inline: use $DEFAULT_ALGORITHM

diff --git a/bin/tests/system/inline/ns1/sign.sh b/bin/tests/system/inline/ns1/sign.sh
index 8114d770c2ace954972f25924a6732cb8bfb4ab5..c231713a0238b96322bdff5d1200a9946ffc38c3 100644 (file)
--- a/bin/tests/system/inline/ns1/sign.sh
+++ b/bin/tests/system/inline/ns1/sign.sh
@@ -16,8 +16,8 @@
 zone=.
 rm -f K.+*+*.key
 rm -f K.+*+*.private
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 $SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out
 [ $? = 0 ] || cat signer.out
 

diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh
index 76241800011e97964c54af52ae1bcb25801c1461..a4c9e14221058913068cc51e678c59d4f6d56355 100755 (executable)
--- a/bin/tests/system/inline/ns3/sign.sh
+++ b/bin/tests/system/inline/ns3/sign.sh
@@ -21,36 +21,36 @@ mv ${unsupportedkey}.tmp ${unsupportedkey}.key
 zone=bits
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=noixfr
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=primary
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=dynamic
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=updated
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 $SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null
 cp primary2.db.in updated.db
@@ -59,92 +59,92 @@ cp primary2.db.in updated.db
 zone=expired
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 $SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null
 
 zone=retransfer
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=nsec3
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=retransfer3
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=inactiveksk
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -P now -A now+3600 -f KSK $zone`
-keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone -f KSK $zone`
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 -f KSK $zone)
+keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=inactivezsk
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -P now -A now+3600 $zone`
-keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
-keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone -f KSK $zone`
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=delayedkeys
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 # Keys for the "delayedkeys" zone should not be initially accessible.
 mv K${zone}.+*+*.* ../
 
 zone=removedkeys-primary
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 
 zone=removedkeys-secondary
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 
 for s in a c d h k l m q z
 do
        zone=test-$s
-       keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
+       keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
 done
 
 for s in b f i o p t v
 do
        zone=test-$s
-       keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
-       keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+       keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+       keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 done
 
 zone=externalkey
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
 
-for alg in ECDSAP256SHA256 NSEC3RSASHA1
+for alg in ${DEFAULT_ALGORITHM} ${ALTERNATIVE_ALGORITHM}
 do
-    k1=`$KEYGEN -q -a $alg -b 1024 -n zone -f KSK $zone`
-    k2=`$KEYGEN -q -a $alg -b 1024 -n zone $zone`
-    k3=`$KEYGEN -q -a $alg -b 1024 -n zone $zone`
-    k4=`$KEYGEN -q -a $alg -b 1024 -n zone -f KSK $zone`
+    k1=$($KEYGEN -q -a $alg -n zone -f KSK $zone)
+    k2=$($KEYGEN -q -a $alg -n zone $zone)
+    k3=$($KEYGEN -q -a $alg -n zone $zone)
+    k4=$($KEYGEN -q -a $alg -n zone -f KSK $zone)
     $DSFROMKEY -T 1200 $k4 >> ../ns1/root.db
 
     # Convert k1 and k2 in to External Keys.

diff --git a/bin/tests/system/inline/ns7/sign.sh b/bin/tests/system/inline/ns7/sign.sh
index 66965cc77af7dd9efef29c6e11f501dca87218c2..8ab8288bca35589c4e1bbc25aa93bf082d2e1bd4 100755 (executable)
--- a/bin/tests/system/inline/ns7/sign.sh
+++ b/bin/tests/system/inline/ns7/sign.sh
@@ -19,6 +19,6 @@
 zone=nsec3-loop
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)

diff --git a/bin/tests/system/inline/ns8/sign.sh b/bin/tests/system/inline/ns8/sign.sh
index dd9790fa181f045b28ebb03eb598caf0fa2ef59f..d9b95e4ab26c1db7a8675a342afde873a3d72abd 100755 (executable)
--- a/bin/tests/system/inline/ns8/sign.sh
+++ b/bin/tests/system/inline/ns8/sign.sh
@@ -20,8 +20,8 @@ for zone in example01.com example02.com example03.com example04.com \
 do
   rm -f K${zone}.+*+*.key
   rm -f K${zone}.+*+*.private
-  keyname=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
-  keyname=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone`
+  keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone)
+  keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone)
   cp example.com.db.in ${zone}.db
   $SIGNER -S -T 3600 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
 done
@@ -29,7 +29,7 @@ done
 for zone in example unsigned-serial-test; do
   rm -f K${zone}.+*+*.key
   rm -f K${zone}.+*+*.private
-  keyname=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
-  keyname=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone`
+  keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone)
+  keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone)
   cp example.db.in ${zone}.db
 done

diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
index 8d4026bd0d5eb6b022302c1bf9be2caf088e4bd5..a8f8860a01f5c309a4128e6aaba3be0a756fe266 100755 (executable)
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@@ -37,55 +37,55 @@ $RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1
 
 for i in 1 2 3 4 5 6 7 8 9 0
 do
-       nsec3param=`$DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.`
+       nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.)
        test "$nsec3param" = "1 0 0 -" && break
        sleep 1
 done
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that an unsupported algorithm is not used for signing ($n)"
 ret=0
 grep -q "algorithm is unsupported" ns3/named.run || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that rrsigs are replaced with ksk only ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.3 axfr nsec3. |
        awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that the zone is signed on initial transfer ($n)"
 ret=0
 for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
 do
        ret=0
        $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
-       keys=`grep '^Done signing' signing.out.test$n | wc -l`
+       keys=$(grep '^Done signing' signing.out.test$n | wc -l)
        [ $keys = 2 ] || ret=1
        if [ $ret = 0 ]; then break; fi
        sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking expired signatures are updated on load ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.3 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n
-expiry=`awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n`
+expiry=$(awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n)
 [ "$expiry" = "20110101000000" ] && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking removal of private type record via 'rndc signing -clear' ($n)"
 ret=0
 $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
-keys=`sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n`
+keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
 for key in $keys; do
        $RNDCCMD 10.53.0.3 signing -clear ${key} bits > /dev/null || ret=1
        break;  # We only want to remove 1 record for now.
@@ -95,16 +95,16 @@ for i in 1 2 3 4 5 6 7 8 9 10
 do
        ans=0
        $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
-        num=`grep "Done signing with" signing.out.test$n | wc -l`
+        num=$(grep "Done signing with" signing.out.test$n | wc -l)
        [ $num = 1 ] && break
        sleep 1
 done
 [ $ans = 0 ] || ret=1
 
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking private type was properly signed ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n
@@ -112,9 +112,9 @@ grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
 grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
 
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking removal of remaining private type record via 'rndc signing -clear all' ($n)"
 ret=0
 $RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1
@@ -130,9 +130,9 @@ done
 [ $ans = 0 ] || ret=1
 
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking negative private type response was properly signed ($n)"
 ret=0
 sleep 1
@@ -142,7 +142,7 @@ grep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1
 grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
 
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 $NSUPDATE << EOF
 zone bits
@@ -151,16 +151,16 @@ update add added.bits 0 A 1.2.3.4
 send
 EOF
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that the record is added on the hidden primary ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 added.bits A > dig.out.ns2.test$n
 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that update has been transferred and has been signed ($n)"
 ret=0
 for i in 1 2 3 4 5 6 7 8 9 10
@@ -173,7 +173,7 @@ do
        sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 $NSUPDATE << EOF
 zone bits
@@ -182,7 +182,7 @@ update add bits 0 SOA ns2.bits. . 2011072400 20 20 1814400 3600
 send
 EOF
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
@@ -190,9 +190,9 @@ grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
 grep "2011072400" dig.out.ns2.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone ($n)"
 for i in 1 2 3 4 5 6 7 8 9 10
 do
@@ -205,22 +205,22 @@ do
        sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that the zone is signed on initial transfer, noixfr ($n)"
 ret=0
 for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
 do
        ret=0
        $RNDCCMD 10.53.0.3 signing -list noixfr > signing.out.test$n 2>&1
-       keys=`grep '^Done signing' signing.out.test$n | wc -l`
+       keys=$(grep '^Done signing' signing.out.test$n | wc -l)
        [ $keys = 2 ] || ret=1
        if [ $ret = 0 ]; then break; fi
        sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 $NSUPDATE << EOF
 zone noixfr
@@ -229,16 +229,16 @@ update add added.noixfr 0 A 1.2.3.4
 send
 EOF
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that the record is added on the hidden primary, noixfr ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.4 added.noixfr A > dig.out.ns4.test$n
 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
 grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that update has been transferred and has been signed, noixfr ($n)"
 ret=0
 for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
@@ -251,7 +251,7 @@ do
        sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 $NSUPDATE << EOF
 zone noixfr
@@ -260,7 +260,7 @@ update add noixfr 0 SOA ns4.noixfr. . 2011072400 20 20 1814400 3600
 send
 EOF
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary, noixfr ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
@@ -268,9 +268,9 @@ grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
 grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
 grep "2011072400" dig.out.ns4.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)"
 for i in 1 2 3 4 5 6 7 8 9 10
 do
@@ -283,28 +283,28 @@ do
        sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that the primary zone signed on initial load ($n)"
 ret=0
 for i in 1 2 3 4 5 6 7 8 9 10
 do
        ret=0
        $RNDCCMD 10.53.0.3 signing -list primary  > signing.out.test$n 2>&1
-       keys=`grep '^Done signing' signing.out.test$n | wc -l`
+       keys=$(grep '^Done signing' signing.out.test$n | wc -l)
        [ $keys = 2 ] || ret=1
        if [ $ret = 0 ]; then break; fi
        sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking removal of private type record via 'rndc signing -clear' (primary) ($n)"
 ret=0
 $RNDCCMD 10.53.0.3 signing -list primary > signing.out.test$n 2>&1
-keys=`sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n`
+keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
 for key in $keys; do
        $RNDCCMD 10.53.0.3 signing -clear ${key} primary > /dev/null || ret=1
        break;  # We only want to remove 1 record for now.
@@ -314,16 +314,16 @@ for i in 1 2 3 4 5 6 7 8 9
 do
        ans=0
        $RNDCCMD 10.53.0.3 signing -list primary > signing.out.test$n 2>&1
-        num=`grep "Done signing with" signing.out.test$n | wc -l`
+        num=$(grep "Done signing with" signing.out.test$n | wc -l)
        [ $num = 1 ] && break
        sleep 1
 done
 [ $ans = 0 ] || ret=1
 
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking private type was properly signed (primary) ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.6 primary TYPE65534 > dig.out.ns6.test$n
@@ -331,9 +331,9 @@ grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
 grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
 
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking removal of remaining private type record via 'rndc signing -clear' (primary) ($n)"
 ret=0
 $RNDCCMD 10.53.0.3 signing -clear all primary > /dev/null || ret=1
@@ -348,9 +348,9 @@ done
 [ $ans = 0 ] || ret=1
 
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "check adding of record to unsigned primary ($n)"
 ret=0
 cp ns3/primary2.db.in ns3/primary.db
@@ -366,9 +366,9 @@ do
 done
 [ $ans = 0 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "check adding record fails when SOA serial not changed ($n)"
 ret=0
 echo "c A 10.0.0.3" >> ns3/primary.db
@@ -377,9 +377,9 @@ sleep 1
 $DIG $DIGOPTS @10.53.0.3 c.primary A > dig.out.ns3.test$n
 grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "check adding record works after updating SOA serial ($n)"
 ret=0
 cp ns3/primary3.db.in ns3/primary.db
@@ -395,9 +395,9 @@ do
 done
 [ $ans = 0 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "check the added record was properly signed ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.3 e.primary A > dig.out.ns6.test$n
@@ -405,28 +405,28 @@ grep "10.0.0.5" dig.out.ns6.test$n > /dev/null || ans=1
 grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ans=1
 grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ans=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that the dynamic primary zone signed on initial load ($n)"
 ret=0
 for i in 1 2 3 4 5 6 7 8 9 10
 do
        ret=0
        $RNDCCMD 10.53.0.3 signing -list dynamic > signing.out.test$n 2>&1
-       keys=`grep '^Done signing' signing.out.test$n | wc -l`
+       keys=$(grep '^Done signing' signing.out.test$n | wc -l)
        [ $keys = 2 ] || ret=1
        if [ $ret = 0 ]; then break; fi
        sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking primary zone that was updated while offline is correct ($n)"
 ret=0
 $DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA >dig.out.ns2.soa.test$n
-serial=`awk '{print $3}' dig.out.ns2.soa.test$n`
+serial=$(awk '{print $3}' dig.out.ns2.soa.test$n)
 # serial should have changed
 [ "$serial" = "2000042407" ] && ret=1
 # e.updated should exist and should be signed
@@ -438,14 +438,14 @@ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
 # records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records
 # (SOA/RRSIG, NSEC/RRSIG).
 $JOURNALPRINT ns3/updated.db.signed.jnl >journalprint.out.test$n
-serial=`awk '/Source serial =/ {print $4}' journalprint.out.test$n`
+serial=$(awk '/Source serial =/ {print $4}' journalprint.out.test$n)
 [ "$serial" = "2000042408" ] || ret=1
-diffsize=`wc -l < journalprint.out.test$n`
+diffsize=$(wc -l < journalprint.out.test$n)
 [ "$diffsize" -le 13 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking adding of record to unsigned primary using UPDATE ($n)"
 ret=0
 
@@ -473,21 +473,21 @@ done
 [ $ans = 0 ] || { ret=1; echo_i "signed record not found"; cat dig.out.ns3.test$n ; }
 
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "stop bump in the wire signer server ($n)"
 ret=0
 stop_server inline ns3 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "restart bump in the wire signer server ($n)"
 ret=0
 start_server --noclean --restart --port ${PORT} inline ns3 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 $NSUPDATE << EOF
 zone bits
@@ -496,7 +496,7 @@ update add bits 0 SOA ns2.bits. . 2011072450 20 20 1814400 3600
 send
 EOF
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
@@ -504,9 +504,9 @@ grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
 grep "2011072450" dig.out.ns2.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone ($n)"
 for i in 1 2 3 4 5 6 7 8 9 10
 do
@@ -519,7 +519,7 @@ do
        sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 $NSUPDATE << EOF
 zone noixfr
@@ -528,7 +528,7 @@ update add noixfr 0 SOA ns4.noixfr. . 2011072450 20 20 1814400 3600
 send
 EOF
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary, noixfr ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
@@ -536,9 +536,9 @@ grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
 grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
 grep "2011072450" dig.out.ns4.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)"
 for i in 1 2 3 4 5 6 7 8 9 10
 do
@@ -551,7 +551,7 @@ do
        sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 $NSUPDATE << EOF
 zone bits
@@ -560,7 +560,7 @@ update add bits 0 SOA ns2.bits. . 2011072460 20 20 1814400 3600
 send
 EOF
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking forwarded update on hidden primary ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
@@ -568,9 +568,9 @@ grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
 grep "2011072460" dig.out.ns2.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking forwarded update on signed zone ($n)"
 for i in 1 2 3 4 5 6 7 8 9 10
 do
@@ -583,7 +583,7 @@ do
        sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 $NSUPDATE << EOF
 zone noixfr
@@ -592,7 +592,7 @@ update add noixfr 0 SOA ns4.noixfr. . 2011072460 20 20 1814400 3600
 send
 EOF
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking forwarded update on hidden primary, noixfr ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
@@ -600,9 +600,9 @@ grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
 grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
 grep "2011072460" dig.out.ns4.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking forwarded update on signed zone, noixfr ($n)"
 for i in 1 2 3 4 5 6 7 8 9 10
 do
@@ -615,19 +615,19 @@ do
        sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 ret=0
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking turning on of inline signing in a secondary zone via reload ($n)"
 $DIG $DIGOPTS @10.53.0.5 +dnssec bits SOA > dig.out.ns5.test$n
 grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
 grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "setup broken"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 copy_setports ns5/named.conf.post ns5/named.conf
-(cd ns5; $KEYGEN -q -a rsasha256 bits) > /dev/null 2>&1
-(cd ns5; $KEYGEN -q -a rsasha256 -f KSK bits) > /dev/null 2>&1
+(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} bits) > /dev/null 2>&1
+(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK bits) > /dev/null 2>&1
 rndc_reload ns5 10.53.0.5
 for i in 1 2 3 4 5 6 7 8 9 10
 do
@@ -639,9 +639,9 @@ do
        sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking rndc freeze/thaw of dynamic inline zone no change ($n)"
 ret=0
 $RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || { echo_i "/' < freeze.test$n"; ret=1;  }
@@ -650,10 +650,10 @@ $RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || { echo_i "rndc thaw dynami
 sleep 1
 grep "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run > /dev/null ||  ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking rndc freeze/thaw of dynamic inline zone ($n)"
 ret=0
 $RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || ret=1
@@ -664,9 +664,9 @@ awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
 mv ns3/dynamic.db.new ns3/dynamic.db
 $RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "check added record freeze1.dynamic ($n)"
 for i in 1 2 3 4 5 6 7 8 9
 do
@@ -678,12 +678,12 @@ do
     sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 # allow 1 second so that file time stamps change
 sleep 1
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking rndc freeze/thaw of server ($n)"
 ret=0
 $RNDCCMD 10.53.0.3 freeze > freeze.test$n 2>&1 || ret=1
@@ -694,9 +694,9 @@ awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
 mv ns3/dynamic.db.new ns3/dynamic.db
 $RNDCCMD 10.53.0.3 thaw > thaw.test$n 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "check added record freeze2.dynamic ($n)"
 for i in 1 2 3 4 5 6 7 8 9
 do
@@ -708,17 +708,17 @@ do
     sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "check rndc reload allows reuse of inline-signing zones ($n)"
 ret=0
 { $RNDCCMD 10.53.0.3 reload 2>&1 || ret=1 ; } | sed 's/^/ns3 /' | cat_i
 grep "not reusable" ns3/named.run > /dev/null 2>&1 && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "check rndc sync removes both signed and unsigned journals ($n)"
 ret=0
 [ -f ns3/dynamic.db.jnl ] || ret=1
@@ -727,7 +727,7 @@ $RNDCCMD 10.53.0.3 sync -clean dynamic 2>&1 || ret=1
 [ -f ns3/dynamic.db.jnl ] && ret=1
 [ -f ns3/dynamic.db.signed.jnl ] && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 $NSUPDATE << EOF
 zone retransfer
@@ -737,16 +737,16 @@ send
 
 EOF
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that the retransfer record is added on the hidden primary ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 added.retransfer A > dig.out.ns2.test$n
 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that the change has not been transferred due to notify ($n)"
 ret=0
 for i in 0 1 2 3 4 5 6 7 8 9
@@ -758,9 +758,9 @@ do
        sleep 1
 done
 if [ $ans != 1 ]; then echo_i "failed"; ret=1; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "check rndc retransfer of a inline secondary zone works ($n)"
 ret=0
 $RNDCCMD 10.53.0.3 retransfer retransfer 2>&1 || ret=1
@@ -775,9 +775,9 @@ do
 done
 [ $ans = 1 ] && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "check 'rndc signing -nsec3param' requests are queued for zones which are not loaded ($n)"
 ret=0
 # The "retransfer3" zone is configured with "allow-transfer { none; };" on ns2,
@@ -803,8 +803,8 @@ $RNDCCMD 10.53.0.3 retransfer retransfer3 || ret=1
 for i in 0 1 2 3 4 5 6 7 8 9
 do
        $RNDCCMD 10.53.0.3 signing -list retransfer3 > signing.out.test$n.$i 2>&1
-       keys_done=`grep "Done signing" signing.out.test$n.$i | wc -l`
-       nsec3_pending=`grep "NSEC3 chain" signing.out.test$n.$i | wc -l`
+       keys_done=$(grep "Done signing" signing.out.test$n.$i | wc -l)
+       nsec3_pending=$(grep "NSEC3 chain" signing.out.test$n.$i | wc -l)
        test $keys_done -eq 2 -a $nsec3_pending -eq 0 && break
        sleep 1
 done
@@ -813,9 +813,9 @@ $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n
 grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ret=1
 grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "check rndc retransfer of a inline nsec3 secondary retains nsec3 ($n)"
 ret=0
 $RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
@@ -840,11 +840,11 @@ do
 done
 [ $ans = 1 ] && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 # NOTE: The test below should be considered fragile.  More details can be found
 # in the comment inside ns7/named.conf.
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "check rndc retransfer of a inline nsec3 secondary does not trigger an infinite loop ($n)"
 ret=0
 zone=nsec3-loop
@@ -856,7 +856,7 @@ for i in 1 2 3 4 5 6 7 8 9 0
 do
        ret=1
        $RNDCCMD 10.53.0.7 signing -list $zone > signing.out.test$n 2>&1
-       keys=`grep '^Done signing' signing.out.test$n | wc -l`
+       keys=$(grep '^Done signing' signing.out.test$n | wc -l)
        [ $keys -eq 3 ] && ret=0 && break
        sleep 1
 done
@@ -866,7 +866,7 @@ $RNDCCMD 10.53.0.7 signing -nsec3param 1 0 2 12345678 $zone > /dev/null 2>&1
 for i in 1 2 3 4 5 6 7 8 9 0
 do
        ret=1
-       nsec3param=`$DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone`
+       nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone)
        test "$nsec3param" = "1 0 2 12345678" && ret=0 && break
        sleep 1
 done
@@ -887,27 +887,27 @@ do
        sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "stop bump in the wire signer server ($n)"
 ret=0
 stop_server inline ns3 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 echo_i "update SOA record while stopped"
 cp ns3/primary4.db.in ns3/primary.db
 rm ns3/primary.db.jnl
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "restart bump in the wire signer server ($n)"
 ret=0
 start_server --noclean --restart --port ${PORT} inline ns3 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "updates to SOA parameters other than serial while stopped are reflected in signed zone ($n)"
 ret=0
 for i in 1 2 3 4 5 6 7 8 9
@@ -921,9 +921,9 @@ do
 done
 [ $ans = 0 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "check that reloading all zones does not cause zone maintenance to cease for inline-signed zones ($n)"
 ret=1
 # Ensure "rndc reload" attempts to load ns3/primary.db by waiting 1 second so
@@ -946,9 +946,9 @@ done
 $DIG $DIGOPTS @10.53.0.3 primary SOA > dig.out.ns3.test$n || ret=1
 grep "hostmaster" dig.out.ns3.test$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "check that reloading errors prevent synchronization ($n)"
 ret=1
 $DIG $DIGOPTS +short @10.53.0.3 primary SOA > dig.out.ns3.test$n.1 || ret=1
@@ -969,14 +969,14 @@ done
 $DIG $DIGOPTS +short @10.53.0.3 primary SOA > dig.out.ns3.test$n.2 || ret=1
 diff dig.out.ns3.test$n.1  dig.out.ns3.test$n.2 > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "check inline-signing with an include file ($n)"
 ret=0
 $DIG $DIGOPTS +short @10.53.0.3 primary SOA > dig.out.ns3.test$n.1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 sleep 1
 nextpart ns3/named.run > /dev/null
 cp ns3/primary7.db.in ns3/primary.db
@@ -993,9 +993,9 @@ retry_quiet 10 _includefile_loaded
 $DIG $DIGOPTS +short @10.53.0.3 primary SOA > dig.out.ns3.test$n.2 || ret=1
 diff dig.out.ns3.test$n.1  dig.out.ns3.test$n.2 > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "test add/del zone combinations ($n)"
 ret=0
 for zone in a b c d e f g h i j k l m n o p q r s t u v w x y z
@@ -1009,34 +1009,35 @@ $RNDCCMD 10.53.0.3 addzone test-$zone \
 $RNDCCMD 10.53.0.3 delzone test-$zone > /dev/null 2>&1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing adding external keys to a inline zone ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.3 dnskey externalkey > dig.out.ns3.test$n
-for alg in 7 13
+for alg in ${DEFAULT_ALGORITHM_NUMBER} ${ALTERNATIVE_ALGORITHM_NUMBER}
 do
    [ $alg = 13 -a ! -f checkecdsa ] && continue;
 
    case $alg in
    7) echo_i "checking NSEC3RSASHA1";;
+   8) echo_i "checking RSASHA256";;
    13) echo_i "checking ECDSAP256SHA256";;
    *) echo_i "checking $alg";;
    esac
 
-   dnskeys=`grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l`
-   rrsigs=`grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l`
+   dnskeys=$(grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l)
+   rrsigs=$(grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l)
    test ${dnskeys:-0} -eq 3 || { echo_i "failed $alg (dnskeys ${dnskeys:-0})"; ret=1; }
    test ${rrsigs:-0} -eq 2 || { echo_i "failed $alg (rrsigs ${rrsigs:-0})"; ret=1; }
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing imported key won't overwrite a private key ($n)"
 ret=0
-key=`$KEYGEN -q -a rsasha256 import.example`
+key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} import.example)
 cp ${key}.key import.key
 # import should fail
 $IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1
@@ -1046,90 +1047,90 @@ $IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1
 # now that it's an external key, re-import should succeed
 $IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing updating inline secure serial via 'rndc signing -serial' ($n)"
 ret=0
 $DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n
-newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n`
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n)
 $RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
 retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post.test$n || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing updating inline secure serial via 'rndc signing -serial' with negative change ($n)"
 ret=0
 $DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n
-oldserial=`awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n`
-newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n`
+oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n)
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n)
 $RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
 sleep 1
 $DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.ns3.post.test$n
-serial=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n`
+serial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n)
 [ ${oldserial:-0} -eq ${serial:-1} ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 #
 # Freezing only operates on the raw zone.
 #
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing updating inline secure serial via 'rndc signing -serial' when frozen ($n)"
 ret=0
 $DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n
-oldserial=`awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n`
-newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n`
+oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n)
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n)
 $RNDCCMD 10.53.0.3 freeze nsec3 > /dev/null 2>&1
 $RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
 $RNDCCMD 10.53.0.3 thaw nsec3 > /dev/null 2>&1
 retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post1.test$n || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing updating dynamic serial via 'rndc signing -serial' ($n)"
 ret=0
 $DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n
-newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n`
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n)
 $RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1
 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-0}" dig.out.ns2.post.test$n || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing updating dynamic serial via 'rndc signing -serial' with negative change ($n)"
 ret=0
 $DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n
-oldserial=`awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n`
-newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n`
+oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n)
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n)
 $RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1
 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1
 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing updating dynamic serial via 'rndc signing -serial' when frozen ($n)"
 ret=0
 $DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n
-oldserial=`awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n`
-newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n`
+oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n)
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n)
 $RNDCCMD 10.53.0.2 freeze bits > /dev/null 2>&1
 $RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1
 $RNDCCMD 10.53.0.2 thaw bits > /dev/null 2>&1
 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1
 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing that inline signing works with inactive ZSK and active KSK ($n)"
 ret=0
 
 $DIG $DIGOPTS @10.53.0.3 soa inactivezsk  > dig.out.ns3.pre.test$n || ret=1
-soa1=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n`
+soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n)
 
 $NSUPDATE << EOF
 server 10.53.0.2 ${PORT}
@@ -1140,7 +1141,7 @@ EOF
 for i in 1 2 3 4 5 6 7 8 9 10
 do
     $DIG $DIGOPTS @10.53.0.3 soa inactivezsk  > dig.out.ns3.post.test$n || ret=1
-    soa2=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n`
+    soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n)
     test ${soa1:-0} -ne ${soa2:-0} && break
     sleep 1
 done
@@ -1149,44 +1150,44 @@ test ${soa1:-0} -ne ${soa2:-0} || ret=1
 $DIG $DIGOPTS @10.53.0.3 txt added.inactivezsk > dig.out.ns3.test$n || ret=1
 grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
 grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
-grep "TXT 7 2" dig.out.ns3.test$n > /dev/null || ret=1
-grep "TXT 8 2" dig.out.ns3.test$n > /dev/null || ret=1
+grep "TXT ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
+grep "TXT ${ALTERNATIVE_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
 
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing that inline signing works with inactive KSK and active ZSK ($n)"
 ret=0
 
 $DIG $DIGOPTS @10.53.0.3 axfr inactiveksk > dig.out.ns3.test$n
 
 #
-#  check that DNSKEY is signed with ZSK for algorithm 7
+#  check that DNSKEY is signed with ZSK for default algorithm
 #
-awk='$4 == "DNSKEY" && $5 == 256 && $7 == 7 { print }'
-zskid=`awk "${awk}" dig.out.ns3.test$n |
-       $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' `
-grep "DNSKEY 7 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1
-awk='$4 == "DNSKEY" && $5 == 257 && $7 == 7 { print }'
-kskid=`awk "${awk}" dig.out.ns3.test$n |
-       $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' `
-grep "DNSKEY 7 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
+awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }'
+zskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
+       $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' )
+grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1
+awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }'
+kskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
+       $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' )
+grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
 
 #
-#  check that DNSKEY is signed with KSK for algorithm 8
+#  check that DNSKEY is signed with KSK for alternative algorithm
 #
-awk='$4 == "DNSKEY" && $5 == 256 && $7 == 8 { print }'
-zskid=`awk "${awk}" dig.out.ns3.test$n |
-       $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' `
-grep "DNSKEY 8 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1
-awk='$4 == "DNSKEY" && $5 == 257 && $7 == 8 { print }'
-kskid=`awk "${awk}" dig.out.ns3.test$n |
-       $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' `
-grep "DNSKEY 8 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
+awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }'
+zskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
+       $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' )
+grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1
+awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }'
+kskid=$(awk  -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
+       $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' )
+grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
 
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 # Wait until an update to the raw part of a given inline signed zone is fully
 # processed.  As waiting for a fixed amount of time is suboptimal and there is
@@ -1206,7 +1207,7 @@ wait_until_raw_zone_update_is_processed() {
        done
 }
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that changes to raw zone are applied to a previously unsigned secure zone ($n)"
 ret=0
 # Query for bar.nokeys/A and ensure the response is negative.  As this zone
@@ -1231,9 +1232,9 @@ $DIG $DIGOPTS @10.53.0.3 bar.nokeys. A > dig.out.ns3.post.test$n 2>&1
 grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null || ret=1
 grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that changes to raw zone are not applied to a previously signed secure zone with no keys available (primary) ($n)"
 ret=0
 # Query for bar.removedkeys-primary/A and ensure the response is negative.  As
@@ -1260,16 +1261,16 @@ $DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.post.test$n 2>
 grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1
 grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that backlogged changes to raw zone are applied after keys become available (primary) ($n)"
 ret=0
 # Restore the signing keys for this zone.
 mv ns3/removedkeys/Kremovedkeys-primary* ns3
 $RNDCCMD 10.53.0.3 loadkeys removedkeys-primary > /dev/null 2>&1
 # Determine what a SOA record with a bumped serial number should look like.
-BUMPED_SOA=`sed -n 's/.*\(add removedkeys-primary.*IN.*SOA\)/\1/p;' ns3/named.run | tail -1 | awk '{$8 += 1; print $0}'`
+BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-primary.*IN.*SOA\)/\1/p;' ns3/named.run | tail -1 | awk '{$8 += 1; print $0}')
 # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
 # log messages generated before the raw zone is updated.
 nextpart ns3/named.run > /dev/null
@@ -1288,9 +1289,9 @@ $DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.test$n 2>&1
 grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
 grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that changes to raw zone are not applied to a previously signed secure zone with no keys available (secondary) ($n)"
 ret=0
 # Query for bar.removedkeys-secondary/A and ensure the response is negative.  As this
@@ -1317,16 +1318,16 @@ $DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.post.test$n
 grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1
 grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that backlogged changes to raw zone are applied after keys become available (secondary) ($n)"
 ret=0
 # Restore the signing keys for this zone.
 mv ns3/removedkeys/Kremovedkeys-secondary* ns3
 $RNDCCMD 10.53.0.3 loadkeys removedkeys-secondary > /dev/null 2>&1
 # Determine what a SOA record with a bumped serial number should look like.
-BUMPED_SOA=`sed -n 's/.*\(add removedkeys-secondary.*IN.*SOA\)/\1/p;' ns2/named.run | tail -1 | awk '{$8 += 1; print $0}'`
+BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-secondary.*IN.*SOA\)/\1/p;' ns2/named.run | tail -1 | awk '{$8 += 1; print $0}')
 # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
 # log messages generated before the raw zone is updated.
 nextpart ns3/named.run > /dev/null
@@ -1345,7 +1346,7 @@ $DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.test$n 2>&1
 grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
 grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 # Check that the file $2 for zone $1 does not contain RRSIG records
 # while the journal file for that zone does contain them.
@@ -1356,7 +1357,7 @@ ensure_sigs_only_in_journal() {
        $CHECKZONE -j -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null || ret=1
 }
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that records added from a journal are scheduled to be resigned ($n)"
 ret=0
 # Signing keys for the "delayedkeys" zone are not yet accessible.  Thus, the
@@ -1368,7 +1369,7 @@ $RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1
 # Wait until the zone is signed.
 check_done_signing () (
     $RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1
-    num=`grep "Done signing with" signing.out.test$n | wc -l`
+    num=$(grep "Done signing with" signing.out.test$n | wc -l)
     [ $num -eq 2 ]
 )
 retry_quiet 10 check_done_signing || ret=1
@@ -1395,30 +1396,30 @@ wait_for_log 20 "all zones loaded" ns3/named.run || ret=1
 $RNDCCMD 10.53.0.3 zonestatus delayedkeys > rndc.out.ns3.post.test$n 2>&1 || ret=1
 grep "next resign node:" rndc.out.ns3.post.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "check that zonestatus reports 'type: primary' for an inline primary zone ($n)"
 ret=0
 $RNDCCMD 10.53.0.3 zonestatus primary > rndc.out.ns3.test$n
 grep "type: primary" rndc.out.ns3.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "check that zonestatus reports 'type: secondary' for an inline secondary zone ($n)"
 ret=0
 $RNDCCMD 10.53.0.3 zonestatus bits > rndc.out.ns3.test$n
 grep "type: secondary" rndc.out.ns3.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking reload of touched inline zones ($n)"
 ret=0
 echo_ic "pre-reload 'next key event'"
 nextpart ns8/named.run > nextpart.pre$n.out
-count=`grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.pre$n.out | wc -l`
+count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.pre$n.out | wc -l)
 echo_ic "found: $count/16"
 [ $count -eq 16 ] || ret=1
 echo_ic "touch and reload"
@@ -1427,13 +1428,13 @@ $RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i
 sleep 5
 echo_ic "post-reload 'next key event'"
 nextpart ns8/named.run > nextpart.post$n.out
-count=`grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.post$n.out | wc -l`
+count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.post$n.out | wc -l)
 echo_ic "found: $count/16"
 [ $count -eq 16 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking second reload of touched inline zones ($n)"
 ret=0
 nextpart ns8/named.run > nextpart.pre$n.out
@@ -1442,7 +1443,7 @@ sleep 5
 nextpart ns8/named.run > nextpart.post$n.out
 grep "ixfr-from-differences: unchanged" nextpart.post$n.out && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 n=$((n+1))
 echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)"