4594.   [func]          dnssec-keygen no longer uses RSASHA1 by default;
                        the signing algorithm must be specified on
                        the command line with the "-a" option.  Signing
                        scripts that rely on the existing default behavior
                        will break; use "dnssec-keygen -a RSASHA1" to
                        repair them. (The goal of this change is to make
                        it easier to find scripts using RSASHA1 so they 
                        can be changed in the event of that algorithm 
                        being deprecated in the future.) [RT #44755]

9.12.0

This necessitated changing a number of system tests that used dnssec-keygen
with the default algorithm, so I'm putting this ticket in the qa queue to
make sure those changes were all correct. There were no new tests added.