rem: usr: Remove unnecessary options in dnssec-keygen and dnssec-keyfromlabel

The `dnssec-keygen` utility (and `dnssec-keyfromlabel`, which was derived from it) had several options dating to the time when keys in DNS were still experimental and not fully specified, and when `dnssec-keygen` had the additional function of generating TSIG keys, which are now generated by `tsig-keygen`. These options are no longer necessary in the modern DNSSEC environment, and have been removed. The removed options are: - `-t` (key type), which formerly set flags to disable confidentiality or authentication support in a key; these are no longer used. - `-n` (name type), which is now always set to "ZONE" for DNSKEY and "HOST" for KEY. - `-p` (protocol), which is now always set to 3 (DNSSEC); no other value has ever been defined. - `-s` (signatory field), which was never fully defined. - `-d` (digest bits), which is meaningful only for TSIG keys. Merge branch 'each-remove-keygen-options' into 'main' See merge request isc-projects/bind9!10262
2026-04-26 00:30:05 -04:00 · 2025-03-25 23:49:11 +00:00 · 2025-03-25 23:49:11 +00:00 · b0f8b443c9
commit b0f8b443c9
parent 079c3aecf5 529bdd1028
43 changed files with 263 additions and 472 deletions
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@ -73,13 +73,7 @@ usage(void) {
 	fprintf(stderr, "    -k: generate a TYPE=KEY key\n");
 	fprintf(stderr, "    -L ttl: default key TTL\n");
 	fprintf(stderr, "    -M <min>:<max>: allowed Key ID range\n");
-	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | "
-			"OTHER\n");
 	fprintf(stderr, "        (DNSKEY generation defaults to ZONE\n");
-	fprintf(stderr, "    -p protocol: default: 3 [dnssec]\n");
-	fprintf(stderr, "    -t type: "
-			"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
-			"(default: AUTHCONF)\n");
 	fprintf(stderr, "    -y: permit keys that might collide\n");
 	fprintf(stderr, "    -v verbose level\n");
 	fprintf(stderr, "    -V: print version information\n");
@ -111,7 +105,6 @@ usage(void) {
 int
 main(int argc, char **argv) {
 	char *algname = NULL, *freeit = NULL;
-	char *nametype = NULL, *type = NULL;
 	const char *directory = NULL;
 	const char *predecessor = NULL;
 	dst_key_t *prevkey = NULL;
@ -125,7 +118,6 @@ main(int argc, char **argv) {
 	bool oldstyle = false;
 	isc_mem_t *mctx = NULL;
 	int ch;
-	int protocol = -1, signatory = 0;
 	isc_result_t ret;
 	isc_textregion_t r;
 	char filename[255];
@ -223,17 +215,13 @@ main(int argc, char **argv) {
 			break;
 		}
 		case 'n':
-			nametype = isc_commandline_argument;
+			fatal("The -n option has been deprecated.");
 			break;
 		case 'p':
-			protocol = strtol(isc_commandline_argument, &endp, 10);
-			if (*endp != '\0' || protocol < 0 || protocol > 255) {
-				fatal("-p must be followed by a number "
-				      "[0..255]");
-			}
+			fatal("The -p option has been deprecated.");
 			break;
 		case 't':
-			type = isc_commandline_argument;
+			fatal("The -t option has been deprecated.");
 			break;
 		case 'v':
 			verbose = strtol(isc_commandline_argument, &endp, 0);
@ -416,21 +404,6 @@ main(int argc, char **argv) {
 			}
 		}

-		if (type != NULL && (options & DST_TYPE_KEY) != 0) {
-			if (strcasecmp(type, "NOAUTH") == 0) {
-				flags |= DNS_KEYTYPE_NOAUTH;
-			} else if (strcasecmp(type, "NOCONF") == 0) {
-				flags |= DNS_KEYTYPE_NOCONF;
-			} else if (strcasecmp(type, "NOAUTHCONF") == 0) {
-				flags |= (DNS_KEYTYPE_NOAUTH |
-					  DNS_KEYTYPE_NOCONF);
-			} else if (strcasecmp(type, "AUTHCONF") == 0) {
-				/* nothing */
-			} else {
-				fatal("invalid type %s", type);
-			}
-		}
-
 		if (!oldstyle && prepub > 0) {
 			if (setpub && setact && (activate - prepub) < publish) {
 				fatal("Activation and publication dates "
@ -467,12 +440,6 @@ main(int argc, char **argv) {
 		if (algname != NULL) {
 			fatal("-S and -a cannot be used together");
 		}
-		if (nametype != NULL) {
-			fatal("-S and -n cannot be used together");
-		}
-		if (type != NULL) {
-			fatal("-S and -t cannot be used together");
-		}
 		if (setpub || unsetpub) {
 			fatal("-S and -P cannot be used together");
 		}
@ -554,53 +521,25 @@ main(int argc, char **argv) {
 		setpub = setact = true;
 	}

-	if (nametype == NULL) {
-		if ((options & DST_TYPE_KEY) != 0) { /* KEY */
-			fatal("no nametype specified");
-		}
-		flags |= DNS_KEYOWNER_ZONE; /* DNSKEY */
-	} else if (strcasecmp(nametype, "zone") == 0) {
-		flags |= DNS_KEYOWNER_ZONE;
-	} else if ((options & DST_TYPE_KEY) != 0) { /* KEY */
-		if (strcasecmp(nametype, "host") == 0 ||
-		    strcasecmp(nametype, "entity") == 0)
-		{
-			flags |= DNS_KEYOWNER_ENTITY;
-		} else if (strcasecmp(nametype, "user") == 0) {
-			/* no owner flags */
-		} else {
-			fatal("invalid KEY nametype %s", nametype);
-		}
-	} else if (strcasecmp(nametype, "other") != 0) { /* DNSKEY */
-		fatal("invalid DNSKEY nametype %s", nametype);
-	}
-
 	rdclass = strtoclass(classname);

 	if (directory == NULL) {
 		directory = ".";
 	}

-	if ((options & DST_TYPE_KEY) != 0) { /* KEY */
-		flags |= signatory;
-	} else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
+	if ((options & DST_TYPE_KEY) == 0) {
+		flags |= DNS_KEYOWNER_ZONE; /* DNSKEY: name type ZONE */
 		flags |= kskflag;
 		flags |= revflag;
-	}
-
-	if (protocol == -1) {
-		protocol = DNS_KEYPROTO_DNSSEC;
-	} else if ((options & DST_TYPE_KEY) == 0 &&
-		   protocol != DNS_KEYPROTO_DNSSEC)
-	{
-		fatal("invalid DNSKEY protocol: %d", protocol);
+	} else {
+		flags |= DNS_KEYOWNER_ENTITY; /* KEY: name type HOST */
 	}

 	isc_buffer_init(&buf, filename, sizeof(filename) - 1);

 	/* associate the key */
-	ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, label,
-				NULL, mctx, &key);
+	ret = dst_key_fromlabel(name, alg, flags, DNS_KEYPROTO_DNSSEC, rdclass,
+				label, NULL, mctx, &key);

 	if (ret != ISC_R_SUCCESS) {
 		char namestr[DNS_NAME_FORMATSIZE];
--- a/bin/dnssec/dnssec-keyfromlabel.rst
+++ b/bin/dnssec/dnssec-keyfromlabel.rst
@ -21,7 +21,7 @@ dnssec-keyfromlabel - DNSSEC key generation tool
 Synopsis
 ~~~~~~~~

-:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
+:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-M** tag_min:tag_max] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-v** level] [**-V**] [**-y**] {name}

 Description
 ~~~~~~~~~~~
@ -70,14 +70,6 @@ Options
   When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is
   an arbitrary string that identifies a particular key.

-.. option:: -n nametype
-
-   This option specifies the owner type of the key. The value of ``nametype`` must
-   either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
-   (for a key associated with a host (KEY)), USER (for a key associated
-   with a user (KEY)), or OTHER (DNSKEY). These values are
-   case-insensitive.
-
 .. option:: -C

   This option enables compatibility mode, which generates an old-style key, without any metadata.
@ -135,12 +127,6 @@ Options
   values for ``tag_min`` and ``tag_max`` are [0..65535].  The
   default allows all key tag values to be accepted.

-.. option:: -p protocol
-
-   This option sets the protocol value for the key. The protocol is a number between
-   0 and 255. The default is 3 (DNSSEC). Other possible values for this
-   argument are listed in :rfc:`2535` and its successors.
-
 .. option:: -S key

   This option generates a key as an explicit successor to an existing key. The name,
@ -150,13 +136,6 @@ Options
   set to the activation date minus the prepublication interval, which
   defaults to 30 days.

-.. option:: -t type
-
-   This option indicates the type of the key. ``type`` must be one of AUTHCONF,
-   NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers
-   to the ability to authenticate data, and CONF to the ability to encrypt
-   data.
-
 .. option:: -v level

   This option sets the debugging level.
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@ -82,16 +82,11 @@ struct keygen_ctx {
 	const char *directory;
 	dns_keystore_t *keystore;
 	char *algname;
-	char *nametype;
-	char *type;
-	int protocol;
 	int size;
 	uint16_t tag_min;
 	uint16_t tag_max;
-	int signatory;
 	dns_rdataclass_t rdclass;
 	int options;
-	int dbits;
 	dns_ttl_t ttl;
 	bool wantzsk;
 	bool wantksk;
@ -168,23 +163,14 @@ usage(void) {
 	fprintf(stderr, "        ED448:\tignored\n");
 	fprintf(stderr, "        (key size defaults are set according to\n"
 			"        algorithm and usage (ZSK or KSK)\n");
-	fprintf(stderr, "    -n <nametype>: ZONE | HOST | ENTITY | "
-			"USER | OTHER\n");
-	fprintf(stderr, "        (DNSKEY generation defaults to ZONE)\n");
 	fprintf(stderr, "    -c <class>: (default: IN)\n");
 	fprintf(stderr, "    -d <digest bits> (0 => max, default)\n");
 	fprintf(stderr, "    -f <keyflag>: ZSK | KSK | REVOKE\n");
 	fprintf(stderr, "    -F: FIPS mode\n");
 	fprintf(stderr, "    -L <ttl>: default key TTL\n");
 	fprintf(stderr, "    -M <min>:<max>: allowed Key ID range\n");
-	fprintf(stderr, "    -p <protocol>: (default: 3 [dnssec])\n");
-	fprintf(stderr, "    -s <strength>: strength value this key signs DNS "
-			"records with (default: 0)\n");
 	fprintf(stderr, "    -T <rrtype>: DNSKEY | KEY (default: DNSKEY; "
 			"use KEY for SIG(0))\n");
-	fprintf(stderr, "    -t <type>: "
-			"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
-			"(default: AUTHCONF)\n");
 	fprintf(stderr, "    -h: print usage and exit\n");
 	fprintf(stderr, "    -m <memory debugging mode>:\n");
 	fprintf(stderr, "       usage | trace | record\n");
@ -314,24 +300,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 			}
 		}

-		if (ctx->type != NULL && (ctx->options & DST_TYPE_KEY) != 0) {
-			if (strcasecmp(ctx->type, "NOAUTH") == 0) {
-				flags |= DNS_KEYTYPE_NOAUTH;
-			} else if (strcasecmp(ctx->type, "NOCONF") == 0) {
-				flags |= DNS_KEYTYPE_NOCONF;
-			} else if (strcasecmp(ctx->type, "NOAUTHCONF") == 0) {
-				flags |= (DNS_KEYTYPE_NOAUTH |
-					  DNS_KEYTYPE_NOCONF);
-				if (ctx->size < 0) {
-					ctx->size = 0;
-				}
-			} else if (strcasecmp(ctx->type, "AUTHCONF") == 0) {
-				/* nothing */
-			} else {
-				fatal("invalid type %s", ctx->type);
-			}
-		}
-
 		if (ctx->size < 0) {
 			switch (ctx->alg) {
 			case DST_ALG_RSASHA1:
@ -403,12 +371,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 		if (ctx->size >= 0) {
 			fatal("-S and -b cannot be used together");
 		}
-		if (ctx->nametype != NULL) {
-			fatal("-S and -n cannot be used together");
-		}
-		if (ctx->type != NULL) {
-			fatal("-S and -t cannot be used together");
-		}
 		if (ctx->setpub || ctx->unsetpub) {
 			fatal("-S and -P cannot be used together");
 		}
@ -522,34 +484,17 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 		break;
 	}

-	if (ctx->nametype == NULL) {
-		if ((ctx->options & DST_TYPE_KEY) != 0) { /* KEY */
-			fatal("no nametype specified");
-		}
-		flags |= DNS_KEYOWNER_ZONE; /* DNSKEY */
-	} else if (strcasecmp(ctx->nametype, "zone") == 0) {
-		flags |= DNS_KEYOWNER_ZONE;
-	} else if ((ctx->options & DST_TYPE_KEY) != 0) { /* KEY */
-		if (strcasecmp(ctx->nametype, "host") == 0 ||
-		    strcasecmp(ctx->nametype, "entity") == 0)
-		{
-			flags |= DNS_KEYOWNER_ENTITY;
-		} else if (strcasecmp(ctx->nametype, "user") == 0) {
-			/* no owner flags */
-		} else {
-			fatal("invalid KEY nametype %s", ctx->nametype);
-		}
-	} else if (strcasecmp(ctx->nametype, "other") != 0) { /* DNSKEY */
-		fatal("invalid DNSKEY nametype %s", ctx->nametype);
+	if ((ctx->options & DST_TYPE_KEY) == 0) {
+		flags |= DNS_KEYOWNER_ZONE; /* DNSKEY: name type ZONE */
+	} else {
+		flags |= DNS_KEYOWNER_ENTITY; /* KEY: name type HOST */
 	}

 	if (ctx->directory == NULL) {
 		ctx->directory = ".";
 	}

-	if ((ctx->options & DST_TYPE_KEY) != 0) { /* KEY */
-		flags |= ctx->signatory;
-	} else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
+	if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
 		if (ctx->ksk || ctx->wantksk) {
 			flags |= DNS_KEYFLAG_KSK;
 		}
@ -558,20 +503,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 		}
 	}

-	if (ctx->protocol == -1) {
-		ctx->protocol = DNS_KEYPROTO_DNSSEC;
-	} else if ((ctx->options & DST_TYPE_KEY) == 0 &&
-		   ctx->protocol != DNS_KEYPROTO_DNSSEC)
-	{
-		fatal("invalid DNSKEY protocol: %d", ctx->protocol);
-	}
-
-	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
-		if (ctx->size > 0) {
-			fatal("specified null key with non-zero size");
-		}
-	}
-
 	switch (ctx->alg) {
 	case DNS_KEYALG_RSASHA1:
 	case DNS_KEYALG_NSEC3RSASHA1:
@ -609,12 +540,12 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 				mctx, ctx->alg, ctx->size, flags, &key);
 		} else if (!ctx->quiet && show_progress) {
 			ret = dst_key_generate(name, ctx->alg, ctx->size, 0,
-					       flags, ctx->protocol,
+					       flags, DNS_KEYPROTO_DNSSEC,
 					       ctx->rdclass, NULL, mctx, &key,
 					       &progress);
 		} else {
 			ret = dst_key_generate(name, ctx->alg, ctx->size, 0,
-					       flags, ctx->protocol,
+					       flags, DNS_KEYPROTO_DNSSEC,
 					       ctx->rdclass, NULL, mctx, &key,
 					       NULL);
 		}
@ -631,8 +562,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 			      algstr, isc_result_totext(ret));
 		}

-		dst_key_setbits(key, ctx->dbits);
-
 		/*
 		 * Set key timing metadata (unless using -C)
 		 *
@ -845,7 +774,6 @@ main(int argc, char **argv) {
 	keygen_ctx_t ctx = {
 		.options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC,
 		.prepub = -1,
-		.protocol = -1,
 		.size = -1,
 		.now = isc_stdtime_now(),
 	};
@ -907,10 +835,7 @@ main(int argc, char **argv) {
 			classname = isc_commandline_argument;
 			break;
 		case 'd':
-			ctx.dbits = strtol(isc_commandline_argument, &endp, 10);
-			if (*endp != '\0' || ctx.dbits < 0) {
-				fatal("-d requires a non-negative number");
-			}
+			fatal("The -d option has been deprecated.");
 			break;
 		case 'E':
 			fatal("%s", isc_result_totext(DST_R_NOENGINE));
@ -947,7 +872,7 @@ main(int argc, char **argv) {
 			ctx.configfile = isc_commandline_argument;
 			break;
 		case 'n':
-			ctx.nametype = isc_commandline_argument;
+			fatal("The -n option has been deprecated.");
 			break;
 		case 'M': {
 			unsigned long ul;
@ -967,14 +892,7 @@ main(int argc, char **argv) {
 		case 'm':
 			break;
 		case 'p':
-			ctx.protocol = strtol(isc_commandline_argument, &endp,
-					      10);
-			if (*endp != '\0' || ctx.protocol < 0 ||
-			    ctx.protocol > 255)
-			{
-				fatal("-p must be followed by a number "
-				      "[0..255]");
-			}
+			fatal("The -p option has been deprecated.");
 			break;
 		case 'q':
 			ctx.quiet = true;
@ -984,21 +902,13 @@ main(int argc, char **argv) {
 			      "System random data is always used.\n");
 			break;
 		case 's':
-			ctx.signatory = strtol(isc_commandline_argument, &endp,
-					       10);
-			if (*endp != '\0' || ctx.signatory < 0 ||
-			    ctx.signatory > 15)
-			{
-				fatal("-s must be followed by a number "
-				      "[0..15]");
-			}
+			fatal("The -s option has been deprecated.");
 			break;
 		case 'T':
 			if (strcasecmp(isc_commandline_argument, "KEY") == 0) {
 				ctx.options |= DST_TYPE_KEY;
 			} else if (strcasecmp(isc_commandline_argument,
-					      "DNSKE"
-					      "Y") == 0)
+					      "DNSKEY") == 0)
 			{
 				/* default behavior */
 			} else {
@ -1007,7 +917,7 @@ main(int argc, char **argv) {
 			}
 			break;
 		case 't':
-			ctx.type = isc_commandline_argument;
+			fatal("The -t option has been deprecated.");
 			break;
 		case 'v':
 			endp = NULL;
@ -1169,9 +1079,6 @@ main(int argc, char **argv) {
 	}

 	if (ctx.policy != NULL) {
-		if (ctx.nametype != NULL) {
-			fatal("-k and -n cannot be used together");
-		}
 		if (ctx.predecessor != NULL) {
 			fatal("-k and -S cannot be used together");
 		}
@ -1190,7 +1097,7 @@ main(int argc, char **argv) {
 		if (ctx.wantrev) {
 			fatal("-k and -fR cannot be used together");
 		}
-		if (ctx.options & DST_TYPE_KEY) {
+		if ((ctx.options & DST_TYPE_KEY) != 0) {
 			fatal("-k and -T KEY cannot be used together");
 		}
 		if (ctx.use_nsec3) {
--- a/bin/dnssec/dnssec-keygen.rst
+++ b/bin/dnssec/dnssec-keygen.rst
@ -21,7 +21,7 @@ dnssec-keygen: DNSSEC key generation tool
 Synopsis
 ~~~~~~~~

-:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
+:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-M** tag_min:tag_max] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-V**] [**-v** level] {name}

 Description
 ~~~~~~~~~~~
@ -87,13 +87,6 @@ Options
   This option indicates that the DNS record containing the key should have the
   specified class. If not specified, class IN is used.

-.. option:: -d bits
-
-   This option specifies the key size in bits. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256, and
-   RSASHA512 the key size must be between 1024 and 4096 bits; DH size is between 128
-   and 4096 bits. This option is ignored for algorithms ECDSAP256SHA256,
-   ECDSAP384SHA384, ED25519, and ED448.
-
 .. option:: -f flag

   This option sets the specified flag in the flag field of the KEY/DNSKEY record.
@ -163,21 +156,6 @@ Options
   key tag values to be produced.  This option is ignored when ``-k policy``
   is specified.

-.. option:: -n nametype
-
-   This option specifies the owner type of the key. The value of ``nametype`` must
-   either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
-   (for a key associated with a host (KEY)), USER (for a key associated
-   with a user (KEY)), or OTHER (DNSKEY). These values are
-   case-insensitive. The default is ZONE for DNSKEY generation.
-
-.. option:: -p protocol
-
-   This option sets the protocol value for the generated key, for use with
-   :option:`-T KEY <-T>`. The protocol is a number between 0 and 255. The default
-   is 3 (DNSSEC). Other possible values for this argument are listed in
-   :rfc:`2535` and its successors.
-
 .. option:: -q

   This option sets quiet mode, which suppresses unnecessary output, including progress
@ -198,11 +176,6 @@ Options
   set to the activation date minus the prepublication interval,
   which defaults to 30 days.

-.. option:: -s strength
-
-   This option specifies the strength value of the key. The strength is a number
-   between 0 and 15, and currently has no defined purpose in DNSSEC.
-
 .. option:: -T rrtype

   This option specifies the resource record type to use for the key. ``rrtype``
@ -210,13 +183,6 @@ Options
   DNSSEC algorithm, but it can be overridden to KEY for use with
   SIG(0).

-.. option:: -t type
-
-   This option indicates the type of the key for use with :option:`-T KEY <-T>`. ``type``
-   must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
-   is AUTHCONF. AUTH refers to the ability to authenticate data, and
-   CONF to the ability to encrypt data.
-
 .. option:: -V

   This option prints version information.
--- a/bin/tests/system/checkds/ns1/setup.sh
+++ b/bin/tests/system/checkds/ns1/setup.sh
@ -22,8 +22,8 @@ zonefile=root.db

 echo_i "ns1/setup.sh"

-ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
 "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
--- a/bin/tests/system/digdelv/ns1/sign.sh
+++ b/bin/tests/system/digdelv/ns1/sign.sh
@ -20,7 +20,7 @@ set -e

 cp "../ns2/dsset-example." .

-ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone .)
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" .)

 cp root.db.in root.db

--- a/bin/tests/system/digdelv/ns2/sign.sh
+++ b/bin/tests/system/digdelv/ns2/sign.sh
@ -16,7 +16,7 @@

 set -e

-ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.)
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" example.)

 cp example.db.in example.db

@ -28,5 +28,5 @@ grep -Ev '^;' <"$ksk.key" | cut -f 7- -d ' ' >keydata
 keyfile_to_initial_keys "$ksk" >../ns3/anchor.dnskey
 keyfile_to_initial_ds "$ksk" >../ns3/anchor.ds

-ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.tld.)
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" example.tld.)
 "$SIGNER" -Sz -f example.tld.db -o example.tld example.db.in >/dev/null 2>&1
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@ -38,8 +38,8 @@ cp "../ns2/dsset-inconsistent." .
 grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." >"dsset-algroll."
 cp "../ns6/dsset-optout-tld." .

-ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"

--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@ -34,8 +34,8 @@ zone=managed.
 infile=key.db.in
 zonefile=managed.db

-keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
-keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
+keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone")

 cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

@ -45,8 +45,8 @@ zone=trusted.
 infile=key.db.in
 zonefile=trusted.db

-keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
-keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
+keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone")

 cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

@ -70,8 +70,8 @@ for subdomain in digest-alg-unsupported ds-unsupported secure badds \
 done

 # Sign the "example." zone.
-keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
-keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
+keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone")

 cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

@ -132,8 +132,8 @@ zone=in-addr.arpa.
 infile=in-addr.arpa.db.in
 zonefile=in-addr.arpa.db

-keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
 "$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
@ -144,8 +144,8 @@ zone=badparam.
 infile=badparam.db.in
 zonefile=badparam.db

-keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

@ -159,8 +159,8 @@ zone=single-nsec3.
 infile=single-nsec3.db.in
 zonefile=single-nsec3.db

-keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

@ -175,10 +175,10 @@ zone=algroll.
 infile=algroll.db.in
 zonefile=algroll.db

-keyold1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
-keyold2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
-keynew1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyold1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -f KSK "$zone")
+keyold2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone")
+keynew1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keynew1.key" "$keynew2.key" >"$zonefile"

@ -203,16 +203,16 @@ while [ $i -le 300 ]; do
  echo "host$i 10 IN NS ns.elsewhere"
  i=$((i + 1))
 done >>"$zonefile"
-key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$key1.key" "$key2.key" >>"$zonefile"
 "$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" >/dev/null 2>&1

 zone=cds.secure
 infile=cds.secure.db.in
 zonefile=cds.secure.db
-key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 "$DSFROMKEY" -C "$key1.key" >"$key1.cds"
 cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile
 "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
@ -220,9 +220,9 @@ cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile
 zone=cds-x.secure
 infile=cds.secure.db.in
 zonefile=cds-x.secure.db
-key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 "$DSFROMKEY" -C "$key2.key" >"$key2.cds"
 cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" >"$zonefile"
 "$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1
@ -230,8 +230,8 @@ cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" >"$zonefile"
 zone=cds-update.secure
 infile=cds-update.secure.db.in
 zonefile=cds-update.secure.db
-key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
 "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
 keyfile_to_key_id "$key1" >cds-update.secure.id
@ -239,16 +239,16 @@ keyfile_to_key_id "$key1" >cds-update.secure.id
 zone=cds-auto.secure
 infile=cds-auto.secure.db.in
 zonefile=cds-auto.secure.db
-key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 $SETTIME -P sync now "$key1" >/dev/null
 cat "$infile" >"$zonefile.signed"

 zone=cdnskey.secure
 infile=cdnskey.secure.db.in
 zonefile=cdnskey.secure.db
-key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds"
 cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile"
 "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
@ -256,9 +256,9 @@ cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile"
 zone=cdnskey-x.secure
 infile=cdnskey.secure.db.in
 zonefile=cdnskey-x.secure.db
-key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds"
 cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" >"$zonefile"
 "$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1
@ -266,8 +266,8 @@ cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" >"$zonefile"
 zone=cdnskey-update.secure
 infile=cdnskey-update.secure.db.in
 zonefile=cdnskey-update.secure.db
-key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
 "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
 keyfile_to_key_id "$key1" >cdnskey-update.secure.id
@ -275,16 +275,16 @@ keyfile_to_key_id "$key1" >cdnskey-update.secure.id
 zone=cdnskey-auto.secure
 infile=cdnskey-auto.secure.db.in
 zonefile=cdnskey-auto.secure.db
-key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 $SETTIME -P sync now "$key1" >/dev/null
 cat "$infile" >"$zonefile.signed"

 zone=updatecheck-kskonly.secure
 infile=template.secure.db.in
 zonefile=${zone}.db
-key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 # Save key id's for checking active key usage
 keyfile_to_key_id "$key1" >$zone.ksk.id
 keyfile_to_key_id "$key2" >$zone.zsk.id
@ -300,8 +300,8 @@ mv $zonefile "$zonefile.signed"
 zone=hours-vs-days
 infile=hours-vs-days.db.in
 zonefile=hours-vs-days.db
-key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 $SETTIME -P sync now "$key1" >/dev/null
 cat "$infile" >"$zonefile.signed"

@ -311,8 +311,8 @@ cat "$infile" >"$zonefile.signed"
 zone=too-many-iterations
 infile=too-many-iterations.db.in
 zonefile=too-many-iterations.db
-key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
 "$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" >/dev/null 2>&1

@ -322,10 +322,10 @@ cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
 zone=lazy-ksk
 infile=lazy-ksk.db.in
 zonefile=lazy-ksk.db
-ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-ksk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+ksk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$ksk1.key" "$ksk2.key" "$ksk3.key" "$zsk.key" >"$zonefile"
 $DSFROMKEY "$ksk1.key" >"dsset-$zone."
 $DSFROMKEY "$ksk2.key" >>"dsset-$zone."
@ -364,8 +364,8 @@ rm "$rm2.private"
 zone=peer.peer-ns-spoof
 infile=peer.peer-ns-spoof.db.in
 zonefile=peer.peer-ns-spoof.db
-ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
 "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
 "$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \
@ -383,8 +383,8 @@ cp "$zonefile.stripped" "$zonefile.signed"
 zone=peer-ns-spoof
 infile=peer-ns-spoof.db.in
 zonefile=peer-ns-spoof.db
-ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
 "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1

@ -394,8 +394,8 @@ cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
 zone=dnskey-rrsigs-stripped
 infile=dnskey-rrsigs-stripped.db.in
 zonefile=dnskey-rrsigs-stripped.db
-ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
 "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
 "$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \
@ -411,8 +411,8 @@ cp "$zonefile.stripped" "$zonefile.signed"
 zone=child.ds-rrsigs-stripped
 infile=child.ds-rrsigs-stripped.db.in
 zonefile=child.ds-rrsigs-stripped.db
-ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
 "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1

@ -422,8 +422,8 @@ cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
 zone=ds-rrsigs-stripped
 infile=ds-rrsigs-stripped.db.in
 zonefile=ds-rrsigs-stripped.db
-ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
 "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
 "$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \
@ -439,7 +439,7 @@ cp "$zonefile.stripped" "$zonefile.signed"
 zone=inconsistent
 infile=inconsistent.db.in
 zonefile=inconsistent.db
-key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
 "$SIGNER" -3 - -g -o "$zone" "$zonefile" >/dev/null 2>&1
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@ -24,7 +24,7 @@ for tld in managed trusted; do
  zone=secure.${tld}
  zonefile=${zone}.db

-  keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+  keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
  cat "$infile" "$keyname1.key" >"$zonefile"
  "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null

@ -32,7 +32,7 @@ for tld in managed trusted; do
  zone=disabled.${tld}
  zonefile=${zone}.db

-  keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
+  keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" "$zone")
  cat "$infile" "$keyname2.key" >"$zonefile"
  "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null

@ -40,7 +40,7 @@ for tld in managed trusted; do
  zone=enabled.${tld}
  zonefile=${zone}.db

-  keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
+  keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" "$zone")
  cat "$infile" "$keyname3.key" >"$zonefile"
  "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null

@ -48,7 +48,7 @@ for tld in managed trusted; do
  zone=unsupported.${tld}
  zonefile=${zone}.db

-  keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+  keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
  cat "$infile" "$keyname4.key" >"$zonefile"
  "$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
  awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed
@ -61,7 +61,7 @@ for tld in managed trusted; do
  zone=revoked.${tld}
  zonefile=${zone}.db

-  keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+  keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
  cat "$infile" "$keyname5.key" >"$zonefile"
  "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null

@ -81,9 +81,9 @@ zone=secure.example.
 infile=secure.example.db.in
 zonefile=secure.example.db

-cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "cnameandkey.$zone")
-dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "cnameandkey.$zone")
+dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "dnameandkey.$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"

@ -95,7 +95,7 @@ zone=bogus.example.
 infile=bogus.example.db.in
 zonefile=bogus.example.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -105,8 +105,8 @@ zone=dynamic.example.
 infile=dynamic.example.db.in
 zonefile=dynamic.example.db

-keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")

 cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

@ -116,7 +116,7 @@ zone=keyless.example.
 infile=generic.example.db.in
 zonefile=keyless.example.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -137,7 +137,7 @@ zone=secure.nsec3.example.
 infile=secure.nsec3.example.db.in
 zonefile=secure.nsec3.example.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -150,7 +150,7 @@ zone=nsec3.nsec3.example.
 infile=nsec3.nsec3.example.db.in
 zonefile=nsec3.nsec3.example.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -163,7 +163,7 @@ zone=optout.nsec3.example.
 infile=optout.nsec3.example.db.in
 zonefile=optout.nsec3.example.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -176,7 +176,7 @@ zone=nsec3.example.
 infile=nsec3.example.db.in
 zonefile=nsec3.example.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -189,7 +189,7 @@ zone=secure.optout.example.
 infile=secure.optout.example.db.in
 zonefile=secure.optout.example.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -202,7 +202,7 @@ zone=nsec3.optout.example.
 infile=nsec3.optout.example.db.in
 zonefile=nsec3.optout.example.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -215,7 +215,7 @@ zone=optout.optout.example.
 infile=optout.optout.example.db.in
 zonefile=optout.optout.example.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -228,7 +228,7 @@ zone=optout.example.
 infile=optout.example.db.in
 zonefile=optout.example.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -241,7 +241,7 @@ zone=nsec3-unknown.example.
 infile=nsec3-unknown.example.db.in
 zonefile=nsec3-unknown.example.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -254,7 +254,7 @@ zone=optout-unknown.example.
 infile=optout-unknown.example.db.in
 zonefile=optout-unknown.example.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -268,7 +268,7 @@ zone=dnskey-unknown.example
 infile=dnskey-unknown.example.db.in
 zonefile=dnskey-unknown.example.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -287,7 +287,7 @@ zone=dnskey-unsupported.example
 infile=dnskey-unsupported.example.db.in
 zonefile=dnskey-unsupported.example.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -306,10 +306,10 @@ zone=digest-alg-unsupported.example.
 infile=digest-alg-unsupported.example.db.in
 zonefile=digest-alg-unsupported.example.db

-cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "cnameandkey.$zone")
-dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-keyname2=$("$KEYGEN" -q -a ECDSAP384SHA384 -b "$DEFAULT_BITS" -n zone "$zone")
+cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "cnameandkey.$zone")
+dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "dnameandkey.$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+keyname2=$("$KEYGEN" -q -a ECDSAP384SHA384 -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" "$keyname2.key" >"$zonefile"

@ -330,9 +330,9 @@ zone=ds-unsupported.example.
 infile=ds-unsupported.example.db.in
 zonefile=ds-unsupported.example.db

-cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "cnameandkey.$zone")
-dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "cnameandkey.$zone")
+dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "dnameandkey.$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"

@ -348,8 +348,8 @@ zone=dnskey-unsupported-2.example
 infile=dnskey-unsupported-2.example.db.in
 zonefile=dnskey-unsupported-2.example.db

-ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key >"$zonefile"

@ -363,7 +363,7 @@ zone=dnskey-nsec3-unknown.example
 infile=dnskey-nsec3-unknown.example.db.in
 zonefile=dnskey-nsec3-unknown.example.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -381,7 +381,7 @@ zone=multiple.example.
 infile=multiple.example.db.in
 zonefile=multiple.example.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -405,7 +405,7 @@ zone=rsasha256.example.
 infile=rsasha256.example.db.in
 zonefile=rsasha256.example.db

-keyname=$("$KEYGEN" -q -a RSASHA256 -n zone "$zone")
+keyname=$("$KEYGEN" -q -a RSASHA256 "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -418,7 +418,7 @@ zone=rsasha512.example.
 infile=rsasha512.example.db.in
 zonefile=rsasha512.example.db

-keyname=$("$KEYGEN" -q -a RSASHA512 -n zone "$zone")
+keyname=$("$KEYGEN" -q -a RSASHA512 "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -497,7 +497,7 @@ cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
 zone=secure.below-cname.example.
 infile=secure.below-cname.example.db.in
 zonefile=secure.below-cname.example.db
-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$keyname.key" >"$zonefile"
 "$SIGNER" -P -o "$zone" "$zonefile" >/dev/null

@ -510,7 +510,7 @@ zonefile=ttlpatch.example.db
 signedfile=ttlpatch.example.db.signed
 patchedfile=ttlpatch.example.db.patched

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$keyname.key" >"$zonefile"

 "$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" >/dev/null
@ -525,7 +525,7 @@ infile=split-dnssec.example.db.in
 zonefile=split-dnssec.example.db
 signedfile=split-dnssec.example.db.signed

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$keyname.key" >"$zonefile"
 echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
 : >"$signedfile"
@ -539,7 +539,7 @@ infile=split-smart.example.db.in
 zonefile=split-smart.example.db
 signedfile=split-smart.example.db.signed

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cp "$infile" "$zonefile"
 # shellcheck disable=SC2016
 echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
@ -613,7 +613,7 @@ zone=badds.example.
 infile=bogus.example.db.in
 zonefile=badds.example.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

@ -694,7 +694,7 @@ zonefile=occluded.example.db
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone")
 dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone")
-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -n HOST -T KEY "delegation.$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -T KEY "delegation.$zone")
 $DSFROMKEY "$dnskeyname.key" >"dsset-delegation.${zone}."
 cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
  "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile"
@ -723,7 +723,7 @@ awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" \
 zone=target.peer-ns-spoof
 infile=target.peer-ns-spoof.db.in
 zonefile=target.peer-ns-spoof.db
-ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
 "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
--- a/bin/tests/system/dnssec/ns5/sign.sh
+++ b/bin/tests/system/dnssec/ns5/sign.sh
@ -34,6 +34,6 @@ keyfile_to_initial_ds "$keyname" >revoked.conf
 "$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone >/dev/null
 "$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" >/dev/null 2>&1

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" ".")

 keyfile_to_static_ds "$keyname" >trusted.conf
--- a/bin/tests/system/dnssec/ns6/sign.sh
+++ b/bin/tests/system/dnssec/ns6/sign.sh
@ -22,7 +22,7 @@ zone=optout-tld
 infile=optout-tld.db.in
 zonefile=optout-tld.db

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname.key" >"$zonefile"

--- a/bin/tests/system/dnssec/ns7/sign.sh
+++ b/bin/tests/system/dnssec/ns7/sign.sh
@ -22,8 +22,8 @@ zone=split-rrsig
 infile=split-rrsig.db.in
 zonefile=split-rrsig.db

-k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$k1.key" "$k2.key" >"$zonefile"

--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@ -1633,9 +1633,9 @@ echo_i "check dnssec-signzone doesn't sign with prepublished zsk ($n)"
 ret=0
 zone=prepub
 # Generate keys.
-ksk=$("$KEYGEN" -K signer -f KSK -q -a $DEFAULT_ALGORITHM -n zone "$zone")
-zsk1=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM -n zone "$zone")
-zsk2=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM -n zone "$zone")
+ksk=$("$KEYGEN" -K signer -f KSK -q -a $DEFAULT_ALGORITHM "$zone")
+zsk1=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone")
+zsk2=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone")
 zskid1=$(keyfile_to_key_id "$zsk1")
 zskid2=$(keyfile_to_key_id "$zsk2")
 (
@ -1714,7 +1714,7 @@ echo_i "checking that a DS record cannot be generated for a key using an unsuppo
 ret=0
 zone=example
 # Fake an unsupported algorithm key
-unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key >${unsupportedkey}.tmp
 mv ${unsupportedkey}.tmp ${unsupportedkey}.key
 # If dnssec-dsfromkey fails, the test script will exit immediately.  Prevent
@ -1742,8 +1742,8 @@ status=$((status + ret))
 echo_i "checking that we can sign a zone with out-of-zone records ($n)"
 ret=0
 zone=example
-key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
-key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
 (
  cd signer || exit 1
  cat example.db.in "$key1.key" "$key2.key" >example.db
@ -1756,8 +1756,8 @@ status=$((status + ret))
 echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)"
 ret=0
 zone=example
-key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
-key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
 (
  cd signer || exit 1
  cat example.db.in "$key1.key" "$key2.key" >example.db
@ -1781,8 +1781,8 @@ status=$((status + ret))
 echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)"
 ret=0
 zone=example
-key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
-key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
 (
  cd signer || exit 1
  cat example.db.in "$key1.key" "$key2.key" >example3.db
@ -1807,8 +1807,8 @@ status=$((status + ret))
 echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)"
 ret=0
 zone=example
-key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
-key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
 (
  cd signer || exit 1
  cat example.db.in "$key1.key" "$key2.key" >example.db
@ -1824,10 +1824,10 @@ status=$((status + ret))
 echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)"
 ret=0
 zone=example
-key1=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
-key2=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
+key1=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
 keyid2=$(keyfile_to_key_id "$key2")
-key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
+key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
 keyid3=$(keyfile_to_key_id "$key3")
 (
  cd signer || exit 1
@ -3491,13 +3491,13 @@ until test $alg -eq 256; do
      continue
      ;;
    1 | 5 | 7 | 8 | 10) # RSA algorithms
-      key1=$($KEYGEN -a "$alg" -b "2048" -n zone "$zone" 2>"keygen-$alg.err" || true)
+      key1=$($KEYGEN -a "$alg" -b "2048" "$zone" 2>"keygen-$alg.err" || true)
      ;;
    15 | 16)
-      key1=$($KEYGEN -a "$alg" -n zone "$zone" 2>"keygen-$alg.err" || true)
+      key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true)
      ;;
    *)
-      key1=$($KEYGEN -a "$alg" -n zone "$zone" 2>"keygen-$alg.err" || true)
+      key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true)
      ;;
  esac
  if grep "unsupported algorithm" "keygen-$alg.err" >/dev/null; then
@ -4264,7 +4264,7 @@ test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))

 # Roll the ZSK.
-zsk2=$("$KEYGEN" -q -P none -A none -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
+zsk2=$("$KEYGEN" -q -P none -A none -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 "$zone")
 keyfile_to_key_id "$zsk2" >ns2/$zone.zsk.id2
 ZSK_ID2=$(cat ns2/$zone.zsk.id2)
 ret=0
@ -4360,7 +4360,7 @@ mv ns2/$KSK.key.bak ns2/$KSK.key
 mv ns2/$KSK.private.bak ns2/$KSK.private

 # Roll the ZSK again.
-zsk3=$("$KEYGEN" -q -P none -A none -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
+zsk3=$("$KEYGEN" -q -P none -A none -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 "$zone")
 ret=0
 keyfile_to_key_id "$zsk3" >ns2/$zone.zsk.id3
 ZSK_ID3=$(cat ns2/$zone.zsk.id3)
@ -4616,8 +4616,8 @@ status=$((status + ret))
 echo_i "check that dnssec-keygen honours key tag ranges ($n)"
 ret=0
 zone=settagrange
-ksk=$("$KEYGEN" -f KSK -q -a $DEFAULT_ALGORITHM -n zone -M 0:32767 "$zone")
-zsk=$("$KEYGEN" -q -a $DEFAULT_ALGORITHM -n zone -M 32768:65535 "$zone")
+ksk=$("$KEYGEN" -f KSK -q -a $DEFAULT_ALGORITHM -M 0:32767 "$zone")
+zsk=$("$KEYGEN" -q -a $DEFAULT_ALGORITHM -M 32768:65535 "$zone")
 kid=$(keyfile_to_key_id "$ksk")
 zid=$(keyfile_to_key_id "$zsk")
 [ $kid -ge 0 -a $kid -le 32767 ] || ret=1
--- a/bin/tests/system/dsdigest/ns1/sign.sh
+++ b/bin/tests/system/dsdigest/ns1/sign.sh
@ -22,8 +22,8 @@ zonefile=root.db
 cp ../ns2/dsset-good. .
 cp ../ns2/dsset-bad. .

-key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)

 cat $infile $key1.key $key2.key >$zonefile

--- a/bin/tests/system/dsdigest/ns2/sign.sh
+++ b/bin/tests/system/dsdigest/ns2/sign.sh
@ -20,10 +20,10 @@ zone2=bad
 infile2=bad.db.in
 zonefile2=bad.db

-keyname11=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone1)
-keyname12=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone1)
-keyname21=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone2)
-keyname22=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone2)
+keyname11=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone1)
+keyname12=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone1)
+keyname21=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone2)
+keyname22=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone2)

 cat $infile1 $keyname11.key $keyname12.key >$zonefile1
 cat $infile2 $keyname21.key $keyname22.key >$zonefile2
--- a/bin/tests/system/ecdsa/ns1/sign.sh
+++ b/bin/tests/system/ecdsa/ns1/sign.sh
@ -24,15 +24,15 @@ echo_i "ns1/sign.sh"
 cp $infile $zonefile

 if [ $ECDSAP256SHA256_SUPPORTED = 1 ]; then
-  zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone")
-  ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone")
+  zsk256=$($KEYGEN -q -a ECDSA256 "$zone")
+  ksk256=$($KEYGEN -q -a ECDSA256 -f KSK "$zone")
  cat "$ksk256.key" "$zsk256.key" >>"$zonefile"
  $DSFROMKEY -a sha-256 "$ksk256.key" >>dsset-256
 fi

 if [ $ECDSAP384SHA384_SUPPORTED = 1 ]; then
-  zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone")
-  ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone")
+  zsk384=$($KEYGEN -q -a ECDSA384 "$zone")
+  ksk384=$($KEYGEN -q -a ECDSA384 -f KSK "$zone")
  cat "$ksk384.key" "$zsk384.key" >>"$zonefile"
  $DSFROMKEY -a sha-256 "$ksk384.key" >>dsset-256
 fi
--- a/bin/tests/system/eddsa/ns1/sign.sh
+++ b/bin/tests/system/eddsa/ns1/sign.sh
@ -24,15 +24,15 @@ echo_i "ns1/sign.sh"
 cp $infile $zonefile

 if [ $ED25519_SUPPORTED = 1 ]; then
-  zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone")
-  ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone")
+  zsk25519=$($KEYGEN -q -a ED25519 "$zone")
+  ksk25519=$($KEYGEN -q -a ED25519 -f KSK "$zone")
  cat "$ksk25519.key" "$zsk25519.key" >>"$zonefile"
  $DSFROMKEY -a sha-256 "$ksk25519.key" >>dsset-256
 fi

 if [ $ED448_SUPPORTED = 1 ]; then
-  zsk448=$($KEYGEN -q -a ED448 -n zone "$zone")
-  ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone")
+  zsk448=$($KEYGEN -q -a ED448 "$zone")
+  ksk448=$($KEYGEN -q -a ED448 -f KSK "$zone")
  cat "$ksk448.key" "$zsk448.key" >>"$zonefile"
  $DSFROMKEY -a sha-256 "$ksk448.key" >>dsset-256
 fi
--- a/bin/tests/system/forward/ns1/sign.sh
+++ b/bin/tests/system/forward/ns1/sign.sh
@ -22,8 +22,8 @@ zonefile=root.db

 echo_i "ns1/sign.sh"

-ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"

--- a/bin/tests/system/glue/ns1/sign.sh
+++ b/bin/tests/system/glue/ns1/sign.sh
@ -21,7 +21,7 @@ zonefile=tc-test-signed.db
 # been carefully chosen to ensure that the signed referral response checked in
 # the test will be around 512 bytes in size with glue records excluded.  Please
 # keep this in mind when updating signing algorithms used in system tests.
-keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
+keyname=$($KEYGEN -q -a RSASHA256 -b 2048 $zone)
 cat "$infile" "$keyname.key" >"$zonefile"

 $SIGNER -P -o $zone $zonefile >/dev/null
--- a/bin/tests/system/inline/ns1/sign.sh
+++ b/bin/tests/system/inline/ns1/sign.sh
@ -16,8 +16,8 @@
 zone=.
 rm -f K.+*+*.key
 rm -f K.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)
 $SIGNER -S -x -T 1200 -o ${zone} root.db >signer.out
 [ $? = 0 ] || cat signer.out

--- a/bin/tests/system/inline/ns3/sign.sh
+++ b/bin/tests/system/inline/ns3/sign.sh
@ -14,43 +14,43 @@
 . ../../conf.sh

 # Fake an unsupported key
-unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone unsupported)
+unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" unsupported)
 awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key >${unsupportedkey}.tmp
 mv ${unsupportedkey}.tmp ${unsupportedkey}.key

 zone=bits
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >>../ns1/root.db

 zone=noixfr
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >>../ns1/root.db

 zone=primary
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >>../ns1/root.db

 zone=dynamic
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >>../ns1/root.db

 zone=updated
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -L 3600 -n zone $zone)
-ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -L 3600 -n zone -f KSK $zone)
+zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -L 3600 $zone)
+ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -L 3600 -f KSK $zone)
 $SETTIME -s -g OMNIPRESENT -k RUMOURED now -z RUMOURED now "$zsk" >settime.out.updated.1 2>&1
 $SETTIME -s -g OMNIPRESENT -k RUMOURED now -r RUMOURED now -d HIDDEN now "$ksk" >settime.out.updated.2 2>&1
 $DSFROMKEY -T 1200 $ksk >>../ns1/root.db
@ -61,53 +61,53 @@ cp primary2.db.in updated.db
 zone=expired
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >>../ns1/root.db
 $SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db >/dev/null

 zone=retransfer
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >>../ns1/root.db

 zone=nsec3
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >>../ns1/root.db

 zone=delayedkeys
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)
 # Keys for the "delayedkeys" zone should not be initially accessible.
 mv K${zone}.+*+*.* ../

 zone=removedkeys-primary
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)

 zone=removedkeys-secondary
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)

 for s in a c d h k l m q z; do
  zone=test-$s
-  keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+  keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
 done

 for s in b f i o p t v; do
  zone=test-$s
-  keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-  keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+  keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+  keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)
 done

 zone=externalkey
@ -116,10 +116,10 @@ rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private

 for alg in ${DEFAULT_ALGORITHM} ${ALTERNATIVE_ALGORITHM}; do
-  k1=$($KEYGEN -q -a $alg -n zone -f KSK $zone)
-  k2=$($KEYGEN -q -a $alg -n zone $zone)
-  k3=$($KEYGEN -q -a $alg -n zone $zone)
-  k4=$($KEYGEN -q -a $alg -n zone -f KSK $zone)
+  k1=$($KEYGEN -q -a $alg -f KSK $zone)
+  k2=$($KEYGEN -q -a $alg $zone)
+  k3=$($KEYGEN -q -a $alg $zone)
+  k4=$($KEYGEN -q -a $alg -f KSK $zone)
  $DSFROMKEY -T 1200 $k4 >>../ns1/root.db

  cat $k1.key $k2.key >>$zonefile
--- a/bin/tests/system/inline/ns7/sign.sh
+++ b/bin/tests/system/inline/ns7/sign.sh
@ -19,6 +19,6 @@
 zone=nsec3-loop
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a RSASHA256 -b 4096 -n zone $zone)
-keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
-keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone -f KSK $zone)
+keyname=$($KEYGEN -q -a RSASHA256 -b 4096 $zone)
+keyname=$($KEYGEN -q -a RSASHA256 -b 2048 $zone)
+keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -f KSK $zone)
--- a/bin/tests/system/inline/ns8/sign.sh
+++ b/bin/tests/system/inline/ns8/sign.sh
@ -19,8 +19,8 @@ for zone in example01.com example02.com example03.com example04.com \
  example13.com example14.com example15.com example16.com; do
  rm -f K${zone}.+*+*.key
  rm -f K${zone}.+*+*.private
-  keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone)
-  keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone)
+  keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone)
+  keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -f KSK $zone)
  cp example.com.db.in ${zone}.db
  $SIGNER -S -T 3600 -O raw -L 2000042407 -o ${zone} ${zone}.db >/dev/null 2>&1
 done
@ -28,7 +28,7 @@ done
 for zone in example unsigned-serial-test; do
  rm -f K${zone}.+*+*.key
  rm -f K${zone}.+*+*.private
-  keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone)
-  keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone)
+  keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone)
+  keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -f KSK $zone)
  cp example.db.in ${zone}.db
 done
--- a/bin/tests/system/legacy/ns6/sign.sh
+++ b/bin/tests/system/legacy/ns6/sign.sh
@ -20,8 +20,8 @@ infile=edns512.db.in
 zonefile=edns512.db
 outfile=edns512.db.signed

-keyname1=$($KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2>/dev/null)
-keyname2=$($KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2>/dev/null)
+keyname1=$($KEYGEN -a RSASHA512 -b 4096 $zone 2>/dev/null)
+keyname2=$($KEYGEN -f KSK -a RSASHA512 -b 4096 $zone 2>/dev/null)

 cat $infile $keyname1.key $keyname2.key >$zonefile

--- a/bin/tests/system/legacy/ns7/sign.sh
+++ b/bin/tests/system/legacy/ns7/sign.sh
@ -20,8 +20,8 @@ infile=edns512-notcp.db.in
 zonefile=edns512-notcp.db
 outfile=edns512-notcp.db.signed

-keyname1=$($KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2>/dev/null)
-keyname2=$($KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2>/dev/null)
+keyname1=$($KEYGEN -a RSASHA512 -b 4096 $zone 2>/dev/null)
+keyname2=$($KEYGEN -f KSK -a RSASHA512 -b 4096 $zone 2>/dev/null)

 cat $infile $keyname1.key $keyname2.key >$zonefile

--- a/bin/tests/system/nsupdate/ns3/sign.sh
+++ b/bin/tests/system/nsupdate/ns3/sign.sh
@ -17,8 +17,8 @@ zone=nsec3param.test.
 infile=nsec3param.test.db.in
 zonefile=nsec3param.test.db

-keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)

 cat $infile $keyname1.key $keyname2.key >$zonefile

@ -28,8 +28,8 @@ zone=dnskey.test.
 infile=dnskey.test.db.in
 zonefile=dnskey.test.db

-keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)

 cat $infile $keyname1.key $keyname2.key >$zonefile

--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@ -445,7 +445,7 @@ grep "mx03.update.nil/MX:.*MX is an address" ns1/named.run >/dev/null 2>&1 || re

 ret=0
 echo_i "check SIG(0) key is accepted"
-key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -T KEY -n ENTITY xxx)
+key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -T KEY xxx)
 echo "" | $NSUPDATE -k ${key}.private >/dev/null 2>&1 || ret=1
 [ $ret = 0 ] || {
  echo_i "failed"
--- a/bin/tests/system/pending/ns1/sign.sh
+++ b/bin/tests/system/pending/ns1/sign.sh
@ -22,8 +22,8 @@ zonefile=root.db
 cp ../ns2/dsset-example. .
 cp ../ns2/dsset-example.com. .

-keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone)
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)
 cat $infile $keyname1.key $keyname2.key >$zonefile

 $SIGNER -g -o $zone $zonefile >/dev/null
--- a/bin/tests/system/pending/ns2/sign.sh
+++ b/bin/tests/system/pending/ns2/sign.sh
@ -18,8 +18,8 @@ for domain in example example.com; do
  infile=${domain}.db.in
  zonefile=${domain}.db

-  keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-  keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone)
+  keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+  keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)

  cat $infile $keyname1.key $keyname2.key >$zonefile

--- a/bin/tests/system/rootkeysentinel/ns1/sign.sh
+++ b/bin/tests/system/rootkeysentinel/ns1/sign.sh
@ -17,7 +17,7 @@ zone=.
 infile=root.db.in
 zonefile=root.db

-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
 keyid=$(expr ${keyname} : 'K.+[0-9][0-9][0-9]+\(.*\)')

 (cd ../ns2 && $SHELL sign.sh ${keyid:-00000})
--- a/bin/tests/system/rootkeysentinel/ns2/sign.sh
+++ b/bin/tests/system/rootkeysentinel/ns2/sign.sh
@ -22,8 +22,8 @@ zone=example.
 infile=example.db.in
 zonefile=example.db

-keyname1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone)
-keyname2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone)
+keyname1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone)
+keyname2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone)

 cat $infile $keyname1.key $keyname2.key >$zonefile
 echo root-key-sentinel-is-ta-$oldid A 10.53.0.1 >>$zonefile
--- a/bin/tests/system/rsabigexponent/ns1/sign.sh
+++ b/bin/tests/system/rsabigexponent/ns1/sign.sh
@ -19,7 +19,7 @@ zonefile=root.db

 cp ../ns2/dsset-example.in dsset-example.

-keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
+keyname=$($KEYGEN -q -a RSASHA256 -b 2048 $zone)

 cat $infile $keyname.key >$zonefile

--- a/bin/tests/system/sfcache/ns1/sign.sh
+++ b/bin/tests/system/sfcache/ns1/sign.sh
@ -24,7 +24,7 @@ zonefile=root.db

 cp "../ns2/dsset-example." .

-keyname=$($KEYGEN -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone $zone)
+keyname=$($KEYGEN -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" $zone)

 cat "$infile" "$keyname.key" >"$zonefile"

--- a/bin/tests/system/sfcache/ns2/sign.sh
+++ b/bin/tests/system/sfcache/ns2/sign.sh
@ -20,8 +20,8 @@ zone=example.
 infile=example.db.in
 zonefile=example.db

-keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

 cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

--- a/bin/tests/system/sfcache/ns5/sign.sh
+++ b/bin/tests/system/sfcache/ns5/sign.sh
@ -16,6 +16,6 @@

 set -e

-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" ".")

 keyfile_to_static_ds "$keyname" >trusted.conf
--- a/bin/tests/system/staticstub/ns3/sign.sh
+++ b/bin/tests/system/staticstub/ns3/sign.sh
@ -21,8 +21,8 @@ zonefile=example.db

 cp ../ns4/dsset-sub.example. .

-keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone)
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)
 cat $infile $keyname1.key $keyname2.key >$zonefile

 $SIGNER -g -o $zone $zonefile >/dev/null
@ -33,8 +33,8 @@ keyfile_to_static_ds $keyname2 >trusted.conf
 zone=undelegated
 infile=undelegated.db.in
 zonefile=undelegated.db
-keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone)
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)
 cat $infile $keyname1.key $keyname2.key >$zonefile

 $SIGNER -g -o $zone $zonefile >/dev/null
--- a/bin/tests/system/staticstub/ns4/sign.sh
+++ b/bin/tests/system/staticstub/ns4/sign.sh
@ -17,8 +17,8 @@ zone=sub.example
 infile=${zone}.db.in
 zonefile=${zone}.db

-keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone)
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)

 cat $infile $keyname1.key $keyname2.key >$zonefile

--- a/bin/tests/system/synthfromdnssec/ns1/sign.sh
+++ b/bin/tests/system/synthfromdnssec/ns1/sign.sh
@ -18,7 +18,7 @@ zone=example
 infile=example.db.in
 zonefile=example.db

-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
 cat "$infile" "$keyname.key" >"$zonefile"
 echo insecure NS ns1.insecure >>"$zonefile"
 echo ns1.insecure A 10.53.0.1 >>"$zonefile"
@ -29,7 +29,7 @@ zone=insecure.example
 infile=example.db.in
 zonefile=insecure.example.db

-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
 cat "$infile" "$keyname.key" >"$zonefile"

 $SIGNER -P -o $zone $zonefile >/dev/null
@ -38,7 +38,7 @@ zone=dnamed
 infile=dnamed.db.in
 zonefile=dnamed.db

-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
 cat "$infile" "$keyname.key" >"$zonefile"

 $SIGNER -P -o $zone $zonefile >/dev/null
@ -47,7 +47,7 @@ zone=minimal
 infile=minimal.db.in
 zonefile=minimal.db

-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
 cat "$infile" "$keyname.key" >"$zonefile"

 # do not regenerate NSEC chain as there in a minimal NSEC record present
@ -57,7 +57,7 @@ zone=soa-without-dnskey
 infile=soa-without-dnskey.db.in
 zonefile=soa-without-dnskey.db

-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
 cat "$infile" "$keyname.key" >"$zonefile"

 # do not regenerate NSEC chain as there in a minimal NSEC record present
@ -67,7 +67,7 @@ zone=.
 infile=root.db.in
 zonefile=root.db

-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
 cat "$infile" "$keyname.key" >"$zonefile"

 $SIGNER -P -g -o $zone $zonefile >/dev/null
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
@ -245,7 +245,7 @@ fi

 echo_i "check that dnssec-keygen won't generate TSIG keys"
 ret=0
-$KEYGEN -a hmac-sha256 -b 128 -n host example.net >keygen.out3 2>&1 && ret=1
+$KEYGEN -a hmac-sha256 -b 128 example.net >keygen.out3 2>&1 && ret=1
 grep "unknown algorithm" keygen.out3 >/dev/null || ret=1

 echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
--- a/bin/tests/system/tsiggss/setup.sh
+++ b/bin/tests/system/tsiggss/setup.sh
@ -15,5 +15,5 @@

 copy_setports ns1/named.conf.in ns1/named.conf

-key=$($KEYGEN -Cq -K ns1 -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n HOST -T KEY key.example.nil.)
+key=$($KEYGEN -Cq -K ns1 -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -T KEY key.example.nil.)
 cat ns1/example.nil.db.in ns1/${key}.key >ns1/example.nil.db
--- a/bin/tests/system/upforwd/setup.sh
+++ b/bin/tests/system/upforwd/setup.sh
@ -35,7 +35,7 @@ fi
 #
 # SIG(0) requires cryptographic support which may not be configured.
 #
-keyname=$($KEYGEN -q -n HOST -a ${DEFAULT_ALGORITHM} -T KEY sig0.example2 2>keyname.err)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -T KEY sig0.example2 2>keyname.err)
 if test -n "$keyname"; then
  cat ns1/example1.db $keyname.key >ns1/example2.db
  echo $keyname >keyname
@ -46,7 +46,7 @@ cat_i <keyname.err

 cat ns1/example1.db >ns1/example2-toomanykeys.db
 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17; do
-  keyname=$($KEYGEN -q -n HOST -a ${DEFAULT_ALGORITHM} -T KEY sig0.example2-toomanykeys 2>/dev/null)
+  keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -T KEY sig0.example2-toomanykeys 2>/dev/null)
  if test -n "$keyname"; then
    cat $keyname.key >>ns1/example2-toomanykeys.db
    echo $keyname >keyname$i
--- a/bin/tests/system/wildcard/ns1/sign.sh
+++ b/bin/tests/system/wildcard/ns1/sign.sh
@ -26,8 +26,8 @@ zonefile=nsec.db
 outfile=nsec.db.signed
 dssets="$dssets dsset-${zone}."

-keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null)
-keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null)
+keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null)
+keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null)

 cat $infile $keyname1.key $keyname2.key >$zonefile

@ -39,8 +39,8 @@ infile=private.nsec.db.in
 zonefile=private.nsec.db
 outfile=private.nsec.db.signed

-keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null)
-keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null)
+keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null)
+keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null)

 cat $infile $keyname1.key $keyname2.key >$zonefile

@ -55,8 +55,8 @@ zonefile=nsec3.db
 outfile=nsec3.db.signed
 dssets="$dssets dsset-${zone}."

-keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null)
-keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null)
+keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null)
+keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null)

 cat $infile $keyname1.key $keyname2.key >$zonefile

@ -68,8 +68,8 @@ infile=private.nsec3.db.in
 zonefile=private.nsec3.db
 outfile=private.nsec3.db.signed

-keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null)
-keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null)
+keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null)
+keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null)

 cat $infile $keyname1.key $keyname2.key >$zonefile

@ -83,8 +83,8 @@ infile=root.db.in
 zonefile=root.db
 outfile=root.db.signed

-keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null)
-keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null)
+keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null)
+keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null)

 cat $infile $keyname1.key $keyname2.key $dssets >$zonefile