From 5f53003dae4d65dffab7d9c0f906242aa26ceabc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
Date: Thu, 9 Jun 2022 14:48:53 +0200
Subject: [PATCH] Clarify dnssec-keyfromlabel -a in man page

---
 bin/dnssec/dnssec-keyfromlabel.rst | 12 ++++--------
 doc/man/dnssec-keyfromlabel.1in    | 12 ++++--------
 2 files changed, 8 insertions(+), 16 deletions(-)

diff --git a/bin/dnssec/dnssec-keyfromlabel.rst b/bin/dnssec/dnssec-keyfromlabel.rst
index 2b9cb488f7..098feb9ecb 100644
--- a/bin/dnssec/dnssec-keyfromlabel.rst
+++ b/bin/dnssec/dnssec-keyfromlabel.rst
@@ -45,20 +45,16 @@ Options
    be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512,
    ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.
 
-   If no algorithm is specified, RSASHA1 is used by default
-   unless the :option:`-3` option is specified, in which case NSEC3RSASHA1
-   is used instead. (If :option:`-3` is used and an algorithm is
-   specified, that algorithm is checked for compatibility with
-   NSEC3.)
-
    These values are case-insensitive. In some cases, abbreviations are
    supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
    ECDSAP384SHA384. If RSASHA1 is specified along with the :option:`-3`
    option, then NSEC3RSASHA1 is used instead.
 
-   Since BIND 9.12.0, this option is mandatory except when using the
+   This option is mandatory except when using the
    :option:`-S` option, which copies the algorithm from the predecessory key.
-   Previously, the default for newly generated keys was RSASHA1.
+
+   .. versionchanged:: 9.12.0
+      The default value RSASHA1 for newly generated keys was removed.
 
 .. option:: -3
 
diff --git a/doc/man/dnssec-keyfromlabel.1in b/doc/man/dnssec-keyfromlabel.1in
index 810a1ebe96..a59fa8cf4d 100644
--- a/doc/man/dnssec-keyfromlabel.1in
+++ b/doc/man/dnssec-keyfromlabel.1in
@@ -52,20 +52,16 @@ This option selects the cryptographic algorithm. The value of \fBalgorithm\fP mu
 be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512,
 ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.
 .sp
-If no algorithm is specified, RSASHA1 is used by default
-unless the \fI\%\-3\fP option is specified, in which case NSEC3RSASHA1
-is used instead. (If \fI\%\-3\fP is used and an algorithm is
-specified, that algorithm is checked for compatibility with
-NSEC3.)
-.sp
 These values are case\-insensitive. In some cases, abbreviations are
 supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
 ECDSAP384SHA384. If RSASHA1 is specified along with the \fI\%\-3\fP
 option, then NSEC3RSASHA1 is used instead.
 .sp
-Since BIND 9.12.0, this option is mandatory except when using the
+This option is mandatory except when using the
 \fI\%\-S\fP option, which copies the algorithm from the predecessory key.
-Previously, the default for newly generated keys was RSASHA1.
+.sp
+Changed in version 9.12.0: The default value RSASHA1 for newly generated keys was removed.
+
 .UNINDENT
 .INDENT 0.0
 .TP