9 files changed, 481 insertions, 341 deletions

diff --git a/bin/tests/system/doth/ns1/named.conf.in b/bin/tests/system/doth/ns1/named.conf.in
index 500675f..6a8bcdb 100644
--- a/bin/tests/system/doth/ns1/named.conf.in
+++ b/bin/tests/system/doth/ns1/named.conf.in
@@ -11,7 +11,7 @@
  * information regarding copyright ownership.
  */
 
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 
 controls {
 	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
@@ -89,6 +89,7 @@ options {
 	listen-on port @EXTRAPORT4@ tls tls-expired { 10.53.0.1; };             // DoT
 	listen-on port @EXTRAPORT5@ tls tls-forward-secrecy-mutual-tls { 10.53.0.1; }; // DoT
 	listen-on port @EXTRAPORT6@ tls tls-forward-secrecy-mutual-tls http local { 10.53.0.1; }; // DoH
+	listen-on port @EXTRAPORT7@ tls tls-forward-secrecy { 10.53.0.1; }; // DoT
 	recursion no;
 	notify explicit;
 	also-notify { 10.53.0.2 port @PORT@; };
@@ -170,3 +171,27 @@ zone "example11" {
 	file "example.db";
 	allow-transfer port @EXTRAPORT5@ transport tls { any; };
 };
+
+zone "example12" {
+	type primary;
+	file "example.db";
+	allow-transfer port @EXTRAPORT7@ transport tls { any; };
+};
+
+zone "example13" {
+	type primary;
+	file "example.db";
+	allow-transfer port @EXTRAPORT7@ transport tls { any; };
+};
+
+zone "example14" {
+	type primary;
+	file "example.db";
+	allow-transfer port @EXTRAPORT7@ transport tls { any; };
+};
+
+zone "example15" {
+	type primary;
+	file "example.db";
+	allow-transfer port @EXTRAPORT7@ transport tls { any; };
+};
diff --git a/bin/tests/system/doth/ns2/named.conf.in b/bin/tests/system/doth/ns2/named.conf.in
index 3cb2042..e533f47 100644
--- a/bin/tests/system/doth/ns2/named.conf.in
+++ b/bin/tests/system/doth/ns2/named.conf.in
@@ -11,7 +11,7 @@
  * information regarding copyright ownership.
  */
 
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 
 controls {
 	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
@@ -55,7 +55,7 @@ options {
 
 zone "." {
 	type hint;
-	file "../../common/root.hint";
+	file "../../_common/root.hint";
 };
 
 tls tls-example-primary {
diff --git a/bin/tests/system/doth/ns3/named.conf.in b/bin/tests/system/doth/ns3/named.conf.in
index 74d3957..cd1ab9c 100644
--- a/bin/tests/system/doth/ns3/named.conf.in
+++ b/bin/tests/system/doth/ns3/named.conf.in
@@ -11,7 +11,7 @@
  * information regarding copyright ownership.
  */
 
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 
 controls {
 	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
@@ -48,7 +48,7 @@ options {
 
 zone "." {
 	type hint;
-	file "../../common/root.hint";
+	file "../../_common/root.hint";
 };
 
 tls tls-v1.2-pfs {
diff --git a/bin/tests/system/doth/ns4/named.conf.in b/bin/tests/system/doth/ns4/named.conf.in
index 077226a..c7c6c91 100644
--- a/bin/tests/system/doth/ns4/named.conf.in
+++ b/bin/tests/system/doth/ns4/named.conf.in
@@ -18,7 +18,7 @@
 # startup/reconfiguration was known to cause timeout issues in the CI
 # system, where many tests run in parallel.
 
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 
 controls {
 	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
@@ -56,7 +56,7 @@ options {
 
 zone "." {
 	type hint;
-	file "../../common/root.hint";
+	file "../../_common/root.hint";
 };
 
 tls tls-v1.2-pfs {
diff --git a/bin/tests/system/doth/ns5/named.conf.in b/bin/tests/system/doth/ns5/named.conf.in
new file mode 100644
index 0000000..6808618
--- /dev/null
+++ b/bin/tests/system/doth/ns5/named.conf.in
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# We need a separate instance for the "rndc reconfig" test in order to
+# ensure that it does not use ephemeral keys (these are costly to
+# generate) and creates a minimal amount of TLS contexts, reducing the
+# time needed for startup/reconfiguration. Long
+# startup/reconfiguration was known to cause timeout issues in the CI
+# system, where many tests run in parallel.
+
+include "../../_common/rndc.key";
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	tls-port @TLSPORT@;
+	https-port @HTTPSPORT@;
+	http-port @HTTPPORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	ixfr-from-differences yes;
+	check-integrity no;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "../../_common/root.hint";
+};
+
+# Let's reuse the same entry multiple times to see if transfers will succeed
+
+tls tls-v1.2 {
+	protocols { TLSv1.2; };
+	prefer-server-ciphers yes;
+};
+
+zone "example12" {
+	type secondary;
+	primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; };
+	file "example12.db";
+	allow-transfer { any; };
+};
+
+zone "example13" {
+	type secondary;
+	primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; };
+	file "example13.db";
+	allow-transfer { any; };
+};
+
+zone "example14" {
+	type secondary;
+	primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; };
+	file "example14.db";
+	allow-transfer { any; };
+};
+
+zone "example15" {
+	type secondary;
+	primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; };
+	file "example15.db";
+	allow-transfer { any; };
+};
diff --git a/bin/tests/system/doth/prereq.sh b/bin/tests/system/doth/prereq.sh
index 36a8e37..c745136 100644
--- a/bin/tests/system/doth/prereq.sh
+++ b/bin/tests/system/doth/prereq.sh
@@ -14,7 +14,7 @@
 . ../conf.sh
 
 $FEATURETEST --with-libnghttp2 || {
-	echo_i "This test requires libnghttp2 support." >&2
-	exit 255
+  echo_i "This test requires libnghttp2 support." >&2
+  exit 255
 }
 exit 0
diff --git a/bin/tests/system/doth/setup.sh b/bin/tests/system/doth/setup.sh
index c50c31f..775dd33 100644
--- a/bin/tests/system/doth/setup.sh
+++ b/bin/tests/system/doth/setup.sh
@@ -15,18 +15,19 @@
 
 $SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 2 >ns1/example.db
 
-echo '; huge answer' >> ns1/example.db
+echo '; huge answer' >>ns1/example.db
 x=1
 while [ $x -le 50 ]; do
-    y=1
-    while [ $y -le 50 ]; do
-        printf 'biganswer\t\tA\t\t10.10.%d.%d\n' $x $y >> ns1/example.db
-        y=$((y+1))
-    done
-    x=$((x+1))
+  y=1
+  while [ $y -le 50 ]; do
+    printf 'biganswer\t\tA\t\t10.10.%d.%d\n' $x $y >>ns1/example.db
+    y=$((y + 1))
+  done
+  x=$((x + 1))
 done
 
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
diff --git a/bin/tests/system/doth/stress_http_quota.py b/bin/tests/system/doth/stress_http_quota.py
index 12e29c8..05ad043 100755
--- a/bin/tests/system/doth/stress_http_quota.py
+++ b/bin/tests/system/doth/stress_http_quota.py
@@ -161,12 +161,12 @@ class SubDIG:
 # and examining their statuses in one logical operation.
 class MultiDIG:
     def __init__(self, numdigs, http_secure=None, extra_args=None):
-        assert int(numdigs) > 0
+        assert int(numdigs) > 0, f"numdigs={numdigs}"
         digs = []
         for _ in range(1, int(numdigs) + 1):
             digs.append(SubDIG(http_secure=http_secure, extra_args=extra_args))
         self.digs = digs
-        assert len(self.digs) == int(numdigs)
+        assert len(self.digs) == int(numdigs), f"len={len(self.digs)} numdigs={numdigs}"
 
     def run(self):
         for p in self.digs:
diff --git a/bin/tests/system/doth/tests.sh b/bin/tests/system/doth/tests.sh
index a95bd8c..aad2352 100644
--- a/bin/tests/system/doth/tests.sh
+++ b/bin/tests/system/doth/tests.sh
@@ -23,9 +23,9 @@ msg_peer_verification_failed=";; TLS peer certificate verification"
 ca_file="./CA/CA.pem"
 
 if [ -x "$PYTHON" ]; then
-	OPENSSL_VERSION=$("$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/get_openssl_version.py")
-	OPENSSL_VERSION_MAJOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 1)
-	OPENSSL_VERSION_MINOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 2)
+  OPENSSL_VERSION=$("$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/get_openssl_version.py")
+  OPENSSL_VERSION_MAJOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 1)
+  OPENSSL_VERSION_MINOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 2)
 fi
 
 # According to the RFC 8310, Section 8.1, Subject field MUST
@@ -44,91 +44,91 @@ fi
 # ignore the tests checking the correct handling of absence of
 # SubjectAltName.
 if [ -n "$OPENSSL_VERSION" ]; then
-	if [ $OPENSSL_VERSION_MAJOR -gt 1 ]; then
-		run_san_tests=1
-	elif  [ $OPENSSL_VERSION_MAJOR -eq 1 ] && [ $OPENSSL_VERSION_MINOR -ge 1 ]; then
-		run_san_tests=1
-	fi
+  if [ $OPENSSL_VERSION_MAJOR -gt 1 ]; then
+    run_san_tests=1
+  elif [ $OPENSSL_VERSION_MAJOR -eq 1 ] && [ $OPENSSL_VERSION_MINOR -ge 1 ]; then
+    run_san_tests=1
+  fi
 fi
 
 dig_with_tls_opts() {
-	# shellcheck disable=SC2086
-	"$DIG" +tls $common_dig_options -p "${TLSPORT}" "$@"
+  # shellcheck disable=SC2086
+  "$DIG" +tls $common_dig_options -p "${TLSPORT}" "$@"
 }
 
 dig_with_https_opts() {
-	# shellcheck disable=SC2086
-	"$DIG" +https $common_dig_options -p "${HTTPSPORT}" "$@"
+  # shellcheck disable=SC2086
+  "$DIG" +https $common_dig_options -p "${HTTPSPORT}" "$@"
 }
 
 dig_with_http_opts() {
-	# shellcheck disable=SC2086
-	"$DIG" +http-plain $common_dig_options -p "${HTTPPORT}" "$@"
+  # shellcheck disable=SC2086
+  "$DIG" +http-plain $common_dig_options -p "${HTTPPORT}" "$@"
 }
 
 dig_with_opts() {
-	# shellcheck disable=SC2086
-	"$DIG" $common_dig_options -p "${PORT}" "$@"
+  # shellcheck disable=SC2086
+  "$DIG" $common_dig_options -p "${PORT}" "$@"
 }
 
 wait_for_tls_xfer() (
-	srv_number="$1"
-	shift
-	zone_name="$1"
-	shift
-	# Let's bind to .10 to make it possible to easily distinguish dig from NSs in packet traces
-	dig_with_tls_opts -b 10.53.0.10 "@10.53.0.$srv_number" "${zone_name}." AXFR > "dig.out.ns$srv_number.${zone_name}.test$n" || return 1
-	grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" > /dev/null && return 1
-	return 0
+  srv_number="$1"
+  shift
+  zone_name="$1"
+  shift
+  # Let's bind to .10 to make it possible to easily distinguish dig from NSs in packet traces
+  dig_with_tls_opts -b 10.53.0.10 "@10.53.0.$srv_number" "${zone_name}." AXFR >"dig.out.ns$srv_number.${zone_name}.test$n" || return 1
+  grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" >/dev/null && return 1
+  return 0
 )
 
 status=0
 n=0
 
-n=$((n+1))
+n=$((n + 1))
 echo_i "testing XoT server functionality (using dig) ($n)"
 ret=0
-dig_with_tls_opts example. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
+dig_with_tls_opts example. -b 10.53.0.10 @10.53.0.1 axfr >dig.out.ns1.test$n || ret=1
 grep "^;" dig.out.ns1.test$n | cat_i
 digcomp example.axfr.good dig.out.ns1.test$n || ret=1
-if test $ret != 0 ; then echo_i "failed"; fi
-status=$((status+ret))
+if test $ret != 0; then echo_i "failed"; fi
+status=$((status + ret))
 
-n=$((n+1))
+n=$((n + 1))
 echo_i "testing incoming XoT functionality (from the first secondary) ($n)"
 ret=0
 if retry_quiet 10 wait_for_tls_xfer 2 example; then
-	digcomp example.axfr.good "dig.out.ns2.example.test$n" || ret=1
+  digcomp example.axfr.good "dig.out.ns2.example.test$n" || ret=1
 else
-	echo_i "timed out waiting for zone transfer"
-	grep "^;" "dig.out.ns2.example.test$n" | cat_i
-	ret=1
+  echo_i "timed out waiting for zone transfer"
+  grep "^;" "dig.out.ns2.example.test$n" | cat_i
+  ret=1
 fi
-if test $ret != 0 ; then echo_i "failed"; fi
-status=$((status+ret))
+if test $ret != 0; then echo_i "failed"; fi
+status=$((status + ret))
 
 if [ -n "$run_san_tests" ]; then
-	n=$((n + 1))
-	echo_i "testing incoming XoT functionality (from the first secondary, no SubjectAltName, failure expected) ($n)"
-	ret=0
-	if retry_quiet 10 wait_for_tls_xfer 2 example3; then
-		ret=1
-	else
-		echo_i "timed out waiting for zone transfer"
-	fi
-	if [ $ret != 0 ]; then echo_i "failed"; fi
-	status=$((status + ret))
+  n=$((n + 1))
+  echo_i "testing incoming XoT functionality (from the first secondary, no SubjectAltName, failure expected) ($n)"
+  ret=0
+  if retry_quiet 10 wait_for_tls_xfer 2 example3; then
+    ret=1
+  else
+    echo_i "timed out waiting for zone transfer"
+  fi
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=$((status + ret))
 fi
 
 n=$((n + 1))
 echo_i "testing incoming XoT functionality (from the first secondary, StrictTLS via implicit IP) ($n)"
 ret=0
 if retry_quiet 10 wait_for_tls_xfer 2 example4; then
-	retry_quiet 5 test -f "ns2/example4.db" || ret=1
+  retry_quiet 5 test -f "ns2/example4.db" || ret=1
 else
-	echo_i "timed out waiting for zone transfer"
-	grep "^;" "dig.out.ns2.example4.test$n" | cat_i
-	ret=1
+  echo_i "timed out waiting for zone transfer"
+  grep "^;" "dig.out.ns2.example4.test$n" | cat_i
+  ret=1
 fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -137,11 +137,11 @@ n=$((n + 1))
 echo_i "testing incoming XoT functionality (from the first secondary, StrictTLS via specified IPv4) ($n)"
 ret=0
 if retry_quiet 10 wait_for_tls_xfer 2 example5; then
-	retry_quiet 5 test -f "ns2/example5.db" || ret=1
+  retry_quiet 5 test -f "ns2/example5.db" || ret=1
 else
-	echo_i "timed out waiting for zone transfer"
-	grep "^;" "dig.out.ns2.example5.test$n" | cat_i
-	ret=1
+  echo_i "timed out waiting for zone transfer"
+  grep "^;" "dig.out.ns2.example5.test$n" | cat_i
+  ret=1
 fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -150,11 +150,11 @@ n=$((n + 1))
 echo_i "testing incoming XoT functionality (from the first secondary, StrictTLS via specified IPv6) ($n)"
 ret=0
 if retry_quiet 10 wait_for_tls_xfer 2 example6; then
-	retry_quiet 5 test -f "ns2/example6.db" || ret=1
+  retry_quiet 5 test -f "ns2/example6.db" || ret=1
 else
-	echo_i "timed out waiting for zone transfer"
-	grep "^;" "dig.out.ns2.example6.test$n" | cat_i
-	ret=1
+  echo_i "timed out waiting for zone transfer"
+  grep "^;" "dig.out.ns2.example6.test$n" | cat_i
+  ret=1
 fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -163,9 +163,9 @@ n=$((n + 1))
 echo_i "testing incoming XoT functionality (from the first secondary, wrong hostname, failure expected) ($n)"
 ret=0
 if retry_quiet 10 wait_for_tls_xfer 2 example7; then
-	ret=1
+  ret=1
 else
-	echo_i "timed out waiting for zone transfer"
+  echo_i "timed out waiting for zone transfer"
 fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -174,9 +174,9 @@ n=$((n + 1))
 echo_i "testing incoming XoT functionality (from the first secondary, expired certificate, failure expected) ($n)"
 ret=0
 if retry_quiet 10 wait_for_tls_xfer 2 example8; then
-	ret=1
+  ret=1
 else
-	echo_i "timed out waiting for zone transfer"
+  echo_i "timed out waiting for zone transfer"
 fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -185,11 +185,11 @@ n=$((n + 1))
 echo_i "testing incoming XoT functionality (from the first secondary, MutualTLS) ($n)"
 ret=0
 if retry_quiet 10 wait_for_tls_xfer 2 example9; then
-	retry_quiet 5 test -f "ns2/example9.db" || ret=1
+  retry_quiet 5 test -f "ns2/example9.db" || ret=1
 else
-	echo_i "timed out waiting for zone transfer"
-	grep "^;" "dig.out.ns2.example9.test$n" | cat_i
-	ret=1
+  echo_i "timed out waiting for zone transfer"
+  grep "^;" "dig.out.ns2.example9.test$n" | cat_i
+  ret=1
 fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -198,9 +198,9 @@ n=$((n + 1))
 echo_i "testing incoming XoT functionality (from the first secondary, MutualTLS, no client cert, failure expected) ($n)"
 ret=0
 if retry_quiet 10 wait_for_tls_xfer 2 example10; then
-	ret=1
+  ret=1
 else
-	echo_i "timed out waiting for zone transfer"
+  echo_i "timed out waiting for zone transfer"
 fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -209,96 +209,96 @@ n=$((n + 1))
 echo_i "testing incoming XoT functionality (from the first secondary, MutualTLS, expired client cert, failure expected) ($n)"
 ret=0
 if retry_quiet 10 wait_for_tls_xfer 2 example11; then
-	ret=1
+  ret=1
 else
-	echo_i "timed out waiting for zone transfer"
+  echo_i "timed out waiting for zone transfer"
 fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-n=$((n+1))
+n=$((n + 1))
 echo_i "testing incoming XoT functionality (from the second secondary) ($n)"
 ret=0
 if retry_quiet 10 wait_for_tls_xfer 3 example; then
-	digcomp example.axfr.good "dig.out.ns3.example.test$n" || ret=1
+  digcomp example.axfr.good "dig.out.ns3.example.test$n" || ret=1
 else
-	echo_i "timed out waiting for zone transfer"
-	grep "^;" "dig.out.ns3.example.test$n" | cat_i
-	ret=1
+  echo_i "timed out waiting for zone transfer"
+  grep "^;" "dig.out.ns3.example.test$n" | cat_i
+  ret=1
 fi
-if test $ret != 0 ; then echo_i "failed"; fi
-status=$((status+ret))
+if test $ret != 0; then echo_i "failed"; fi
+status=$((status + ret))
 
-n=$((n+1))
+n=$((n + 1))
 echo_i "testing incoming XoT functionality (from the second secondary, mismatching ciphers, failure expected) ($n)"
 ret=0
 if retry_quiet 10 wait_for_tls_xfer 3 example2; then
-	ret=1
+  ret=1
 else
-	echo_i "timed out waiting for zone transfer"
+  echo_i "timed out waiting for zone transfer"
 fi
-if test $ret != 0 ; then echo_i "failed"; fi
-status=$((status+ret))
+if test $ret != 0; then echo_i "failed"; fi
+status=$((status + ret))
 
-n=$((n+1))
+n=$((n + 1))
 echo_i "testing incoming XoT functionality (from the third secondary) ($n)"
 ret=0
 if retry_quiet 10 wait_for_tls_xfer 4 example; then
-	digcomp example.axfr.good "dig.out.ns4.example.test$n" || ret=1
+  digcomp example.axfr.good "dig.out.ns4.example.test$n" || ret=1
 else
-	echo_i "timed out waiting for zone transfer"
-	grep "^;" "dig.out.ns4.example.test$n" | cat_i
-	ret=1
+  echo_i "timed out waiting for zone transfer"
+  grep "^;" "dig.out.ns4.example.test$n" | cat_i
+  ret=1
 fi
-if test $ret != 0 ; then echo_i "failed"; fi
-status=$((status+ret))
+if test $ret != 0; then echo_i "failed"; fi
+status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoT query (ephemeral key) ($n)"
 ret=0
-dig_with_tls_opts @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoT query via IPv6 (ephemeral key) ($n)"
 ret=0
-dig_with_tls_opts -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts -6 @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoT query (static key) ($n)"
 ret=0
-dig_with_tls_opts @10.53.0.2 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts @10.53.0.2 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoT query via IPv6 (static key) ($n)"
 ret=0
-dig_with_tls_opts -6 @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts -6 @fd92:7065:b8e:ffff::2 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoT XFR ($n)"
 ret=0
-dig_with_tls_opts +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 # zone transfers are allowed only via TLS
-n=$((n+1))
+n=$((n + 1))
 echo_i "testing zone transfer over Do53 server functionality (using dig, failure expected) ($n)"
 ret=0
-dig_with_opts example. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
-grep "; Transfer failed." dig.out.ns1.test$n > /dev/null || ret=1
+dig_with_opts example. -b 10.53.0.10 @10.53.0.1 axfr >dig.out.ns1.test$n || ret=1
+grep "; Transfer failed." dig.out.ns1.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -306,8 +306,8 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking Do53 query ($n)"
 ret=0
-dig_with_opts @10.53.0.1 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_opts @10.53.0.1 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -321,8 +321,8 @@ n=$((n + 1))
 echo_i "checking DoT XFR with wrong ALPN token (h2, failure expected) ($n)"
 ret=0
 # shellcheck disable=SC2086
-"$DIG" +tls $common_dig_options -p "${HTTPSPORT}" +comm @10.53.0.1 . AXFR > dig.out.test$n
-grep "$msg_xfrs_not_allowed" dig.out.test$n > /dev/null || ret=1
+"$DIG" +tls $common_dig_options -p "${HTTPSPORT}" +comm @10.53.0.1 . AXFR >dig.out.test$n
+grep "$msg_xfrs_not_allowed" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -332,279 +332,279 @@ n=$((n + 1))
 echo_i "checking DoH query when ALPN is expected to fail (dot, failure expected) ($n)"
 ret=0
 # shellcheck disable=SC2086
-"$DIG" +https $common_dig_options -p "${TLSPORT}" "$@" @10.53.0.1 . SOA > dig.out.test$n && ret=1
-grep "ALPN for HTTP/2 failed." dig.out.test$n > /dev/null || ret=1
+"$DIG" +https $common_dig_options -p "${TLSPORT}" "$@" @10.53.0.1 . SOA >dig.out.test$n && ret=1
+grep "ALPN for HTTP/2 failed." dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query (POST) ($n)"
 ret=0
-dig_with_https_opts +stat @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep -F "(HTTPS)" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +stat @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep -F "(HTTPS)" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query via IPv6 (POST) ($n)"
 ret=0
-dig_with_https_opts +stat -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep -F "(HTTPS)" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +stat -6 @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep -F "(HTTPS)" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query (POST, static key) ($n)"
 ret=0
-dig_with_https_opts @10.53.0.2 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts @10.53.0.2 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query via IPv6 (POST, static key) ($n)"
 ret=0
-dig_with_https_opts -6 @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 @fd92:7065:b8e:ffff::2 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query (POST, nonstandard endpoint) ($n)"
 ret=0
-dig_with_https_opts +https=/alter @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +https=/alter @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query via IPv6 (POST, nonstandard endpoint) ($n)"
 ret=0
-dig_with_https_opts -6 +https=/alter @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 +https=/alter @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query (POST, undefined endpoint, failure expected) ($n)"
 ret=0
-dig_with_https_opts +tries=1 +time=1 +https=/fake @10.53.0.1 . SOA > dig.out.test$n && ret=1
-grep "communications error" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +tries=1 +time=1 +https=/fake @10.53.0.1 . SOA >dig.out.test$n && ret=1
+grep "communications error" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query via IPv6 (POST, undefined endpoint, failure expected) ($n)"
 ret=0
-dig_with_https_opts -6 +tries=1 +time=1 +https=/fake @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n && ret=1
-grep "communications error" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 +tries=1 +time=1 +https=/fake @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n && ret=1
+grep "communications error" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH XFR (POST) (failure expected) ($n)"
 ret=0
-dig_with_https_opts +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1
-grep "; Transfer failed." dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1
+grep "; Transfer failed." dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query (GET) ($n)"
 ret=0
-dig_with_https_opts +stat +https-get @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep -F "(HTTPS-GET)" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +stat +https-get @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep -F "(HTTPS-GET)" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query via IPv6 (GET) ($n)"
 ret=0
-dig_with_https_opts -6 +stat +https-get @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep -F "(HTTPS-GET)" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 +stat +https-get @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep -F "(HTTPS-GET)" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query (GET, static key) ($n)"
 ret=0
-dig_with_https_opts +https-get @10.53.0.2 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +https-get @10.53.0.2 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query via IPv6 (GET, static key) ($n)"
 ret=0
-dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::2 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query (GET, nonstandard endpoint) ($n)"
 ret=0
-dig_with_https_opts +https-get=/alter @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +https-get=/alter @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query via IPv6 (GET, nonstandard endpoint) ($n)"
 ret=0
-dig_with_https_opts -6 +https-get=/alter @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 +https-get=/alter @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query (GET, undefined endpoint, failure expected) ($n)"
 ret=0
-dig_with_https_opts +tries=1 +time=1 +https-get=/fake @10.53.0.1 . SOA > dig.out.test$n && ret=1
-grep "communications error" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +tries=1 +time=1 +https-get=/fake @10.53.0.1 . SOA >dig.out.test$n && ret=1
+grep "communications error" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query via IPv6 (GET, undefined endpoint, failure expected) ($n)"
 ret=0
-dig_with_https_opts -6 +tries=1 +time=1 +https-get=/fake @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n && ret=1
-grep "communications error" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 +tries=1 +time=1 +https-get=/fake @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n && ret=1
+grep "communications error" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH XFR (GET) (failure expected) ($n)"
 ret=0
-dig_with_https_opts +https-get +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1
-grep "; Transfer failed." dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +https-get +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1
+grep "; Transfer failed." dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking unencrypted DoH query (POST) ($n)"
 ret=0
-dig_with_http_opts +stat @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep -F "(HTTP)" dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts +stat @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep -F "(HTTP)" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking unencrypted DoH query via IPv6 (POST) ($n)"
 ret=0
-dig_with_http_opts -6 +stat @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep -F "(HTTP)" dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts -6 +stat @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep -F "(HTTP)" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking unencrypted DoH query (GET) ($n)"
 ret=0
-dig_with_http_opts +stat +http-plain-get @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep -F "(HTTP-GET)" dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts +stat +http-plain-get @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep -F "(HTTP-GET)" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking unencrypted DoH query via IPv6 (GET) ($n)"
 ret=0
-dig_with_http_opts -6 +stat +http-plain-get @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep -F "(HTTP-GET)" dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts -6 +stat +http-plain-get @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep -F "(HTTP-GET)" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking unencrypted DoH XFR (failure expected) ($n)"
 ret=0
-dig_with_http_opts +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1
-grep "; Transfer failed." dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1
+grep "; Transfer failed." dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query for a large answer (POST) ($n)"
 ret=0
-dig_with_https_opts @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts @10.53.0.1 biganswer.example A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query via IPv6 for a large answer (POST) ($n)"
 ret=0
-dig_with_https_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query for a large answer (GET) ($n)"
 ret=0
-dig_with_https_opts +https-get @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +https-get @10.53.0.1 biganswer.example A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query via IPv6 for a large answer (GET) ($n)"
 ret=0
-dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::1 biganswer.example A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking unencrypted DoH query for a large answer (POST) ($n)"
 ret=0
-dig_with_http_opts @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts @10.53.0.1 biganswer.example A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking unencrypted DoH query via IPv6 for a large answer (POST) ($n)"
 ret=0
-dig_with_http_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking unencrypted DoH query for a large answer (GET) ($n)"
 ret=0
-dig_with_http_opts +http-plain-get @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts +http-plain-get @10.53.0.1 biganswer.example A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking unencrypted DoH query via IPv6 for a large answer (GET) ($n)"
 ret=0
-dig_with_http_opts -6 +http-plain-get @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts -6 +http-plain-get @fd92:7065:b8e:ffff::1 biganswer.example A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-wait_for_tlsctx_update_ns4 () {
-	grep "updating TLS context on 10.53.0.4#${HTTPSPORT}" ns4/named.run > /dev/null || return 1
-	grep "updating TLS context on 10.53.0.4#${TLSPORT}" ns4/named.run > /dev/null || return 1
-	return 0
+wait_for_tlsctx_update_ns4() {
+  grep "updating TLS context on 10.53.0.4#${HTTPSPORT}" ns4/named.run >/dev/null || return 1
+  grep "updating TLS context on 10.53.0.4#${TLSPORT}" ns4/named.run >/dev/null || return 1
+  return 0
 }
 
 n=$((n + 1))
@@ -618,16 +618,16 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking DoT query after a reconfiguration ($n)"
 ret=0
-dig_with_tls_opts @10.53.0.4 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts @10.53.0.4 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query (POST) after a reconfiguration ($n)"
 ret=0
-dig_with_https_opts @10.53.0.4 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts @10.53.0.4 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -635,7 +635,7 @@ n=$((n + 1))
 echo_i "doing rndc reconfig to see if HTTP endpoints have gotten reconfigured ($n)"
 ret=0
 # 'sed -i ...' is not portable. Sigh...
-sed 's/\/dns-query/\/dns-query-test/g' "ns4/named.conf" >  "ns4/named.conf.sed"
+sed 's/\/dns-query/\/dns-query-test/g' "ns4/named.conf" >"ns4/named.conf.sed"
 mv -f "ns4/named.conf.sed" "ns4/named.conf"
 rndc_reconfig ns4 10.53.0.4 60
 retry_quiet 15 wait_for_tlsctx_update_ns4 || ret=1
@@ -645,40 +645,40 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking DoH query (POST) to verify HTTP endpoint reconfiguration ($n)"
 ret=0
-dig_with_https_opts +https='/dns-query-test' @10.53.0.4 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +https='/dns-query-test' @10.53.0.4 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoT query (with TLS verification enabled) ($n)"
 ret=0
-dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query (with TLS verification enabled, self-signed cert, failure expected) ($n)"
 ret=0
-dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoT query (with TLS verification using the system's CA store, failure expected) ($n)"
 ret=0
-dig_with_tls_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query (with TLS verification using the system's CA store, failure expected) ($n)"
 ret=0
-dig_with_https_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -687,30 +687,30 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking DoT query (with TLS verification, hostname is not specified, IP address is used instead) ($n)"
 ret=0
-dig_with_tls_opts +tls-ca="$ca_file" @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null && ret=1
+dig_with_tls_opts +tls-ca="$ca_file" @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 if [ -n "$run_san_tests" ]; then
-	# SubjectAltName is required for DoT as according to RFC 8310, Subject
-	# field MUST NOT be inspected when verifying hostname for DoT.
-	n=$((n + 1))
-	echo_i "checking DoT query (with TLS verification enabled when SubjectAltName is not set, failure expected) ($n)"
-	ret=0
-	dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1
-	grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1
-	if [ $ret != 0 ]; then echo_i "failed"; fi
-	status=$((status + ret))
-
-	n=$((n + 1))
-	echo_i "checking DoT XFR over a TLS port where SubjectAltName is not set (failure expected) ($n)"
-	ret=0
-	# shellcheck disable=SC2086
-	dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT2}" +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1
-	grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1
-	if [ $ret != 0 ]; then echo_i "failed"; fi
-	status=$((status + ret))
+  # SubjectAltName is required for DoT as according to RFC 8310, Subject
+  # field MUST NOT be inspected when verifying hostname for DoT.
+  n=$((n + 1))
+  echo_i "checking DoT query (with TLS verification enabled when SubjectAltName is not set, failure expected) ($n)"
+  ret=0
+  dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" @10.53.0.1 . SOA >dig.out.test$n || ret=1
+  grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=$((status + ret))
+
+  n=$((n + 1))
+  echo_i "checking DoT XFR over a TLS port where SubjectAltName is not set (failure expected) ($n)"
+  ret=0
+  # shellcheck disable=SC2086
+  dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT2}" +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1
+  grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=$((status + ret))
 fi
 
 # SubjectAltName is not required for HTTPS. Having a properly set
@@ -718,48 +718,48 @@ fi
 n=$((n + 1))
 echo_i "checking DoH query (when SubjectAltName is not set) ($n)"
 ret=0
-dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT3}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT3}" +comm @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoT query (expired certificate, Opportunistic TLS) ($n)"
 ret=0
-dig_with_tls_opts +tls -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts +tls -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoT query (expired certificate, Strict TLS, failure expected) ($n)"
 ret=0
-dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-n=$((n+1))
+n=$((n + 1))
 echo_i "testing XoT server functionality (using dig, client certificate required, failure expected) ($n)"
 ret=0
-dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT5}" example8. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
-grep "; Transfer failed." dig.out.ns1.test$n > /dev/null || ret=1
-if test $ret != 0 ; then echo_i "failed"; fi
+dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT5}" example8. -b 10.53.0.10 @10.53.0.1 axfr >dig.out.ns1.test$n || ret=1
+grep "; Transfer failed." dig.out.ns1.test$n >/dev/null || ret=1
+if test $ret != 0; then echo_i "failed"; fi
 status=$((status + ret))
 
-n=$((n+1))
+n=$((n + 1))
 echo_i "testing XoT server functionality (using dig, client certificate used) ($n)"
 ret=0
-dig_with_tls_opts +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT5}" example8. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
-digcomp dig.out.ns1.test$n example8.axfr.good > /dev/null || ret=1
-if test $ret != 0 ; then echo_i "failed"; fi
+dig_with_tls_opts +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT5}" example8. -b 10.53.0.10 @10.53.0.1 axfr >dig.out.ns1.test$n || ret=1
+digcomp dig.out.ns1.test$n example8.axfr.good >/dev/null || ret=1
+if test $ret != 0; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query (client certificate required, failure expected) ($n)"
 ret=0
-dig_with_https_opts +tls-ca="$ca_file" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA > dig.out.test$n && ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
+dig_with_https_opts +tls-ca="$ca_file" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA >dig.out.test$n && ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -767,8 +767,8 @@ n=$((n + 1))
 echo_i "checking DoH query (client certificate used) ($n)"
 ret=0
 # shellcheck disable=SC2086
-dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -777,64 +777,63 @@ n=$((n + 1))
 echo_i "checking DoH query (client certificate used - session resumption when using Mutual TLS) ($n)"
 ret=0
 # shellcheck disable=SC2086
-dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA . SOA > dig.out.test$n || ret=1
-grep "TLS error" dig.out.test$n > /dev/null && ret=1
+dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA . SOA >dig.out.test$n || ret=1
+grep "TLS error" dig.out.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 test_opcodes() {
-	EXPECT_STATUS="$1"
-	shift
-	for op in "$@";
-	do
-		n=$((n + 1))
-		echo_i "checking unexpected opcode query over DoH for opcode $op ($n)"
-		ret=0
-		dig_with_https_opts +https @10.53.0.1 +opcode="$op" > dig.out.test$n || ret=1
-		grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
-		if [ $ret != 0 ]; then echo_i "failed"; fi
-		status=$((status + ret))
-
-		n=$((n + 1))
-		echo_i "checking unexpected opcode query over DoH via IPv6 for opcode $op ($n)"
-		ret=0
-		dig_with_https_opts -6 +https @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n || ret=1
-		grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
-		if [ $ret != 0 ]; then echo_i "failed"; fi
-		status=$((status + ret))
-
-		n=$((n + 1))
-		echo_i "checking unexpected opcode query over DoH without encryption for opcode $op ($n)"
-		ret=0
-		dig_with_http_opts +http-plain @10.53.0.1 +opcode="$op" > dig.out.test$n || ret=1
-		grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
-		if [ $ret != 0 ]; then echo_i "failed"; fi
-		status=$((status + ret))
-
-		n=$((n + 1))
-		echo_i "checking unexpected opcode query over DoH via IPv6 without encryption for opcode $op ($n)"
-		ret=0
-		dig_with_http_opts -6 +http-plain @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n || ret=1
-		grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
-		if [ $ret != 0 ]; then echo_i "failed"; fi
-		status=$((status + ret))
-
-		n=$((n + 1))
-		echo_i "checking unexpected opcode query over DoT for opcode $op ($n)"
-		ret=0
-		dig_with_tls_opts +tls @10.53.0.1 +opcode="$op" > dig.out.test$n || ret=1
-		grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
-		if [ $ret != 0 ]; then echo_i "failed"; fi
-		status=$((status + ret))
-
-		n=$((n + 1))
-		echo_i "checking unexpected opcode query over DoT via IPv6 for opcode $op ($n)"
-		ret=0
-		dig_with_tls_opts -6 +tls @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n || ret=1
-		grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
-		if [ $ret != 0 ]; then echo_i "failed"; fi
-		status=$((status + ret))
-	done
+  EXPECT_STATUS="$1"
+  shift
+  for op in "$@"; do
+    n=$((n + 1))
+    echo_i "checking unexpected opcode query over DoH for opcode $op ($n)"
+    ret=0
+    dig_with_https_opts +https @10.53.0.1 +opcode="$op" >dig.out.test$n || ret=1
+    grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+
+    n=$((n + 1))
+    echo_i "checking unexpected opcode query over DoH via IPv6 for opcode $op ($n)"
+    ret=0
+    dig_with_https_opts -6 +https @fd92:7065:b8e:ffff::1 +opcode="$op" >dig.out.test$n || ret=1
+    grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+
+    n=$((n + 1))
+    echo_i "checking unexpected opcode query over DoH without encryption for opcode $op ($n)"
+    ret=0
+    dig_with_http_opts +http-plain @10.53.0.1 +opcode="$op" >dig.out.test$n || ret=1
+    grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+
+    n=$((n + 1))
+    echo_i "checking unexpected opcode query over DoH via IPv6 without encryption for opcode $op ($n)"
+    ret=0
+    dig_with_http_opts -6 +http-plain @fd92:7065:b8e:ffff::1 +opcode="$op" >dig.out.test$n || ret=1
+    grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+
+    n=$((n + 1))
+    echo_i "checking unexpected opcode query over DoT for opcode $op ($n)"
+    ret=0
+    dig_with_tls_opts +tls @10.53.0.1 +opcode="$op" >dig.out.test$n || ret=1
+    grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+
+    n=$((n + 1))
+    echo_i "checking unexpected opcode query over DoT via IPv6 for opcode $op ($n)"
+    ret=0
+    dig_with_tls_opts -6 +tls @fd92:7065:b8e:ffff::1 +opcode="$op" >dig.out.test$n || ret=1
+    grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+  done
 }
 
 test_opcodes NOERROR 0
@@ -845,45 +844,77 @@ n=$((n + 1))
 echo_i "checking server quotas for both encrypted and unencrypted HTTP ($n)"
 ret=0
 if [ -x "$PYTHON" ]; then
-	BINDHOST="10.53.0.1" "$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/stress_http_quota.py" || ret=$?
+  BINDHOST="10.53.0.1" "$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/stress_http_quota.py" || ret=$?
 else
-	echo_i "Python is not available. Skipping the test..."
+  echo_i "Python is not available. Skipping the test..."
 fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 # check whether we can use curl for sending test queries.
-if [ -x "${CURL}" ] ; then
-	CURL_HTTP2="$(${CURL} --version | grep -E '^Features:.* HTTP2( |$)' || true)"
-
-	if [ -n "$CURL_HTTP2" ]; then
-		testcurl=1
-	else
-		echo_i "The available version of CURL does not have HTTP/2 support"
-	fi
+if [ -x "${CURL}" ]; then
+  CURL_HTTP2="$(${CURL} --version | grep -E '^Features:.* HTTP2( |$)' || true)"
+
+  if [ -n "$CURL_HTTP2" ]; then
+    testcurl=1
+  else
+    echo_i "The available version of CURL does not have HTTP/2 support"
+  fi
 fi
 
 # Note: see README.curl for information on how to generate curl
 # queries.
 if [ -n "$testcurl" ]; then
-	n=$((n + 1))
-	echo_i "checking max-age for positive answer ($n)"
-	ret=0
-	# use curl to query for 'example/SOA'
-	$CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAAB2V4YW1wbGUAAAYAAQ" > /dev/null 2>&1 || ret=1
-	grep "cache-control: max-age=86400" headers.$n > /dev/null || ret=1
-	if [ $ret != 0 ]; then echo_i "failed"; fi
-	status=$((status + ret))
-
-	n=$((n + 1))
-	echo_i "checking max-age for negative answer ($n)"
-	ret=0
-	# use curl to query for 'fake.example/TXT'
-	$CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAABGZha2UHZXhhbXBsZQAAEAAB" > /dev/null 2>&1 || ret=1
-	grep "cache-control: max-age=3600" headers.$n > /dev/null || ret=1
-	if [ $ret != 0 ]; then echo_i "failed"; fi
-	status=$((status + ret))
+  n=$((n + 1))
+  echo_i "checking max-age for positive answer ($n)"
+  ret=0
+  # use curl to query for 'example/SOA'
+  $CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAAB2V4YW1wbGUAAAYAAQ" >/dev/null 2>&1 || ret=1
+  grep "cache-control: max-age=86400" headers.$n >/dev/null || ret=1
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=$((status + ret))
+
+  n=$((n + 1))
+  echo_i "checking max-age for negative answer ($n)"
+  ret=0
+  # use curl to query for 'fake.example/TXT'
+  $CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAABGZha2UHZXhhbXBsZQAAEAAB" >/dev/null 2>&1 || ret=1
+  grep "cache-control: max-age=3600" headers.$n >/dev/null || ret=1
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=$((status + ret))
 fi
 
+n=$((n + 1))
+echo_i "checking Do53 query to NS5 for zone \"example12\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)"
+ret=0
+dig_with_opts +comm @10.53.0.5 example12 SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking Do53 query to NS5 for zone \"example13\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)"
+ret=0
+dig_with_opts +comm @10.53.0.5 example13 SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking Do53 query to NS5 for zone \"example14\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)"
+ret=0
+dig_with_opts +comm @10.53.0.5 example14 SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking Do53 query to NS5 for zone \"example15\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)"
+ret=0
+dig_with_opts +comm @10.53.0.5 example15 SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1