From: Mukund Sivaraman <muks@isc.org>
Date: Fri, 21 Apr 2017 06:24:23 +0000 (+0530)
Subject: Increase minimum RSA keygen size to 1024 bits (#36895)
X-Git-Tag: v9.12.0a1~368
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd7d1df874c825e7478999e8c4c43e470cc2c2c5;p=thirdparty%2Fbind9.git

Increase minimum RSA keygen size to 1024 bits (#36895)
---

diff --git a/CHANGES b/CHANGES
index 30c96118029..8aee60fc87a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4595.	[func]		dnssec-keygen will no longer generate RSA keys
+			less than 1024 bits in length. dnssec-keymgr
+			was similarly updated. [RT #36895]
+
 4594.	[func]		"dnstap-read -x" prints a hex dump of the wire
 			format of each logged DNS message. [RT #44816]
 
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 524b26b146c..1df9f0c2366 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -89,10 +89,10 @@ usage(void) {
 			       "NSEC3RSASHA1 if using -3)\n");
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
 	fprintf(stderr, "    -b <key size in bits>:\n");
-	fprintf(stderr, "        RSAMD5:\t[512..%d]\n", MAX_RSA);
-	fprintf(stderr, "        RSASHA1:\t[512..%d]\n", MAX_RSA);
-	fprintf(stderr, "        NSEC3RSASHA1:\t[512..%d]\n", MAX_RSA);
-	fprintf(stderr, "        RSASHA256:\t[512..%d]\n", MAX_RSA);
+	fprintf(stderr, "        RSAMD5:\t[1024..%d]\n", MAX_RSA);
+	fprintf(stderr, "        RSASHA1:\t[1024..%d]\n", MAX_RSA);
+	fprintf(stderr, "        NSEC3RSASHA1:\t[1024..%d]\n", MAX_RSA);
+	fprintf(stderr, "        RSASHA256:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        RSASHA512:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        DH:\t\t[128..4096]\n");
 	fprintf(stderr, "        DSA:\t\t[512..1024] and divisible by 64\n");
@@ -748,7 +748,7 @@ main(int argc, char **argv) {
 	case DNS_KEYALG_RSASHA1:
 	case DNS_KEYALG_NSEC3RSASHA1:
 	case DNS_KEYALG_RSASHA256:
-		if (size != 0 && (size < 512 || size > MAX_RSA))
+		if (size != 0 && (size < 1024 || size > MAX_RSA))
 			fatal("RSA key size %d out of range", size);
 		break;
 	case DNS_KEYALG_RSASHA512:
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index f0b566506d7..58c222b68f3 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -144,7 +144,7 @@
 	  <para>
 	    Specifies the number of bits in the key.  The choice of key
 	    size depends on the algorithm used.  RSA keys must be
-	    between 512 and 2048 bits.  Diffie Hellman keys must be between
+	    between 1024 and 2048 bits.  Diffie Hellman keys must be between
 	    128 and 4096 bits.  DSA keys must be between 512 and 1024
 	    bits and an exact multiple of 64.  HMAC keys must be
 	    between 1 and 512 bits. Elliptic curve algorithms don't need
diff --git a/bin/python/isc/policy.py.in b/bin/python/isc/policy.py.in
index 9dec2b8cf3d..8a1d511582b 100644
--- a/bin/python/isc/policy.py.in
+++ b/bin/python/isc/policy.py.in
@@ -131,11 +131,11 @@ class Policy:
     directory = None
     valid_key_sz_per_algo = {'DSA': [512, 1024],
                              'NSEC3DSA': [512, 1024],
-                             'RSAMD5': [512, 4096],
-                             'RSASHA1': [512, 4096],
+                             'RSAMD5': [1024, 4096],
+                             'RSASHA1': [1024, 4096],
                              'NSEC3RSASHA1': [512, 4096],
-                             'RSASHA256': [512, 4096],
-                             'RSASHA512': [512, 4096],
+                             'RSASHA256': [1024, 4096],
+                             'RSASHA512': [1024, 4096],
                              'ECCGOST': None,
                              'ECDSAP256SHA256': None,
                              'ECDSAP384SHA384': None}
diff --git a/bin/tests/system/autosign/setup.sh b/bin/tests/system/autosign/setup.sh
index cab648f747f..cf2e1b15dc7 100644
--- a/bin/tests/system/autosign/setup.sh
+++ b/bin/tests/system/autosign/setup.sh
@@ -11,7 +11,7 @@ SYSTEMTESTTOP=..
 
 . ./clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 echo "I:generating keys and preparing zones"
 cd ns1 && $SHELL keygen.sh
diff --git a/bin/tests/system/dlv/setup.sh b/bin/tests/system/dlv/setup.sh
index 677720c9a25..cb98ad6702c 100644
--- a/bin/tests/system/dlv/setup.sh
+++ b/bin/tests/system/dlv/setup.sh
@@ -9,6 +9,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 (cd ns1 && $SHELL -e sign.sh)
diff --git a/bin/tests/system/dlvauto/ns1/sign.sh b/bin/tests/system/dlvauto/ns1/sign.sh
index 8826ddca562..a181b3650b6 100644
--- a/bin/tests/system/dlvauto/ns1/sign.sh
+++ b/bin/tests/system/dlvauto/ns1/sign.sh
@@ -13,7 +13,7 @@ zone=dlv.isc.org
 infile=dlv.isc.org.db.in
 zonefile=dlv.isc.org.db
 
-dlvkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+dlvkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
 cat $infile $dlvkey.key > $zonefile
 $SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
 
@@ -21,7 +21,7 @@ zone=.
 infile=root.db.in
 zonefile=root.db
 
-rootkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+rootkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
 cat $infile $rootkey.key > $zonefile
 $SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
 
diff --git a/bin/tests/system/dlvauto/setup.sh b/bin/tests/system/dlvauto/setup.sh
index 13cd35780ab..a31ea34336c 100644
--- a/bin/tests/system/dlvauto/setup.sh
+++ b/bin/tests/system/dlvauto/setup.sh
@@ -11,6 +11,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh 
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 cd ns1 && $SHELL sign.sh
diff --git a/bin/tests/system/dlzexternal/setup.sh b/bin/tests/system/dlzexternal/setup.sh
index cce22f6e826..7d23b3587f9 100644
--- a/bin/tests/system/dlzexternal/setup.sh
+++ b/bin/tests/system/dlzexternal/setup.sh
@@ -9,6 +9,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 $DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
diff --git a/bin/tests/system/dns64/setup.sh b/bin/tests/system/dns64/setup.sh
index 99689bf0bfa..ff5233c9435 100644
--- a/bin/tests/system/dns64/setup.sh
+++ b/bin/tests/system/dns64/setup.sh
@@ -11,6 +11,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 cd ns1 && $SHELL sign.sh
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 514924b37cc..4d59010cf43 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -24,7 +24,7 @@ cp ../ns2/dsset-in-addr.arpa$TP .
 grep "8 [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP
 cp ../ns6/dsset-optout-tld$TP .
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key > $zonefile
 
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index be711ca5791..d92ec0d4cbd 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -98,7 +98,7 @@ privzone=private.secure.example.
 privinfile=private.secure.example.db.in
 privzonefile=private.secure.example.db
 
-privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone`
+privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $privzone`
 
 cat $privinfile $privkeyname.key >$privzonefile
 
@@ -112,7 +112,7 @@ dlvinfile=dlv.db.in
 dlvzonefile=dlv.db
 dlvsetfile=dlvset-`echo $privzone |sed -e "s/\.$//g"`$TP
 
-dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone`
+dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $dlvzone`
 
 cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile
 
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 43aad4e0cab..c689cb6e096 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -13,9 +13,9 @@ zone=secure.example.
 infile=secure.example.db.in
 zonefile=secure.example.db
 
-cnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host cnameandkey.$zone`
-dnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host dnameandkey.$zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+cnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 1024 -n host cnameandkey.$zone`
+dnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 1024 -n host dnameandkey.$zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $cnameandkey.key $dnameandkey.key $keyname.key >$zonefile
 
@@ -25,7 +25,7 @@ zone=bogus.example.
 infile=bogus.example.db.in
 zonefile=bogus.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -35,7 +35,7 @@ zone=dynamic.example.
 infile=dynamic.example.db.in
 zonefile=dynamic.example.db
 
-keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
 keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -46,7 +46,7 @@ zone=keyless.example.
 infile=generic.example.db.in
 zonefile=keyless.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -66,7 +66,7 @@ zone=secure.nsec3.example.
 infile=secure.nsec3.example.db.in
 zonefile=secure.nsec3.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -79,7 +79,7 @@ zone=nsec3.nsec3.example.
 infile=nsec3.nsec3.example.db.in
 zonefile=nsec3.nsec3.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -92,7 +92,7 @@ zone=optout.nsec3.example.
 infile=optout.nsec3.example.db.in
 zonefile=optout.nsec3.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -105,7 +105,7 @@ zone=nsec3.example.
 infile=nsec3.example.db.in
 zonefile=nsec3.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -118,7 +118,7 @@ zone=secure.optout.example.
 infile=secure.optout.example.db.in
 zonefile=secure.optout.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -131,7 +131,7 @@ zone=nsec3.optout.example.
 infile=nsec3.optout.example.db.in
 zonefile=nsec3.optout.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -144,7 +144,7 @@ zone=optout.optout.example.
 infile=optout.optout.example.db.in
 zonefile=optout.optout.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -157,7 +157,7 @@ zone=optout.example.
 infile=optout.example.db.in
 zonefile=optout.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -170,7 +170,7 @@ zone=nsec3-unknown.example.
 infile=nsec3-unknown.example.db.in
 zonefile=nsec3-unknown.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -183,7 +183,7 @@ zone=optout-unknown.example.
 infile=optout-unknown.example.db.in
 zonefile=optout-unknown.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -197,7 +197,7 @@ zone=dnskey-unknown.example.
 infile=dnskey-unknown.example.db.in
 zonefile=dnskey-unknown.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -216,7 +216,7 @@ zone=dnskey-nsec3-unknown.example.
 infile=dnskey-nsec3-unknown.example.db.in
 zonefile=dnskey-nsec3-unknown.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -234,7 +234,7 @@ zone=multiple.example.
 infile=multiple.example.db.in
 zonefile=multiple.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -257,7 +257,7 @@ zone=rsasha256.example.
 infile=rsasha256.example.db.in
 zonefile=rsasha256.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -362,7 +362,7 @@ zonefile=ttlpatch.example.db
 signedfile=ttlpatch.example.db.signed
 patchedfile=ttlpatch.example.db.patched
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 cat $infile $keyname.key >$zonefile
 
 $SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1
@@ -377,7 +377,7 @@ infile=split-dnssec.example.db.in
 zonefile=split-dnssec.example.db
 signedfile=split-dnssec.example.db.signed
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 cat $infile $keyname.key >$zonefile
 echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
 : > $signedfile
@@ -391,7 +391,7 @@ infile=split-smart.example.db.in
 zonefile=split-smart.example.db
 signedfile=split-smart.example.db.signed
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 cp $infile $zonefile
 echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
 : > $signedfile
@@ -495,7 +495,7 @@ zone=badds.example.
 infile=bogus.example.db.in
 zonefile=badds.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
diff --git a/bin/tests/system/dnssec/ns6/sign.sh b/bin/tests/system/dnssec/ns6/sign.sh
index 94a5de24d48..db34b0535b8 100644
--- a/bin/tests/system/dnssec/ns6/sign.sh
+++ b/bin/tests/system/dnssec/ns6/sign.sh
@@ -15,7 +15,7 @@ zone=optout-tld
 infile=optout-tld.db.in
 zonefile=optout-tld.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
diff --git a/bin/tests/system/dnssec/ns7/sign.sh b/bin/tests/system/dnssec/ns7/sign.sh
index 2c851df37a5..5eda54cb62f 100644
--- a/bin/tests/system/dnssec/ns7/sign.sh
+++ b/bin/tests/system/dnssec/ns7/sign.sh
@@ -15,8 +15,8 @@ zone=split-rrsig
 infile=split-rrsig.db.in
 zonefile=split-rrsig.db
 
-k1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
-k2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
+k1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
+k2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
 
 cat $infile $k1.key $k2.key >$zonefile
 
diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh
index 6b28cbf5c01..78bfd01e180 100644
--- a/bin/tests/system/dnssec/setup.sh
+++ b/bin/tests/system/dnssec/setup.sh
@@ -11,7 +11,7 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh 
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 cd ns1 && $SHELL sign.sh
 
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index ab28b8b72fd..040f67c50d0 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -2938,16 +2938,23 @@ until test $alg = 256
 do
 	size=
 	case $alg in
-	1) size="-b 512";;
+	1) # RSA/MD5
+	   size="-b 1024";;
 	2) # Diffie Helman
 	   alg=`expr $alg + 1`
 	   continue;;
-	3) size="-b 512";;
-	5) size="-b 512";;
-	6) size="-b 512";;
-	7) size="-b 512";;
-	8) size="-b 512";;
-	10) size="-b 1024";;
+	3) # DSA/SHA1
+	   size="-b 512";;
+	5) # RSA/SHA-1
+	   size="-b 1024";;
+	6) # DSA-NSEC3-SHA1
+	   size="-b 512";;
+	7) # RSASHA1-NSEC3-SHA1
+	   size="-b 1024";;
+	8) # RSA/SHA-256
+	   size="-b 1024";;
+	10) # RSA/SHA-512
+	   size="-b 1024";;
 	157|160|161|162|163|164|165) # private - non standard
 	   alg=`expr $alg + 1`
 	   continue;;
diff --git a/bin/tests/system/dsdigest/setup.sh b/bin/tests/system/dsdigest/setup.sh
index e5f0a4874ff..40b89f4fd96 100644
--- a/bin/tests/system/dsdigest/setup.sh
+++ b/bin/tests/system/dsdigest/setup.sh
@@ -9,6 +9,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 cd ns1 && $SHELL sign.sh
diff --git a/bin/tests/system/ecdsa/setup.sh b/bin/tests/system/ecdsa/setup.sh
index e5f0a4874ff..40b89f4fd96 100644
--- a/bin/tests/system/ecdsa/setup.sh
+++ b/bin/tests/system/ecdsa/setup.sh
@@ -9,6 +9,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 cd ns1 && $SHELL sign.sh
diff --git a/bin/tests/system/filter-aaaa/setup.sh b/bin/tests/system/filter-aaaa/setup.sh
index 476acba5d91..3302376ffa2 100644
--- a/bin/tests/system/filter-aaaa/setup.sh
+++ b/bin/tests/system/filter-aaaa/setup.sh
@@ -11,7 +11,7 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 cp ns1/named1.conf ns1/named.conf
 cp ns2/named1.conf ns2/named.conf
diff --git a/bin/tests/system/gost/setup.sh b/bin/tests/system/gost/setup.sh
index 07b8048f4d6..b5fddac571c 100644
--- a/bin/tests/system/gost/setup.sh
+++ b/bin/tests/system/gost/setup.sh
@@ -9,6 +9,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 cd ns1 && $SHELL sign.sh
diff --git a/bin/tests/system/inline/ns1/sign.sh b/bin/tests/system/inline/ns1/sign.sh
index f71bff4856a..f380de6f8c0 100644
--- a/bin/tests/system/inline/ns1/sign.sh
+++ b/bin/tests/system/inline/ns1/sign.sh
@@ -14,7 +14,7 @@ SYSTEMTESTTOP=../..
 zone=.
 rm -f K.+*+*.key
 rm -f K.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out 2>&1
 [ $? = 0 ] || cat signer.out
diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh
index f2c3eace877..f49ccb74bf6 100755
--- a/bin/tests/system/inline/ns3/sign.sh
+++ b/bin/tests/system/inline/ns3/sign.sh
@@ -12,35 +12,35 @@ SYSTEMTESTTOP=../..
 zone=bits
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=noixfr
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=master
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=dynamic
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=updated
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 $SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
@@ -50,7 +50,7 @@ cp master2.db.in updated.db
 zone=expired
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 $SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
@@ -58,7 +58,7 @@ $SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone}
 zone=retransfer
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
@@ -71,20 +71,20 @@ $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 zone=retransfer3
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 for s in a c d h k l m q z
 do
 	zone=test-$s
-	keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+	keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 done
 
 for s in b f i o p t v
 do
 	zone=test-$s
-	keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+	keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 	keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 done
 
diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh
index c7f27d66211..a84477626a4 100644
--- a/bin/tests/system/inline/setup.sh
+++ b/bin/tests/system/inline/setup.sh
@@ -9,7 +9,7 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 cp ns1/root.db.in ns1/root.db
 rm -f ns1/root.db.signed
diff --git a/bin/tests/system/keepalive/setup.sh b/bin/tests/system/keepalive/setup.sh
index 0f5c88e0375..25cb9a69791 100644
--- a/bin/tests/system/keepalive/setup.sh
+++ b/bin/tests/system/keepalive/setup.sh
@@ -11,4 +11,4 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
diff --git a/bin/tests/system/legacy/build.sh b/bin/tests/system/legacy/build.sh
index 60f793685a3..424ce7a717b 100644
--- a/bin/tests/system/legacy/build.sh
+++ b/bin/tests/system/legacy/build.sh
@@ -9,7 +9,7 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 $SHELL clean.sh
 
diff --git a/bin/tests/system/masterformat/setup.sh b/bin/tests/system/masterformat/setup.sh
index adff5de9dfa..3abba7dd101 100755
--- a/bin/tests/system/masterformat/setup.sh
+++ b/bin/tests/system/masterformat/setup.sh
@@ -7,7 +7,7 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 rm -f named-compilezone
 ln -s $CHECKZONE named-compilezone
diff --git a/bin/tests/system/metadata/setup.sh b/bin/tests/system/metadata/setup.sh
index 988e39deec4..57858eddf72 100644
--- a/bin/tests/system/metadata/setup.sh
+++ b/bin/tests/system/metadata/setup.sh
@@ -11,7 +11,7 @@ SYSTEMTESTTOP=..
 
 $SHELL ./clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 pzone=parent.nil
 czone=child.parent.nil
diff --git a/bin/tests/system/metadata/tests.sh b/bin/tests/system/metadata/tests.sh
index e5b2109686f..6edbc96a819 100644
--- a/bin/tests/system/metadata/tests.sh
+++ b/bin/tests/system/metadata/tests.sh
@@ -28,7 +28,7 @@ rolling=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < rolling.key`
 standby=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < standby.key`
 zsk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < zsk.key`
 
-$GENRANDOM 400 $RANDFILE
+$GENRANDOM 800 $RANDFILE
 
 echo "I:signing zones"
 $SIGNER -Sg -o $czone $cfile > /dev/null 2>&1
diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh
index 6ef53372ef7..2c571eb224e 100644
--- a/bin/tests/system/mkeys/setup.sh
+++ b/bin/tests/system/mkeys/setup.sh
@@ -11,7 +11,7 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 cp ns1/named1.conf ns1/named.conf
 
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index 3ca59fcea1b..1a5551ed5b5 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -9,7 +9,7 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 #
 # jnl and database files MUST be removed before we start
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index c771bd8e4f4..0baea8a94c8 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -160,7 +160,7 @@ grep ns6.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1
 
 ret=0
 echo "I:check SIG(0) key is accepted"
-key=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 512 -T KEY -n ENTITY xxx`
+key=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -T KEY -n ENTITY xxx`
 echo "" | $NSUPDATE -k ${key}.private > /dev/null 2>&1 || ret=1
 [ $ret = 0 ] || { echo I:failed; status=1; }
 
diff --git a/bin/tests/system/padding/setup.sh b/bin/tests/system/padding/setup.sh
index 0f5c88e0375..25cb9a69791 100644
--- a/bin/tests/system/padding/setup.sh
+++ b/bin/tests/system/padding/setup.sh
@@ -11,4 +11,4 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
diff --git a/bin/tests/system/pending/ns2/sign.sh b/bin/tests/system/pending/ns2/sign.sh
index dc41cfa2154..9663428603f 100644
--- a/bin/tests/system/pending/ns2/sign.sh
+++ b/bin/tests/system/pending/ns2/sign.sh
@@ -16,7 +16,7 @@ for domain in example example.com; do
 	infile=${domain}.db.in
 	zonefile=${domain}.db
 
-	keyname1=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+	keyname1=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 	keyname2=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -f KSK -n zone $zone`
 
 	cat $infile $keyname1.key $keyname2.key > $zonefile
diff --git a/bin/tests/system/pending/setup.sh b/bin/tests/system/pending/setup.sh
index a3304cb2028..186ed94ea51 100644
--- a/bin/tests/system/pending/setup.sh
+++ b/bin/tests/system/pending/setup.sh
@@ -9,6 +9,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 cd ns1 && $SHELL -e sign.sh
diff --git a/bin/tests/system/pipelined/setup.sh b/bin/tests/system/pipelined/setup.sh
index d541f0d110a..0f7d7423a91 100644
--- a/bin/tests/system/pipelined/setup.sh
+++ b/bin/tests/system/pipelined/setup.sh
@@ -11,4 +11,4 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
diff --git a/bin/tests/system/redirect/setup.sh b/bin/tests/system/redirect/setup.sh
index 5e70ea726f3..a0ae8a95755 100644
--- a/bin/tests/system/redirect/setup.sh
+++ b/bin/tests/system/redirect/setup.sh
@@ -11,7 +11,7 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 cp ns2/redirect.db.in ns2/redirect.db
 cp ns2/example.db.in ns2/example.db
diff --git a/bin/tests/system/resolver/setup.sh b/bin/tests/system/resolver/setup.sh
index 51537ba81e6..1e51b86d851 100644
--- a/bin/tests/system/resolver/setup.sh
+++ b/bin/tests/system/resolver/setup.sh
@@ -9,7 +9,7 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 cp ns4/tld1.db ns4/tld.db
 cp ns6/to-be-removed.tld.db.in ns6/to-be-removed.tld.db
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
index 9f78481439c..6ea9f323c16 100644
--- a/bin/tests/system/rndc/setup.sh
+++ b/bin/tests/system/rndc/setup.sh
@@ -11,7 +11,7 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 $SHELL ../genzone.sh 2 >ns2/nil.db
 $SHELL ../genzone.sh 2 >ns2/other.db
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
index 6e9740cffa8..6c816d77f7c 100644
--- a/bin/tests/system/rndc/tests.sh
+++ b/bin/tests/system/rndc/tests.sh
@@ -569,8 +569,8 @@ fi
 n=`expr $n + 1`
 echo "I:check 'rndc \"\"' is handled ($n)"
 ret=0
-$RNDCCMD "" > rndc.out.test$n 2>&1 && ret=1
-grep "rndc: '' failed: failure" rndc.out.test$n > /dev/null
+$RNDCCMD "" > rndc.output.test$n 2>&1 && ret=1
+grep "rndc: '' failed: failure" rndc.output.test$n > /dev/null
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index e0e0e4a6a2f..12aeef1176b 100644
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -26,11 +26,11 @@ for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wild
 done
 
 # sign the root and a zone in ns2
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 # $1=directory, $2=domain name, $3=input zone file, $4=output file
 signzone () {
-    KEYNAME=`$KEYGEN -q -r $RANDFILE -b 512 -K $1 $2`
+    KEYNAME=`$KEYGEN -q -r $RANDFILE -b 1024 -K $1 $2`
     cat $1/$3 $1/$KEYNAME.key > $1/tmp
     $SIGNER -Pp -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
     sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trusted-keys {"\1" \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
diff --git a/bin/tests/system/rsabigexponent/prereq.sh b/bin/tests/system/rsabigexponent/prereq.sh
index 91780dc5a69..4a8c4407a91 100644
--- a/bin/tests/system/rsabigexponent/prereq.sh
+++ b/bin/tests/system/rsabigexponent/prereq.sh
@@ -9,7 +9,7 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 if $BIGKEY > /dev/null 2>&1
 then
diff --git a/bin/tests/system/rsabigexponent/setup.sh b/bin/tests/system/rsabigexponent/setup.sh
index ab6477456c9..4e47409fc57 100644
--- a/bin/tests/system/rsabigexponent/setup.sh
+++ b/bin/tests/system/rsabigexponent/setup.sh
@@ -11,6 +11,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 cd ns1 && $SHELL -e sign.sh
diff --git a/bin/tests/system/sfcache/ns1/sign.sh b/bin/tests/system/sfcache/ns1/sign.sh
index 647b30f09c0..9ab0754419e 100644
--- a/bin/tests/system/sfcache/ns1/sign.sh
+++ b/bin/tests/system/sfcache/ns1/sign.sh
@@ -17,7 +17,7 @@ zonefile=root.db
 
 cp ../ns2/dsset-example$TP .
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key > $zonefile
 
diff --git a/bin/tests/system/sfcache/prereq.sh b/bin/tests/system/sfcache/prereq.sh
index 18f6e96a69b..2fdd872b777 100644
--- a/bin/tests/system/sfcache/prereq.sh
+++ b/bin/tests/system/sfcache/prereq.sh
@@ -9,9 +9,9 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-$GENRANDOM 400 $RANDFILE
+$GENRANDOM 800 $RANDFILE
 
-if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r $RANDFILE foo > /dev/null 2>&1
+if $KEYGEN -q -a RSAMD5 -b 1024 -n zone -r $RANDFILE foo > /dev/null 2>&1
 then
     rm -f Kfoo*
 else
diff --git a/bin/tests/system/sfcache/setup.sh b/bin/tests/system/sfcache/setup.sh
index b5d5a7a7138..ea6366c6714 100644
--- a/bin/tests/system/sfcache/setup.sh
+++ b/bin/tests/system/sfcache/setup.sh
@@ -11,7 +11,7 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 cd ns1 && $SHELL sign.sh
 
diff --git a/bin/tests/system/smartsign/setup.sh b/bin/tests/system/smartsign/setup.sh
index 3c64bf6c57e..3372c41c289 100644
--- a/bin/tests/system/smartsign/setup.sh
+++ b/bin/tests/system/smartsign/setup.sh
@@ -11,4 +11,4 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
diff --git a/bin/tests/system/staticstub/ns4/sign.sh b/bin/tests/system/staticstub/ns4/sign.sh
index 4dda6106973..e9a50b86cb1 100755
--- a/bin/tests/system/staticstub/ns4/sign.sh
+++ b/bin/tests/system/staticstub/ns4/sign.sh
@@ -15,7 +15,7 @@ zone=sub.example
 infile=${zone}.db.in
 zonefile=${zone}.db
 
-keyname1=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname1=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 keyname2=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -f KSK -n zone $zone`
 
 cat $infile $keyname1.key $keyname2.key > $zonefile
diff --git a/bin/tests/system/staticstub/setup.sh b/bin/tests/system/staticstub/setup.sh
index a3d09923a4d..1b3f4ad3d03 100755
--- a/bin/tests/system/staticstub/setup.sh
+++ b/bin/tests/system/staticstub/setup.sh
@@ -13,6 +13,6 @@ sed 's/SERVER_CONFIG_PLACEHOLDER/server-names { "ns.example.net"; };/' ns2/named
 
 sed 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type master; file "example.db.signed"; };/' ns3/named.conf.in > ns3/named.conf
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 cd ns3 && $SHELL -e sign.sh
diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh
index 07bded63758..46ebfe27749 100644
--- a/bin/tests/system/testcrypto.sh
+++ b/bin/tests/system/testcrypto.sh
@@ -9,12 +9,12 @@
 SYSTEMTESTTOP=${SYSTEMTESTTOP:=..}
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 prog=$0
 
 args="-r $RANDFILE"
-alg="-a RSAMD5 -b 512"
+alg="-a RSAMD5 -b 1024"
 quiet=0
 
 msg1="cryptography"
diff --git a/bin/tests/system/tkey/setup.sh b/bin/tests/system/tkey/setup.sh
index eec303725d3..8bf19cb946e 100644
--- a/bin/tests/system/tkey/setup.sh
+++ b/bin/tests/system/tkey/setup.sh
@@ -11,6 +11,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 cd ns1 && $SHELL setup.sh
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
index de6f0ab313e..9ea7292afd6 100644
--- a/bin/tests/system/tsig/setup.sh
+++ b/bin/tests/system/tsig/setup.sh
@@ -11,4 +11,4 @@ SYSTEMTESTTOP=..
 
 sh clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
index 58d61d996c5..c40da019f81 100644
--- a/bin/tests/system/tsiggss/setup.sh
+++ b/bin/tests/system/tsiggss/setup.sh
@@ -9,7 +9,7 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 rm -f ns1/*.jnl ns1/K*.key ns1/K*.private ns1/_default.tsigkeys
 
diff --git a/bin/tests/system/unknown/ns3/sign.sh b/bin/tests/system/unknown/ns3/sign.sh
index cb8cbac1494..f489b03b637 100644
--- a/bin/tests/system/unknown/ns3/sign.sh
+++ b/bin/tests/system/unknown/ns3/sign.sh
@@ -14,5 +14,5 @@ SYSTEMTESTTOP=../..
 zone=example
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
diff --git a/bin/tests/system/unknown/setup.sh b/bin/tests/system/unknown/setup.sh
index 4db528f0b9c..f236d0fb5fa 100644
--- a/bin/tests/system/unknown/setup.sh
+++ b/bin/tests/system/unknown/setup.sh
@@ -9,6 +9,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh 
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 (cd ns3; $SHELL -e sign.sh)
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
index f40a3e06ce1..05c356a1554 100644
--- a/bin/tests/system/upforwd/setup.sh
+++ b/bin/tests/system/upforwd/setup.sh
@@ -18,7 +18,7 @@ rm -f Ksig0.example2.*
 #
 # SIG(0) required cryptographic support which may not be configured.
 #
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE 
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 keyname=`$KEYGEN  -q -r $RANDFILE -n HOST -a RSASHA1 -b 1024 -T KEY sig0.example2 2>/dev/null | $D2U`
 if test -n "$keyname"
 then
diff --git a/bin/tests/system/verify/setup.sh b/bin/tests/system/verify/setup.sh
index 0a8a5963bad..4ef23d6d90e 100644
--- a/bin/tests/system/verify/setup.sh
+++ b/bin/tests/system/verify/setup.sh
@@ -11,6 +11,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh 
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 (cd zones && $SHELL genzones.sh)
diff --git a/bin/tests/system/views/setup.sh b/bin/tests/system/views/setup.sh
index a5250f90c8b..1e661f913be 100644
--- a/bin/tests/system/views/setup.sh
+++ b/bin/tests/system/views/setup.sh
@@ -19,7 +19,7 @@ rm -f ns2/internal/inline.db.signed.jnl
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 #
 # We remove k1 and k2 as KEYGEN is deterministic when given the
diff --git a/bin/tests/system/wildcard/setup.sh b/bin/tests/system/wildcard/setup.sh
index 80597c4df8c..425e1350350 100644
--- a/bin/tests/system/wildcard/setup.sh
+++ b/bin/tests/system/wildcard/setup.sh
@@ -9,6 +9,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 (cd ns1 && $SHELL -e sign.sh)
diff --git a/bin/tests/system/zonechecks/setup.sh b/bin/tests/system/zonechecks/setup.sh
index 4b64918debb..77089938ff7 100644
--- a/bin/tests/system/zonechecks/setup.sh
+++ b/bin/tests/system/zonechecks/setup.sh
@@ -11,7 +11,7 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 
 $SHELL ../genzone.sh 1 > ns1/master.db
 $SHELL ../genzone.sh 1 > ns1/duplicate.db