIGOPTS delzsk.example NSEC3PARAM @10.53.0.3 >dig.out.ns3.1.test$n 2>&1 || ret=1
+  {
+    grep "NSEC3PARAM.*12345678" dig.out.ns3.1.test$n >/dev/null 2>&1
+    rc=$?
+  } || true
+  if [ $rc -eq 0 ]; then
+    $RNDCCMD 10.53.0.3 signing -list delzsk.example >signing.out.2.test$n 2>&1
+    {
+      grep "Creating NSEC3 chain " signing.out.2.test$n >/dev/null 2>&1
+      rc=$?
+    } || true
+    if [ $rc -ne 0 ]; then
+      _ret=0
+      break
+    fi
+  fi
+  sleep 1
 done
 if [ $_ret -ne 0 ]; then
-	echo_i "timed out waiting for NSEC3 chain creation"
-	ret=1
+  echo_i "timed out waiting for NSEC3 chain creation"
+  ret=1
 fi
 # Mark the inactive ZSK as pending removal.
 file="ns3/$(cat delzsk.key).key"
-$SETTIME -D now-1h $file > settime.out.test$n || ret=1
+$SETTIME -D now-1h $file >settime.out.test$n || ret=1
 # Trigger removal of the inactive ZSK and wait until its completion.
 ($RNDCCMD 10.53.0.3 loadkeys delzsk.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
 for i in 0 1 2 3 4 5 6 7 8 9; do
-	_ret=1
-	$RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.3.test$n 2>&1
-	{ grep "Signing " signing.out.3.test$n > /dev/null 2>&1; rc=$?; } || true
-	if [ $rc -ne 0 ]; then
-		if [ $(grep "Done signing " signing.out.3.test$n | wc -l) -eq 2 ]; then
-			_ret=0
-			break
-		fi
-	fi
-	sleep 1
+  _ret=1
+  $RNDCCMD 10.53.0.3 signing -list delzsk.example >signing.out.3.test$n 2>&1
+  {
+    grep "Signing " signing.out.3.test$n >/dev/null 2>&1
+    rc=$?
+  } || true
+  if [ $rc -ne 0 ]; then
+    if [ $(grep "Done signing " signing.out.3.test$n | wc -l) -eq 2 ]; then
+      _ret=0
+      break
+    fi
+  fi
+  sleep 1
 done
 if [ $_ret -ne 0 ]; then
-	echo_i "timed out waiting for key removal"
-	ret=1
+  echo_i "timed out waiting for key removal"
+  ret=1
 fi
 # Check whether key removal caused NSEC3 records to be erroneously created for
 # glue records due to a secure delegation already being signed by the active key
@@ -1634,26 +1635,26 @@ fi
 #     $ nsec3hash 12345678 1 10 ns.sub.delzsk.example.
 #     589R358VSPJUFVAJU949JPVF74D9PTGH (salt=12345678, hash=1, iterations=10)
 #
-$DIG $DIGOPTS delzsk.example AXFR @10.53.0.3 > dig.out.ns3.3.test$n || ret=1
-grep "589R358VSPJUFVAJU949JPVF74D9PTGH" dig.out.ns3.3.test$n > /dev/null 2>&1 && ret=1
+$DIG $DIGOPTS delzsk.example AXFR @10.53.0.3 >dig.out.ns3.3.test$n || ret=1
+grep "589R358VSPJUFVAJU949JPVF74D9PTGH" dig.out.ns3.3.test$n >/dev/null 2>&1 && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)"
 ret=0
-$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
-grep "RRSIG NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 >dig.out.ns3.test$n || ret=1
+grep "RRSIG NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking that DNAME is not treated as a delegation when signing ($n)"
 ret=0
-$DIG $DIGOPTS dname-and-txt.secure.example. DNAME @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
-grep "dname-and-txt.secure.example.*RRSIG.*DNAME" dig.out.ns3.1.test$n > /dev/null 2>&1 || ret=1
-$DIG $DIGOPTS dname-and-txt.secure.example. TXT @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
-grep "dname-and-txt.secure.example.*RRSIG.*TXT" dig.out.ns3.2.test$n > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS dname-and-txt.secure.example. DNAME @10.53.0.3 >dig.out.ns3.1.test$n || ret=1
+grep "dname-and-txt.secure.example.*RRSIG.*DNAME" dig.out.ns3.1.test$n >/dev/null 2>&1 || ret=1
+$DIG $DIGOPTS dname-and-txt.secure.example. TXT @10.53.0.3 >dig.out.ns3.2.test$n || ret=1
+grep "dname-and-txt.secure.example.*RRSIG.*TXT" dig.out.ns3.2.test$n >/dev/null 2>&1 || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1677,7 +1678,7 @@ status=$((status + ret))
 echo_i "checking that CDS (DELETE) persists after zone sign ($n)"
 echo_i "update add cds-delete.example. CDS 0 0 00"
 ret=0
-$NSUPDATE > nsupdate.out 2>&1 <<END
+$NSUPDATE >nsupdate.out 2>&1 <<END
 server 10.53.0.3 ${PORT}
 zone cds-delete.example.
 update add cds-delete.example. 3600 CDS 0 0 0 00
@@ -1685,14 +1686,14 @@ send
 END
 
 _cds_delete() (
-	$DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 > dig.out.ns3.test$n || return 1
-	grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 || return 1
-	return 0
+  $DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 >dig.out.ns3.test$n || return 1
+  grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n >/dev/null 2>&1 || return 1
+  return 0
 )
 _cdnskey_delete_nx() {
-	$DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1
-	grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 && return 1
-	return 0
+  $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 >dig.out.ns3.test$n || return 1
+  grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n >/dev/null 2>&1 && return 1
+  return 0
 }
 
 echo_i "query cds-delete.example. CDS"
@@ -1702,7 +1703,7 @@ retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1
 
 echo_i "sign cds-delete.example."
 nextpart ns3/named.run >/dev/null
-$RNDCCMD 10.53.0.3 sign cds-delete.example > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 sign cds-delete.example >/dev/null 2>&1 || ret=1
 wait_for_log 10 "zone cds-delete.example/IN: next key event" ns3/named.run
 # The CDS (DELETE) record should still be here.
 echo_i "query cds-delete.example. CDS"
@@ -1718,7 +1719,7 @@ status=$((status + ret))
 echo_i "checking that CDNSKEY (DELETE) persists after zone sign ($n)"
 echo_i "update add cdnskey-delete.example. CDNSKEY 0 3 0 AA=="
 ret=0
-$NSUPDATE > nsupdate.out 2>&1 <<END
+$NSUPDATE >nsupdate.out 2>&1 <<END
 server 10.53.0.3 ${PORT}
 zone cdnskey-delete.example.
 update add cdnskey-delete.example. 3600 CDNSKEY 0 3 0 AA==
@@ -1726,14 +1727,14 @@ send
 END
 
 _cds_delete_nx() (
-	$DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 > dig.out.ns3.test$n || return 1
-	grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 && return 1
-	return 0
+  $DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 >dig.out.ns3.test$n || return 1
+  grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n >/dev/null 2>&1 && return 1
+  return 0
 )
 _cdnskey_delete() {
-	$DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1
-	grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 || return 1
-	return 0
+  $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 >dig.out.ns3.test$n || return 1
+  grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n >/dev/null 2>&1 || return 1
+  return 0
 }
 
 echo_i "query cdnskey-delete.example. CDNSKEY"
@@ -1743,7 +1744,7 @@ retry_quiet 1 _cds_delete_nx cdnskey-delete.example. || ret=1
 
 echo_i "sign cdsnskey-delete.example."
 nextpart ns3/named.run >/dev/null
-$RNDCCMD 10.53.0.3 sign cdnskey-delete.example > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 sign cdnskey-delete.example >/dev/null 2>&1 || ret=1
 wait_for_log 10 "zone cdnskey-delete.example/IN: next key event" ns3/named.run
 # The CDNSKEY (DELETE) record should still be here.
 echo_i "query cdnskey-delete.example. CDNSKEY"
@@ -1761,40 +1762,80 @@ ret=0
 zone=optout-with-ent
 hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL
 # check that NSEC3 for ENT is present
-$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n
+$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.pre.ns2.test$n
 grep "status: NOERROR" dig.out.pre.ns2.test$n >/dev/null || ret=1
-grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n > /dev/null || ret=1
-grep "^${hash}.${zone}." dig.out.pre.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n >/dev/null || ret=1
+grep "^${hash}.${zone}." dig.out.pre.ns2.test$n >/dev/null || ret=1
 # remove first delegation of two delegations, NSEC3 for ENT should remain.
 (
-echo zone $zone
-echo server 10.53.0.2 "$PORT"
-echo update del sub1.ent.$zone NS
-echo send
+  echo zone $zone
+  echo server 10.53.0.2 "$PORT"
+  echo update del sub1.ent.$zone NS
+  echo send
 ) | $NSUPDATE
 # check that NSEC3 for ENT is still present
-$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n
-$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.mid.ns2.test$n
+$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.pre.ns2.test$n
+$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.mid.ns2.test$n
 grep "status: NOERROR" dig.out.mid.ns2.test$n >/dev/null || ret=1
-grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n > /dev/null || ret=1
-grep "^${hash}.${zone}." dig.out.mid.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n >/dev/null || ret=1
+grep "^${hash}.${zone}." dig.out.mid.ns2.test$n >/dev/null || ret=1
 # remove second delegation of two delegations, NSEC3 for ENT should be deleted.
 (
-echo zone $zone
-echo server 10.53.0.2 "$PORT"
-echo update del sub2.ent.$zone NS
-echo send
+  echo zone $zone
+  echo server 10.53.0.2 "$PORT"
+  echo update del sub2.ent.$zone NS
+  echo send
 ) | $NSUPDATE
 # check that NSEC3 for ENT is gone present
-$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.post.ns2.test$n
+$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.post.ns2.test$n
 grep "status: NXDOMAIN" dig.out.post.ns2.test$n >/dev/null || ret=1
-grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n > /dev/null || ret=1
-grep "^${hash}.${zone}." dig.out.post.ns2.test$n > /dev/null && ret=1
-$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" > dig.out.axfr.ns2.test$n
-grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n > /dev/null && ret=1
-n=$((n+1))
+grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n >/dev/null || ret=1
+grep "^${hash}.${zone}." dig.out.post.ns2.test$n >/dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" >dig.out.axfr.ns2.test$n
+grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n >/dev/null && ret=1
+n=$((n + 1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
+
+echo_i "check that the startup change from NSEC3 to NSEC is properly signed ($n)"
+ret=0
+$JOURNALPRINT ns3/nsec3-to-nsec.example.db.jnl \
+  | awk 'BEGIN { private=0; rrsig=0; ok=0 }
+$1 == "del" && $5 == "SOA" { if (private || rrsig) { if (private == rrsig) { exit(0); } else { exit(1); } } }
+$1 == "add" && $5 == "TYPE65534" { private=1 }
+$1 == "add" && $5 == "RRSIG" && $6 == "TYPE65534" { rrsig=1 }
+END { if (private || rrsig) { if (private == rrsig) { exit(0); } else { exit(1); } } else { exit (1); } }
+' || ret=1
+n=$((n + 1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "check that NSEC3 to NSEC builds the NSEC chain first ($n)"
+ret=0
+$JOURNALPRINT ns3/nsec3-to-nsec.example.db.jnl \
+  | awk 'BEGIN { nsec3param=0; nsec=0 }
+$1 == "del" && $5 == "SOA" { if (nsec3param || nsec) { if (nsec3param && !nsec) { exit(1); } else { exit(0); } } }
+$1 == "del" && $5 == "NSEC3PARAM" { nsec3param=1 }
+$1 == "add" && $2 == "nsec3-to-nsec.example." && $5 == "NSEC" { nsec=1 }
+END { if (nsec3param || nsec) { if (nsec3param && !nsec) { exit(1); } else { exit(0); } } else { exit(1); } }
+' || ret=1
+n=$((n + 1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "check that NSEC3 to NSEC3 builds the new NSEC3 chain first ($n)"
+ret=0
+$JOURNALPRINT ns3/nsec3-to-nsec3.example.db.jnl \
+  | awk 'BEGIN { addnsec3param=0; delnsec3param=0; nsec3=0 }
+$1 == "del" && $5 == "SOA" { if (delnsec3param || nsec3 || addnsec3param) { if (delnsec3param && (!nsec3 || !addnsec3param)) { exit(1); } else { exit(0); } } }
+$1 == "del" && $5 == "NSEC3PARAM" { delnsec3param=1 }
+$1 == "add" && $5 == "NSEC3PARAM" { addnsec3param=1 }
+$1 == "add" && $5 == "NSEC3" { nsec3=1 }
+END { if (delnsec3param || nsec3 || addnsec3param) { if (delnsec3param && (!nsec3 || !addnsec3param)) { exit(1); } else { exit(0); } } else { exit(1); } }
+' || ret=1
+n=$((n + 1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
 
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1