Increase minimum RSA keygen size to 1024 bits (#36895)

dd7d1df8 · Mukund Sivaraman · f5c39b07 · dd7d1df8 · dd7d1df8 · dd7d1df8
Commit dd7d1df8 authored Apr 21, 2017 by Mukund Sivaraman
60 changed files
--- a/CHANGES
+++ b/CHANGES
+4595.	[func]		dnssec-keygen will no longer generate RSA keys
+			less than 1024 bits in length. dnssec-keymgr
+			was similarly updated. [RT #36895]
+
 4594.	[func]		"dnstap-read -x" prints a hex dump of the wire
 			format of each logged DNS message. [RT #44816]


--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -89,10 +89,10 @@ usage(void) {
 			       "NSEC3RSASHA1 if using -3)\n");
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
 	fprintf(stderr, "    -b <key size in bits>:\n");
-	fprintf(stderr, "        RSAMD5:\t[512..%d]\n", MAX_RSA);
-	fprintf(stderr, "        RSASHA1:\t[512..%d]\n", MAX_RSA);
-	fprintf(stderr, "        NSEC3RSASHA1:\t[512..%d]\n", MAX_RSA);
-	fprintf(stderr, "        RSASHA256:\t[512..%d]\n", MAX_RSA);
+	fprintf(stderr, "        RSAMD5:\t[1024..%d]\n", MAX_RSA);
+	fprintf(stderr, "        RSASHA1:\t[1024..%d]\n", MAX_RSA);
+	fprintf(stderr, "        NSEC3RSASHA1:\t[1024..%d]\n", MAX_RSA);
+	fprintf(stderr, "        RSASHA256:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        RSASHA512:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        DH:\t\t[128..4096]\n");
 	fprintf(stderr, "        DSA:\t\t[512..1024] and divisible by 64\n");
@@ -748,7 +748,7 @@ main(int argc, char **argv) {
 	case DNS_KEYALG_RSASHA1:
 	case DNS_KEYALG_NSEC3RSASHA1:
 	case DNS_KEYALG_RSASHA256:
-		if (size != 0 && (size < 512 || size > MAX_RSA))
+		if (size != 0 && (size < 1024 || size > MAX_RSA))
 			fatal("RSA key size %d out of range", size);
 		break;
 	case DNS_KEYALG_RSASHA512:

--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -144,7 +144,7 @@
 	  <para>
 	    Specifies the number of bits in the key.  The choice of key
 	    size depends on the algorithm used.  RSA keys must be
-	    between 512 and 2048 bits.  Diffie Hellman keys must be between
+	    between 1024 and 2048 bits.  Diffie Hellman keys must be between
 	    128 and 4096 bits.  DSA keys must be between 512 and 1024
 	    bits and an exact multiple of 64.  HMAC keys must be
 	    between 1 and 512 bits. Elliptic curve algorithms don't need

--- a/bin/python/isc/policy.py.in
+++ b/bin/python/isc/policy.py.in
@@ -131,11 +131,11 @@ class Policy:
    directory = None
    valid_key_sz_per_algo = {'DSA': [512, 1024],
                             'NSEC3DSA': [512, 1024],
-                             'RSAMD5': [512, 4096],
-                             'RSASHA1': [512, 4096],
+                             'RSAMD5': [1024, 4096],
+                             'RSASHA1': [1024, 4096],
                             'NSEC3RSASHA1': [512, 4096],
-                             'RSASHA256': [512, 4096],
-                             'RSASHA512': [512, 4096],
+                             'RSASHA256': [1024, 4096],
+                             'RSASHA512': [1024, 4096],
                             'ECCGOST': None,
                             'ECDSAP256SHA256': None,
                             'ECDSAP384SHA384': None}

--- a/bin/tests/system/autosign/setup.sh
+++ b/bin/tests/system/autosign/setup.sh
@@ -11,7 +11,7 @@ SYSTEMTESTTOP=..

 . ./clean.sh

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE

 echo "I:generating keys and preparing zones"
 cd ns1 && $SHELL keygen.sh
--- a/bin/tests/system/dlv/setup.sh
+++ b/bin/tests/system/dlv/setup.sh
@@ -9,6 +9,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE

 (cd ns1 && $SHELL -e sign.sh)
--- a/bin/tests/system/dlvauto/ns1/sign.sh
+++ b/bin/tests/system/dlvauto/ns1/sign.sh
@@ -13,7 +13,7 @@ zone=dlv.isc.org
 infile=dlv.isc.org.db.in
 zonefile=dlv.isc.org.db

-dlvkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+dlvkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
 cat $infile $dlvkey.key > $zonefile
 $SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null

@@ -21,7 +21,7 @@ zone=.
 infile=root.db.in
 zonefile=root.db

-rootkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+rootkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
 cat $infile $rootkey.key > $zonefile
 $SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null


--- a/bin/tests/system/dlvauto/setup.sh
+++ b/bin/tests/system/dlvauto/setup.sh
@@ -11,6 +11,6 @@ SYSTEMTESTTOP=..

 $SHELL clean.sh 

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE

 cd ns1 && $SHELL sign.sh
--- a/bin/tests/system/dlzexternal/setup.sh
+++ b/bin/tests/system/dlzexternal/setup.sh
@@ -9,6 +9,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE

 $DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
--- a/bin/tests/system/dns64/setup.sh
+++ b/bin/tests/system/dns64/setup.sh
@@ -11,6 +11,6 @@ SYSTEMTESTTOP=..

 $SHELL clean.sh

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE

 cd ns1 && $SHELL sign.sh
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -24,7 +24,7 @@ cp ../ns2/dsset-in-addr.arpa$TP .
 grep "8 [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP
 cp ../ns6/dsset-optout-tld$TP .

-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`

 cat $infile $keyname.key > $zonefile


--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -98,7 +98,7 @@ privzone=private.secure.example.
 privinfile=private.secure.example.db.in
 privzonefile=private.secure.example.db

-privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone`
+privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $privzone`

 cat $privinfile $privkeyname.key >$privzonefile

@@ -112,7 +112,7 @@ dlvinfile=dlv.db.in
 dlvzonefile=dlv.db
 dlvsetfile=dlvset-`echo $privzone |sed -e "s/\.$//g"`$TP

-dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone`
+dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $dlvzone`

 cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile


--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -13,9 +13,9 @@ zone=secure.example.
 infile=secure.example.db.in
 zonefile=secure.example.db

-cnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host cnameandkey.$zone`
-dnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host dnameandkey.$zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+cnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 1024 -n host cnameandkey.$zone`
+dnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 1024 -n host dnameandkey.$zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`

 cat $infile $cnameandkey.key $dnameandkey.key $keyname.key >$zonefile

@@ -25,7 +25,7 @@ zone=bogus.example.
 infile=bogus.example.db.in
 zonefile=bogus.example.db

-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile

@@ -35,7 +35,7 @@ zone=dynamic.example.
 infile=dynamic.example.db.in
 zonefile=dynamic.example.db

-keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
 keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`

 cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -46,7 +46,7 @@ zone=keyless.example.
 infile=generic.example.db.in
 zonefile=keyless.example.db

-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile

@@ -66,7 +66,7 @@ zone=secure.nsec3.example.
 infile=secure.nsec3.example.db.in
 zonefile=secure.nsec3.example.db

-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile

@@ -79,7 +79,7 @@ zone=nsec3.nsec3.example.
 infile=nsec3.nsec3.example.db.in
 zonefile=nsec3.nsec3.example.db

-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile

@@ -92,7 +92,7 @@ zone=optout.nsec3.example.
 infile=optout.nsec3.example.db.in
 zonefile=optout.nsec3.example.db

-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile

@@ -105,7 +105,7 @@ zone=nsec3.example.
 infile=nsec3.example.db.in
 zonefile=nsec3.example.db

-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile

@@ -118,7 +118,7 @@ zone=secure.optout.example.
 infile=secure.optout.example.db.in
 zonefile=secure.optout.example.db

-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile

@@ -131,7 +131,7 @@ zone=nsec3.optout.example.
 infile=nsec3.optout.example.db.in
 zonefile=nsec3.optout.example.db

-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile

@@ -144,7 +144,7 @@ zone=optout.optout.example.
 infile=optout.optout.example.db.in
 zonefile=optout.optout.example.db

-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile

@@ -157,7 +157,7 @@ zone=optout.example.
 infile=optout.example.db.in
 zonefile=optout.example.db

-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile

@@ -170,7 +170,7 @@ zone=nsec3-unknown.example.
 infile=nsec3-unknown.example.db.in
 zonefile=nsec3-unknown.example.db

-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile

@@ -183,7 +183,7 @@ zone=optout-unknown.example.
 infile=optout-unknown.example.db.in
 zonefile=optout-unknown.example.db

-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile

@@ -197,7 +197,7 @@ zone=dnskey-unknown.example.
 infile=dnskey-unknown.example.db.in
 zonefile=dnskey-unknown.example.db

-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile

@@ -216,7 +216,7 @@ zone=dnskey-nsec3-unknown.example.
 infile=dnskey-nsec3-unknown.example.db.in
 zonefile=dnskey-nsec3-unknown.example.db

-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile

@@ -234,7 +234,7 @@ zone=multiple.example.
 infile=multiple.example.db.in
 zonefile=multiple.example.db

-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile

@@ -257,7 +257,7 @@ zone=rsasha256.example.
 infile=rsasha256.example.db.in
 zonefile=rsasha256.example.db

-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile

@@ -362,7 +362,7 @@ zonefile=ttlpatch.example.db
 signedfile=ttlpatch.example.db.signed
 patchedfile=ttlpatch.example.db.patched

-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 cat $infile $keyname.key >$zonefile

 $SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1
@@ -377,7 +377,7 @@ infile=split-dnssec.example.db.in
 zonefile=split-dnssec.example.db
 signedfile=split-dnssec.example.db.signed

-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 cat $infile $keyname.key >$zonefile
 echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
 : > $signedfile
@@ -391,7 +391,7 @@ infile=split-smart.example.db.in
 zonefile=split-smart.example.db
 signedfile=split-smart.example.db.signed

-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 cp $infile $zonefile
 echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
 : > $signedfile
@@ -495,7 +495,7 @@ zone=badds.example.
 infile=bogus.example.db.in
 zonefile=badds.example.db

-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile


--- a/bin/tests/system/dnssec/ns6/sign.sh
+++ b/bin/tests/system/dnssec/ns6/sign.sh
@@ -15,7 +15,7 @@ zone=optout-tld
 infile=optout-tld.db.in
 zonefile=optout-tld.db

-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`

 cat $infile $keyname.key >$zonefile


--- a/bin/tests/system/dnssec/ns7/sign.sh
+++ b/bin/tests/system/dnssec/ns7/sign.sh
@@ -15,8 +15,8 @@ zone=split-rrsig
 infile=split-rrsig.db.in
 zonefile=split-rrsig.db

-k1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
-k2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
+k1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
+k2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`

 cat $infile $k1.key $k2.key >$zonefile


--- a/bin/tests/system/dnssec/setup.sh
+++ b/bin/tests/system/dnssec/setup.sh
@@ -11,7 +11,7 @@ SYSTEMTESTTOP=..

 $SHELL clean.sh 

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE

 cd ns1 && $SHELL sign.sh


--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -2938,16 +2938,23 @@ until test $alg = 256
 do
 	size=
 	case $alg in
-	1) size="-b 512";;
+	1) # RSA/MD5
+	   size="-b 1024";;
 	2) # Diffie Helman
 	   alg=`expr $alg + 1`
 	   continue;;
-	3) size="-b 512";;
-	5) size="-b 512";;
-	6) size="-b 512";;
-	7) size="-b 512";;
-	8) size="-b 512";;
-	10) size="-b 1024";;
+	3) # DSA/SHA1
+	   size="-b 512";;
+	5) # RSA/SHA-1
+	   size="-b 1024";;
+	6) # DSA-NSEC3-SHA1
+	   size="-b 512";;
+	7) # RSASHA1-NSEC3-SHA1
+	   size="-b 1024";;
+	8) # RSA/SHA-256
+	   size="-b 1024";;
+	10) # RSA/SHA-512
+	   size="-b 1024";;
 	157|160|161|162|163|164|165) # private - non standard
 	   alg=`expr $alg + 1`
 	   continue;;

--- a/bin/tests/system/dsdigest/setup.sh
+++ b/bin/tests/system/dsdigest/setup.sh
@@ -9,6 +9,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE

 cd ns1 && $SHELL sign.sh
--- a/bin/tests/system/ecdsa/setup.sh
+++ b/bin/tests/system/ecdsa/setup.sh
@@ -9,6 +9,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE

 cd ns1 && $SHELL sign.sh
--- a/bin/tests/system/filter-aaaa/setup.sh
+++ b/bin/tests/system/filter-aaaa/setup.sh
@@ -11,7 +11,7 @@ SYSTEMTESTTOP=..

 $SHELL clean.sh

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE

 cp ns1/named1.conf ns1/named.conf
 cp ns2/named1.conf ns2/named.conf

--- a/bin/tests/system/gost/setup.sh
+++ b/bin/tests/system/gost/setup.sh
@@ -9,6 +9,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE

 cd ns1 && $SHELL sign.sh
--- a/bin/tests/system/inline/ns1/sign.sh
+++ b/bin/tests/system/inline/ns1/sign.sh
@@ -14,7 +14,7 @@ SYSTEMTESTTOP=../..
 zone=.
 rm -f K.+*+*.key
 rm -f K.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out 2>&1
 [ $? = 0 ] || cat signer.out

--- a/bin/tests/system/inline/ns3/sign.sh
+++ b/bin/tests/system/inline/ns3/sign.sh
@@ -12,35 +12,35 @@ SYSTEMTESTTOP=../..
 zone=bits
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db

 zone=noixfr
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db

 zone=master
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db

 zone=dynamic
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db

 zone=updated
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 $SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
@@ -50,7 +50,7 @@ cp master2.db.in updated.db
 zone=expired
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 $SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
@@ -58,7 +58,7 @@ $SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone}
 zone=retransfer
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db

@@ -71,20 +71,20 @@ $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 zone=retransfer3
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db

 for s in a c d h k l m q z
 do
 	zone=test-$s
-	keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+	keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 done

 for s in b f i o p t v
 do
 	zone=test-$s
-	keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+	keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 	keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 done


--- a/bin/tests/system/inline/setup.sh
+++ b/bin/tests/system/inline/setup.sh
@@ -9,7 +9,7 @@ SYSTEMTESTTOP=..

 $SHELL clean.sh

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE

 cp ns1/root.db.in ns1/root.db
 rm -f ns1/root.db.signed

--- a/bin/tests/system/keepalive/setup.sh
+++ b/bin/tests/system/keepalive/setup.sh
@@ -11,4 +11,4 @@ SYSTEMTESTTOP=..

 $SHELL clean.sh

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
--- a/bin/tests/system/legacy/build.sh
+++ b/bin/tests/system/legacy/build.sh
@@ -9,7 +9,7 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE

 $SHELL clean.sh


--- a/bin/tests/system/masterformat/setup.sh
+++ b/bin/tests/system/masterformat/setup.sh
@@ -7,7 +7,7 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE

 rm -f named-compilezone
 ln -s $CHECKZONE named-compilezone

--- a/bin/tests/system/metadata/setup.sh
+++ b/bin/tests/system/metadata/setup.sh
@@ -11,7 +11,7 @@ SYSTEMTESTTOP=..

 $SHELL ./clean.sh

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE

 pzone=parent.nil
 czone=child.parent.nil

--- a/bin/tests/system/metadata/tests.sh
+++ b/bin/tests/system/metadata/tests.sh
@@ -28,7 +28,7 @@ rolling=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < rolling.key`
 standby=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < standby.key`
 zsk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < zsk.key`

-$GENRANDOM 400 $RANDFILE
+$GENRANDOM 800 $RANDFILE

 echo "I:signing zones"
 $SIGNER -Sg -o $czone $cfile > /dev/null 2>&1

--- a/bin/tests/system/mkeys/setup.sh
+++ b/bin/tests/system/mkeys/setup.sh
@@ -11,7 +11,7 @@ SYSTEMTESTTOP=..

 $SHELL clean.sh

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE

 cp ns1/named1.conf ns1/named.conf


--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -9,7 +9,7 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE

 #
 # jnl and database files MUST be removed before we start

--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -160,7 +160,7 @@ grep ns6.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1

 ret=0
 echo "I:check SIG(0) key is accepted"
-key=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 512 -T KEY -n ENTITY xxx`
+key=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -T KEY -n ENTITY xxx`
 echo "" | $NSUPDATE -k ${key}.private > /dev/null 2>&1 || ret=1
 [ $ret = 0 ] || { echo I:failed; status=1; }


--- a/bin/tests/system/padding/setup.sh
+++ b/bin/tests/system/padding/setup.sh
@@ -11,4 +11,4 @@ SYSTEMTESTTOP=..

 $SHELL clean.sh

-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
--- a/bin/tests/system/pending/ns2/sign.sh
+++ b/bin/tests/system/pending/ns2/sign.sh