regen master

2025-09-02 07:35:26 +00:00 · 2015-01-11 01:05:05 +00:00
parent f0cbe180f0
commit 2f161339d2
31 changed files with 356 additions and 308 deletions
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -91,18 +91,18 @@
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2666992">Prerequisites</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2667127">Prerequisites</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2667001">Native PKCS#11</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2667137">Native PKCS#11</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612469">OpenSSL-based PKCS#11</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612533">OpenSSL-based PKCS#11</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639305">PKCS#11 Tools</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639440">PKCS#11 Tools</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639478">Using the HSM</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639476">Using the HSM</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639832">Specifying the engine on the command line</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639693">Specifying the engine on the command line</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639880">Running named with automatic zone re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639810">Running named with automatic zone re-signing</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639944">Configuring DLZ</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611749">Configuring DLZ</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611755">Sample DLZ Driver</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612027">Sample DLZ Driver</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571523">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
 <dd><dl>
@@ -1431,8 +1431,9 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code><
    been tested with Debian Linux, Solaris x86 and Windows Server 2003;
    the Thales nShield, tested with Debian Linux; and the Sun SCA 6000
    cryptographic acceleration board, tested with Solaris x86.  In
-    addition, BIND can be used with SoftHSM, a software-based HSM
+    addition, BIND can be used with all current versions of SoftHSM,
-    simulator produced by the OpenDNSSEC project.
+    a software-based HSM simulator library produced by the OpenDNSSEC
    project.
  </p>
 <p>
    PKCS#11 makes use of a "provider library": a dynamically loadable
@@ -1452,7 +1453,7 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code><
  </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2666992"></a>Prerequisites</h3></div></div></div>
+<a name="id2667127"></a>Prerequisites</h3></div></div></div>
 <p>
      See the documentation provided by your HSM vendor for
      information about installing, initializing, testing and
@@ -1461,18 +1462,18 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code><
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2667001"></a>Native PKCS#11</h3></div></div></div>
+<a name="id2667137"></a>Native PKCS#11</h3></div></div></div>
 <p>
      Native PKCS#11 mode will only work with an HSM capable of carrying
      out <span class="emphasis"><em>every</em></span> cryptographic operation BIND 9 may
      need. The HSM's provider library must have a complete implementation
      of the PKCS#11 API, so that all these functions are accessible. As of
-      this writing, only the Thales nShield HSM and the latest development
+      this writing, only the Thales nShield HSM and SoftHSMv2 can be used
-      version of SoftHSM can be used in this fashion.  For other HSMs,
+      in this fashion.  For other HSMs, including the AEP Keyper, Sun SCA
-      including the AEP Keyper, Sun SCA 6000 and older versions of SoftHSM,
+      6000 and older versions of SoftHSM, use OpenSSL-based PKCS#11.
-      use OpenSSL-based PKCS#11. (Note: As more HSMs become capable of
+      (Note: Eventually, when more HSMs become capable of supporting
-      supporting native PKCS#11, it is expected that OpenSSL-based
+      native PKCS#11, it is expected that OpenSSL-based PKCS#11 will
-      PKCS#11 will eventually be deprecated.)
+      be deprecated.)
    </p>
 <p>
      To build BIND with native PKCS#11, configure as follows:
@@ -1492,10 +1493,47 @@ $ <strong class="userinput"><code>./configure --enable-native-pkcs11 \
      <span><strong class="command">dnssec-*</strong></span> tools, or the <code class="option">-m</code> in
      the <span><strong class="command">pkcs11-*</strong></span> tools.)
    </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2612467"></a>Building SoftHSMv2</h4></div></div></div>
 <p>
 	SoftHSMv2, the latest development version of SoftHSM, is available
 	from
 	<a href="https://github.com/opendnssec/SoftHSMv2" target="_top">
 	  https://github.com/opendnssec/SoftHSMv2
 	</a>.
 	It is a software library developed by the OpenDNSSEC project
 	(<a href="http://www.opendnssec.org" target="_top">
 	  http://www.opendnssec.org
 	</a>)
 	which provides a PKCS#11 interface to a virtual HSM, implemented in
 	the form of a SQLite3 database on the local filesystem.  It provides
 	less security than a true HSM, but it allows you to experiment with
 	native PKCS#11 when an HSM is not available.  SoftHSMv2 can be
 	configured to use either OpenSSL or the Botan library to perform
 	cryptographic functions, but when using it for native PKCS#11 in
 	BIND, OpenSSL is required.
      </p>
 <p>
 	By default, the SoftHSMv2 configuration file is
 	<em class="replaceable"><code>prefix</code></em>/etc/softhsm2.conf (where
 	<em class="replaceable"><code>prefix</code></em> is configured at compile time).
 	This location can be overridden by the SOFTHSM2_CONF environment
 	variable.  The SoftHSMv2 cryptographic store must be installed and
 	initialized before using it with BIND.
      </p>
 <pre class="screen">
 $ <strong class="userinput"><code> cd SoftHSMv2 </code></strong>
 $ <strong class="userinput"><code> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost </code></strong>
 $ <strong class="userinput"><code> make </code></strong>
 $ <strong class="userinput"><code> make install </code></strong>
 $ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 </code></strong>
      </pre>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2612469"></a>OpenSSL-based PKCS#11</h3></div></div></div>
+<a name="id2612533"></a>OpenSSL-based PKCS#11</h3></div></div></div>
 <p>
      OpenSSL-based PKCS#11 mode uses a modified version of the
      OpenSSL library; stock OpenSSL does not fully support PKCS#11.
@@ -1512,23 +1550,23 @@ $ <strong class="userinput"><code>./configure --enable-native-pkcs11 \
    </p>
 <div class="itemizedlist"><ul type="disc">
 <li><p>
-          Use 'crypto-accelerator' with HSMs that have hardware
+	  Use 'crypto-accelerator' with HSMs that have hardware
-          cryptographic acceleration features, such as the SCA 6000
+	  cryptographic acceleration features, such as the SCA 6000
-          board. This causes OpenSSL to run all supported
+	  board. This causes OpenSSL to run all supported
-          cryptographic operations in the HSM.
+	  cryptographic operations in the HSM.
-        </p></li>
+	</p></li>
 <li><p>
-          Use 'sign-only' with HSMs that are designed to
+	  Use 'sign-only' with HSMs that are designed to
-          function primarily as secure key storage devices, but lack
+	  function primarily as secure key storage devices, but lack
-          hardware acceleration. These devices are highly secure, but
+	  hardware acceleration. These devices are highly secure, but
-          are not necessarily any faster at cryptography than the
+	  are not necessarily any faster at cryptography than the
-          system CPU &#8212; often, they are slower. It is therefore
+	  system CPU &#8212; often, they are slower. It is therefore
-          most efficient to use them only for those cryptographic
+	  most efficient to use them only for those cryptographic
-          functions that require access to the secured private key,
+	  functions that require access to the secured private key,
-          such as zone signing, and to use the system CPU for all
+	  such as zone signing, and to use the system CPU for all
-          other computationally-intensive operations. The AEP Keyper
+	  other computationally-intensive operations. The AEP Keyper
-          is an example of such a device.
+	  is an example of such a device.
-        </p></li>
+	</p></li>
 </ul></div>
 <p>
      The modified OpenSSL code is included in the BIND 9 release,
@@ -1540,8 +1578,8 @@ $ <strong class="userinput"><code>./configure --enable-native-pkcs11 \
    </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-      The latest OpenSSL versions as of this writing (January 2014)
+      The latest OpenSSL versions as of this writing (January 2015)
-      are 0.9.8y, 1.0.0l, and 1.0.1f.
+      are 0.9.8zc, 1.0.0o, and 1.0.1j.
      ISC will provide updated patches as new versions of OpenSSL
      are released. The version number in the following examples
      is expected to change.
@@ -1553,130 +1591,132 @@ $ <strong class="userinput"><code>./configure --enable-native-pkcs11 \
    </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2612574"></a>Patching OpenSSL</h4></div></div></div>
+<a name="id2612570"></a>Patching OpenSSL</h4></div></div></div>
 <pre class="screen">
-$ <strong class="userinput"><code>wget <a href="" target="_top">http://www.openssl.org/source/openssl-0.9.8y.tar.gz</a></code></strong>
+$ <strong class="userinput"><code>wget <a href="" target="_top">http://www.openssl.org/source/openssl-0.9.8zc.tar.gz</a></code></strong>
  </pre>
 <p>Extract the tarball:</p>
 <pre class="screen">
-$ <strong class="userinput"><code>tar zxf openssl-0.9.8y.tar.gz</code></strong>
+$ <strong class="userinput"><code>tar zxf openssl-0.9.8zc.tar.gz</code></strong>
 </pre>
 <p>Apply the patch from the BIND 9 release:</p>
 <pre class="screen">
-$ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8y \
+$ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8zc \
-              &lt; bind9/bin/pkcs11/openssl-0.9.8y-patch</code></strong>
+	      &lt; bind9/bin/pkcs11/openssl-0.9.8zc-patch</code></strong>
 </pre>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-        Note that the patch file may not be compatible with the
+	Note that the patch file may not be compatible with the
-        "patch" utility on all operating systems. You may need to
+	"patch" utility on all operating systems. You may need to
-        install GNU patch.
+	install GNU patch.
      </div>
 <p>
-        When building OpenSSL, place it in a non-standard
+	When building OpenSSL, place it in a non-standard
-        location so that it does not interfere with OpenSSL libraries
+	location so that it does not interfere with OpenSSL libraries
-        elsewhere on the system. In the following examples, we choose
+	elsewhere on the system. In the following examples, we choose
-        to install into "/opt/pkcs11/usr". We will use this location
+	to install into "/opt/pkcs11/usr". We will use this location
-        when we configure BIND 9.
+	when we configure BIND 9.
      </p>
 <p>
-        Later, when building BIND 9, the location of the custom-built
+	Later, when building BIND 9, the location of the custom-built
-        OpenSSL library will need to be specified via configure.
+	OpenSSL library will need to be specified via configure.
      </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2612701"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
+<a name="id2612629"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
 <p>
-        The AEP Keyper is a highly secure key storage device,
+	The AEP Keyper is a highly secure key storage device,
-        but does not provide hardware cryptographic acceleration. It
+	but does not provide hardware cryptographic acceleration. It
-        can carry out cryptographic operations, but it is probably
+	can carry out cryptographic operations, but it is probably
-        slower than your system's CPU. Therefore, we choose the
+	slower than your system's CPU. Therefore, we choose the
-        'sign-only' flavor when building OpenSSL.
+	'sign-only' flavor when building OpenSSL.
      </p>
 <p>
-        The Keyper-specific PKCS#11 provider library is
+	The Keyper-specific PKCS#11 provider library is
-        delivered with the Keyper software. In this example, we place
+	delivered with the Keyper software. In this example, we place
-        it /opt/pkcs11/usr/lib:
+	it /opt/pkcs11/usr/lib:
      </p>
 <pre class="screen">
 $ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
 </pre>
 <p>
-        This library is only available for Linux as a 32-bit
+	This library is only available for Linux as a 32-bit
-        binary. If we are compiling on a 64-bit Linux system, it is
+	binary. If we are compiling on a 64-bit Linux system, it is
-        necessary to force a 32-bit build, by specifying -m32 in the
+	necessary to force a 32-bit build, by specifying -m32 in the
-        build options.
+	build options.
      </p>
 <p>
-        Finally, the Keyper library requires threads, so we
+	Finally, the Keyper library requires threads, so we
-        must specify -pthread.
+	must specify -pthread.
      </p>
 <pre class="screen">
-$ <strong class="userinput"><code>cd openssl-0.9.8y</code></strong>
+$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
 $ <strong class="userinput"><code>./Configure linux-generic32 -m32 -pthread \
-            --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
+	    --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
-            --pk11-flavor=sign-only \
+	    --pk11-flavor=sign-only \
-            --prefix=/opt/pkcs11/usr</code></strong>
+	    --prefix=/opt/pkcs11/usr</code></strong>
 </pre>
 <p>
-        After configuring, run "<span><strong class="command">make</strong></span>"
+	After configuring, run "<span><strong class="command">make</strong></span>"
-        and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make
+	and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make
-        test</strong></span>" fails with "pthread_atfork() not found", you forgot to
+	test</strong></span>" fails with "pthread_atfork() not found", you forgot to
-        add the -pthread above.
+	add the -pthread above.
      </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2612772"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
+<a name="id2612766"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
 <p>
-        The SCA-6000 PKCS#11 provider is installed as a system
+	The SCA-6000 PKCS#11 provider is installed as a system
-        library, libpkcs11. It is a true crypto accelerator, up to 4
+	library, libpkcs11. It is a true crypto accelerator, up to 4
-        times faster than any CPU, so the flavor shall be
+	times faster than any CPU, so the flavor shall be
-        'crypto-accelerator'.
+	'crypto-accelerator'.
      </p>
 <p>
-        In this example, we are building on Solaris x86 on an
+	In this example, we are building on Solaris x86 on an
-        AMD64 system.
+	AMD64 system.
      </p>
 <pre class="screen">
-$ <strong class="userinput"><code>cd openssl-0.9.8y</code></strong>
+$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
 $ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \
-            --pk11-libname=/usr/lib/64/libpkcs11.so \
+	    --pk11-libname=/usr/lib/64/libpkcs11.so \
-            --pk11-flavor=crypto-accelerator \
+	    --pk11-flavor=crypto-accelerator \
-            --prefix=/opt/pkcs11/usr</code></strong>
+	    --prefix=/opt/pkcs11/usr</code></strong>
 </pre>
 <p>
-        (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
+	(For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
      </p>
 <p>
-        After configuring, run 
+	After configuring, run 
-        <span><strong class="command">make</strong></span> and 
+	<span><strong class="command">make</strong></span> and 
-        <span><strong class="command">make test</strong></span>.
+	<span><strong class="command">make test</strong></span>.
      </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2612822"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
+<a name="id2612816"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
 <p>
-        SoftHSM is a software library provided by the OpenDNSSEC
+	SoftHSM (version 1) is a software library developed by the
-        project (http://www.opendnssec.org) which provides a PKCS#11
+	OpenDNSSEC project
-        interface to a virtual HSM, implemented in the form of encrypted
+	(<a href="http://www.opendnssec.org" target="_top">
-        data on the local filesystem.  SoftHSM can be configured to use
+	  http://www.opendnssec.org
-        either OpenSSL or the Botan library for encryption, and SQLite3
+	</a>)
-        for data storage.  Though less secure than a true HSM, it can
+	which provides a
-        provide more secure key storage than traditional key files,
+	PKCS#11 interface to a virtual HSM, implemented in the form of
-        and can allow you to experiment with PKCS#11 when an HSM is
+	a SQLite3 database on the local filesystem.  SoftHSM uses
-        not available.
+	the Botan library to perform cryptographic functions.  Though
 	less secure than a true HSM, it can allow you to experiment
 	with PKCS#11 when an HSM is not available.
      </p>
 <p>
-        The SoftHSM cryptographic store must be installed and
+	The SoftHSM cryptographic store must be installed and
-        initialized before using it with OpenSSL, and the SOFTHSM_CONF
+	initialized before using it with OpenSSL, and the SOFTHSM_CONF
-        environment variable must always point to the SoftHSM configuration
+	environment variable must always point to the SoftHSM configuration
-        file:
+	file:
      </p>
 <pre class="screen">
-$ <strong class="userinput"><code> cd softhsm-1.3.0 </code></strong>
+$ <strong class="userinput"><code> cd softhsm-1.3.7 </code></strong>
 $ <strong class="userinput"><code> configure --prefix=/opt/pkcs11/usr </code></strong>
 $ <strong class="userinput"><code> make </code></strong>
 $ <strong class="userinput"><code> make install </code></strong>
@@ -1685,21 +1725,21 @@ $ <strong class="userinput"><code> echo "0:/opt/pkcs11/softhsm.db" &gt; $SOFTHSM
 $ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong>
 </pre>
 <p>
-        SoftHSM can perform all cryptographic operations, but
+	SoftHSM can perform all cryptographic operations, but
-        since it only uses your system CPU, there is no advantage to using
+	since it only uses your system CPU, there is no advantage to using
-        it for anything but signing.  Therefore, we choose the 'sign-only'
+	it for anything but signing.  Therefore, we choose the 'sign-only'
-        flavor when building OpenSSL.
+	flavor when building OpenSSL.
      </p>
 <pre class="screen">
-$ <strong class="userinput"><code>cd openssl-0.9.8y</code></strong>
+$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
 $ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \
-            --pk11-libname=/opt/pkcs11/usr/lib/libsofthsm.so \
+	    --pk11-libname=/opt/pkcs11/usr/lib/libsofthsm.so \
-            --pk11-flavor=sign-only \
+	    --pk11-flavor=sign-only \
-            --prefix=/opt/pkcs11/usr</code></strong>
+	    --prefix=/opt/pkcs11/usr</code></strong>
 </pre>
 <p>
-        After configuring, run "<span><strong class="command">make</strong></span>"
+	After configuring, run "<span><strong class="command">make</strong></span>"
-        and "<span><strong class="command">make test</strong></span>".
+	and "<span><strong class="command">make test</strong></span>".
      </p>
 </div>
 <p>
@@ -1710,11 +1750,11 @@ $ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \
      selected:
    </p>
 <pre class="screen">
-        (pkcs11) PKCS #11 engine support (sign only)
+	(pkcs11) PKCS #11 engine support (sign only)
 </pre>
 <p>Or:</p>
 <pre class="screen">
-        (pkcs11) PKCS #11 engine support (crypto accelerator)
+	(pkcs11) PKCS #11 engine support (crypto accelerator)
 </pre>
 <p>
      Next, run
@@ -1730,54 +1770,54 @@ $ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \
    </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2612973"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
+<a name="id2639254"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
 <p>
-        To link with the PKCS#11 provider, threads must be
+	To link with the PKCS#11 provider, threads must be
-        enabled in the BIND 9 build.
+	enabled in the BIND 9 build.
      </p>
 <p>
-        The PKCS#11 library for the AEP Keyper is currently
+	The PKCS#11 library for the AEP Keyper is currently
-        only available as a 32-bit binary. If we are building on a
+	only available as a 32-bit binary. If we are building on a
-        64-bit host, we must force a 32-bit build by adding "-m32" to
+	64-bit host, we must force a 32-bit build by adding "-m32" to
-        the CC options on the "configure" command line.
+	the CC options on the "configure" command line.
      </p>
 <pre class="screen">
 $ <strong class="userinput"><code>cd ../bind9</code></strong>
 $ <strong class="userinput"><code>./configure CC="gcc -m32" --enable-threads \
-           --with-openssl=/opt/pkcs11/usr \
+	   --with-openssl=/opt/pkcs11/usr \
-           --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
+	   --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
 </pre>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2639220"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
+<a name="id2639354"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
 <p>
-        To link with the PKCS#11 provider, threads must be
+	To link with the PKCS#11 provider, threads must be
-        enabled in the BIND 9 build.
+	enabled in the BIND 9 build.
      </p>
 <pre class="screen">
 $ <strong class="userinput"><code>cd ../bind9</code></strong>
 $ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-threads \
-            --with-openssl=/opt/pkcs11/usr \
+	    --with-openssl=/opt/pkcs11/usr \
-            --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong>
+	    --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong>
 </pre>
 <p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p>
 <p>
-        If configure complains about OpenSSL not working, you
+	If configure complains about OpenSSL not working, you
-        may have a 32/64-bit architecture mismatch. Or, you may have
+	may have a 32/64-bit architecture mismatch. Or, you may have
-        incorrectly specified the path to OpenSSL (it should be the
+	incorrectly specified the path to OpenSSL (it should be the
-        same as the --prefix argument to the OpenSSL
+	same as the --prefix argument to the OpenSSL
-        Configure).
+	Configure).
      </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2639256"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
+<a name="id2639390"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
 <pre class="screen">
 $ <strong class="userinput"><code>cd ../bind9</code></strong>
 $ <strong class="userinput"><code>./configure --enable-threads \
-           --with-openssl=/opt/pkcs11/usr \
+	   --with-openssl=/opt/pkcs11/usr \
-           --with-pkcs11=/opt/pkcs11/usr/lib/libsofthsm.so</code></strong>
+	   --with-pkcs11=/opt/pkcs11/usr/lib/libsofthsm.so</code></strong>
 </pre>
 </div>
 <p>
@@ -1793,7 +1833,7 @@ $ <strong class="userinput"><code>./configure --enable-threads \
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2639305"></a>PKCS#11 Tools</h3></div></div></div>
+<a name="id2639440"></a>PKCS#11 Tools</h3></div></div></div>
 <p>
      BIND 9 includes a minimal set of tools to operate the
      HSM, including 
@@ -1816,7 +1856,7 @@ $ <strong class="userinput"><code>./configure --enable-threads \
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2639478"></a>Using the HSM</h3></div></div></div>
+<a name="id2639476"></a>Using the HSM</h3></div></div></div>
 <p>
      For OpenSSL-based PKCS#11, we must first set up the runtime
      environment so the OpenSSL and PKCS#11 libraries can be loaded:
@@ -1937,7 +1977,7 @@ example.net.signed
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2639832"></a>Specifying the engine on the command line</h3></div></div></div>
+<a name="id2639693"></a>Specifying the engine on the command line</h3></div></div></div>
 <p>
      When using OpenSSL-based PKCS#11, the "engine" to be used by
      OpenSSL can be specified in <span><strong class="command">named</strong></span> and all of
@@ -1969,7 +2009,7 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2639880"></a>Running named with automatic zone re-signing</h3></div></div></div>
+<a name="id2639810"></a>Running named with automatic zone re-signing</h3></div></div></div>
 <p>
      If you want <span><strong class="command">named</strong></span> to dynamically re-sign zones
      using HSM keys, and/or to to sign new records inserted via nsupdate,
@@ -1985,13 +2025,13 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s
    </p>
 <p>Sample openssl.cnf:</p>
 <pre class="programlisting">
-        openssl_conf = openssl_def
+	openssl_conf = openssl_def
-        [ openssl_def ]
+	[ openssl_def ]
-        engines = engine_section
+	engines = engine_section
-        [ engine_section ]
+	[ engine_section ]
-        pkcs11 = pkcs11_section
+	pkcs11 = pkcs11_section
-        [ pkcs11_section ]
+	[ pkcs11_section ]
-        PIN = <em class="replaceable"><code>&lt;PLACE PIN HERE&gt;</code></em>
+	PIN = <em class="replaceable"><code>&lt;PLACE PIN HERE&gt;</code></em>
 </pre>
 <p>
      This will also allow the dnssec-* tools to access the HSM
@@ -2002,16 +2042,16 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s
 <p>
      In native PKCS#11 mode, the PIN can be provided in a file specified
      as an attribute of the key's label.  For example, if a key had the label
-      <strong class="userinput"><code>pkcs11:object=local-zsk;pin-source=/etc/hsmpin"</code></strong>,
+      <strong class="userinput"><code>pkcs11:object=local-zsk;pin-source=/etc/hsmpin</code></strong>,
      then the PIN would be read from the file
      <code class="filename">/etc/hsmpin</code>.
    </p>
 <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
 <p>
-        Placing the HSM's PIN in a text file in this manner may reduce the
+	Placing the HSM's PIN in a text file in this manner may reduce the
-        security advantage of using an HSM. Be sure this is what you want to
+	security advantage of using an HSM. Be sure this is what you want to
-        do before configuring the system in this way.
+	do before configuring the system in this way.
      </p>
 </div>
 </div>
@@ -2056,7 +2096,7 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s
  </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2639944"></a>Configuring DLZ</h3></div></div></div>
+<a name="id2611749"></a>Configuring DLZ</h3></div></div></div>
 <p>
      A DLZ database is configured with a <span><strong class="command">dlz</strong></span>
      statement in <code class="filename">named.conf</code>:
@@ -2105,7 +2145,7 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2611755"></a>Sample DLZ Driver</h3></div></div></div>
+<a name="id2612027"></a>Sample DLZ Driver</h3></div></div></div>
 <p>
      For guidance in implementation of DLZ modules, the directory
      <code class="filename">contrib/dlz/example</code> contains a basic
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -420,6 +420,10 @@
 	  initial packet sizes used in BIND 9.10 and higher when
 	  contacting authoritative servers for the first time.
        </p></li>
 <li><p>
 	  Built-in "empty" zones did not correctly inherit the
 	  "allow-transfer" ACL from the options or view. [RT #38310]
        </p></li>
 </ul></div>
 </div>
 <div class="sect2" lang="en">
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -135,18 +135,18 @@
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2666992">Prerequisites</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2667127">Prerequisites</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2667001">Native PKCS#11</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2667137">Native PKCS#11</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612469">OpenSSL-based PKCS#11</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612533">OpenSSL-based PKCS#11</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639305">PKCS#11 Tools</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639440">PKCS#11 Tools</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639478">Using the HSM</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639476">Using the HSM</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639832">Specifying the engine on the command line</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639693">Specifying the engine on the command line</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639880">Running named with automatic zone re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639810">Running named with automatic zone re-signing</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639944">Configuring DLZ</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611749">Configuring DLZ</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611755">Sample DLZ Driver</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612027">Sample DLZ Driver</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571523">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
 <dd><dl>
@@ -268,13 +268,13 @@
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2614725">Prerequisite</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2614457">Prerequisite</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2614734">Compilation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2614467">Compilation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612165">Installation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2613672">Installation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612196">Known Defects/Restrictions</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2613703">Known Defects/Restrictions</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2613843">The dns.conf File</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2613780">The dns.conf File</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2613869">Sample Applications</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2613875">Sample Applications</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2615047">Library References</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2615189">Library References</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="reference"><a href="Bv9ARM.ch13.html">I. Manual pages</a></span></dt>
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -50,20 +50,20 @@
 <div class="cmdsynopsis"><p><code class="command">arpaname</code>  {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2624644"></a><h2>DESCRIPTION</h2>
+<a name="id2625332"></a><h2>DESCRIPTION</h2>
 <p>
      <span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
      IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2625273"></a><h2>SEE ALSO</h2>
+<a name="id2625347"></a><h2>SEE ALSO</h2>
 <p>
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2625287"></a><h2>AUTHOR</h2>
+<a name="id2625361"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -51,7 +51,7 @@
 <div class="cmdsynopsis"><p><code class="command">ddns-confgen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-q</code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em>  |   -z <em class="replaceable"><code>zone</code></em> ]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2666830"></a><h2>DESCRIPTION</h2>
+<a name="id2664242"></a><h2>DESCRIPTION</h2>
 <p>
      <span><strong class="command">tsig-keygen</strong></span> and <span><strong class="command">ddns-confgen</strong></span>
      are invocation methods for a utility that generates keys for use
@@ -87,7 +87,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669050"></a><h2>OPTIONS</h2>
+<a name="id2664345"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd><p>
@@ -159,7 +159,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669267"></a><h2>SEE ALSO</h2>
+<a name="id2665040"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -167,7 +167,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669305"></a><h2>AUTHOR</h2>
+<a name="id2665078"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.delv.html
+++ b/doc/arm/man.delv.html
@@ -53,7 +53,7 @@
 <div class="cmdsynopsis"><p><code class="command">delv</code>  [queryopt...] [query...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2617619"></a><h2>DESCRIPTION</h2>
+<a name="id2617624"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">delv</strong></span>
      (Domain Entity Lookup &amp; Validation) is a tool for sending
      DNS queries and validating the results, using the the same internal
@@ -96,7 +96,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2617691"></a><h2>SIMPLE USAGE</h2>
+<a name="id2617697"></a><h2>SIMPLE USAGE</h2>
 <p>
      A typical invocation of <span><strong class="command">delv</strong></span> looks like:
      </p>
@@ -151,7 +151,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2617822"></a><h2>OPTIONS</h2>
+<a name="id2618033"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
 <dd>
@@ -285,7 +285,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2673326"></a><h2>QUERY OPTIONS</h2>
+<a name="id2673332"></a><h2>QUERY OPTIONS</h2>
 <p><span><strong class="command">delv</strong></span>
      provides a number of query options which affect the way results are
      displayed, and in some cases the way lookups are performed.
@@ -471,12 +471,12 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2673788"></a><h2>FILES</h2>
+<a name="id2673862"></a><h2>FILES</h2>
 <p><code class="filename">/etc/bind.keys</code></p>
 <p><code class="filename">/etc/resolv.conf</code></p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2673808"></a><h2>SEE ALSO</h2>
+<a name="id2673881"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
      <em class="citetitle">RFC4034</em>,
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -52,7 +52,7 @@
 <div class="cmdsynopsis"><p><code class="command">dig</code>  [global-queryopt...] [query...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2615489"></a><h2>DESCRIPTION</h2>
+<a name="id2615357"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dig</strong></span>
      (domain information groper) is a flexible tool
      for interrogating DNS name servers.  It performs DNS lookups and
@@ -99,7 +99,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2615591"></a><h2>SIMPLE USAGE</h2>
+<a name="id2615460"></a><h2>SIMPLE USAGE</h2>
 <p>
      A typical invocation of <span><strong class="command">dig</strong></span> looks like:
      </p>
@@ -152,7 +152,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2615717"></a><h2>OPTIONS</h2>
+<a name="id2615586"></a><h2>OPTIONS</h2>
 <p>
      The <code class="option">-b</code> option sets the source IP address of the query
      to <em class="parameter"><code>address</code></em>.  This must be a valid
@@ -260,7 +260,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2667204"></a><h2>QUERY OPTIONS</h2>
+<a name="id2667414"></a><h2>QUERY OPTIONS</h2>
 <p><span><strong class="command">dig</strong></span>
      provides a number of query options which affect
      the way in which lookups are made and the results displayed.  Some of
@@ -688,7 +688,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2668628"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2668906"></a><h2>MULTIPLE QUERIES</h2>
 <p>
      The BIND 9 implementation of <span><strong class="command">dig </strong></span>
      supports
@@ -734,7 +734,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2668781"></a><h2>IDN SUPPORT</h2>
+<a name="id2668992"></a><h2>IDN SUPPORT</h2>
 <p>
      If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
      domain name) support, it can accept and display non-ASCII domain names.
@@ -748,14 +748,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2668810"></a><h2>FILES</h2>
+<a name="id2669020"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
    </p>
 <p><code class="filename">${HOME}/.digrc</code>
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2668832"></a><h2>SEE ALSO</h2>
+<a name="id2669042"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -763,7 +763,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2668869"></a><h2>BUGS</h2>
+<a name="id2669079"></a><h2>BUGS</h2>
 <p>
      There are probably too many query options.
    </p>
--- a/doc/arm/man.dnssec-checkds.html
+++ b/doc/arm/man.dnssec-checkds.html
@@ -51,7 +51,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>] [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>] {zone}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2618166"></a><h2>DESCRIPTION</h2>
+<a name="id2618649"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-checkds</strong></span>
      verifies the correctness of Delegation Signer (DS) or DNSSEC
      Lookaside Validation (DLV) resource records for keys in a specified
@@ -59,7 +59,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2618180"></a><h2>OPTIONS</h2>
+<a name="id2618663"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 <dd><p>
@@ -88,14 +88,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2618282"></a><h2>SEE ALSO</h2>
+<a name="id2618765"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2618316"></a><h2>AUTHOR</h2>
+<a name="id2618868"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.dnssec-coverage.html
+++ b/doc/arm/man.dnssec-coverage.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code>  [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>length</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [<code class="option">-k</code>] [<code class="option">-z</code>] [zone]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2619074"></a><h2>DESCRIPTION</h2>
+<a name="id2619079"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-coverage</strong></span>
      verifies that the DNSSEC keys for a given zone or a set of zones
      have timing metadata set properly to ensure no future lapses in DNSSEC
@@ -78,7 +78,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2619100"></a><h2>OPTIONS</h2>
+<a name="id2619106"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
@@ -192,7 +192,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2619546"></a><h2>SEE ALSO</h2>
+<a name="id2619552"></a><h2>SEE ALSO</h2>
 <p>
      <span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
@@ -201,7 +201,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2619590"></a><h2>AUTHOR</h2>
+<a name="id2619595"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -52,14 +52,14 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2620050"></a><h2>DESCRIPTION</h2>
+<a name="id2620260"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-dsfromkey</strong></span>
      outputs the Delegation Signer (DS) resource record (RR), as defined in
      RFC 3658 and RFC 4509, for the given key(s).
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2620064"></a><h2>OPTIONS</h2>
+<a name="id2620274"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-1</span></dt>
 <dd><p>
@@ -144,7 +144,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2620736"></a><h2>EXAMPLE</h2>
+<a name="id2620809"></a><h2>EXAMPLE</h2>
 <p>
      To build the SHA-256 DS RR from the
      <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@@ -159,7 +159,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2620772"></a><h2>FILES</h2>
+<a name="id2620845"></a><h2>FILES</h2>
 <p>
      The keyfile can be designed by the key identification
      <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@@ -173,13 +173,13 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2620813"></a><h2>CAVEAT</h2>
+<a name="id2620887"></a><h2>CAVEAT</h2>
 <p>
      A keyfile error can give a "file not found" even if the file exists.
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2620823"></a><h2>SEE ALSO</h2>
+<a name="id2621989"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -189,7 +189,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2622091"></a><h2>AUTHOR</h2>
+<a name="id2622028"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.dnssec-importkey.html
+++ b/doc/arm/man.dnssec-importkey.html
@@ -51,7 +51,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code>  {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2621027"></a><h2>DESCRIPTION</h2>
+<a name="id2621100"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-importkey</strong></span>
      reads a public DNSKEY record and generates a pair of
      .key/.private files.  The DNSKEY record may be read from an
@@ -71,7 +71,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2621054"></a><h2>OPTIONS</h2>
+<a name="id2621128"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
 <dd>
@@ -114,7 +114,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2621260"></a><h2>TIMING OPTIONS</h2>
+<a name="id2621470"></a><h2>TIMING OPTIONS</h2>
 <p>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
@@ -142,7 +142,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2621785"></a><h2>FILES</h2>
+<a name="id2621586"></a><h2>FILES</h2>
 <p>
      A keyfile can be designed by the key identification
      <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@@ -151,7 +151,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2621811"></a><h2>SEE ALSO</h2>
+<a name="id2621611"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -159,7 +159,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2621844"></a><h2>AUTHOR</h2>
+<a name="id2621644"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code>  {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2622790"></a><h2>DESCRIPTION</h2>
+<a name="id2622181"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-keyfromlabel</strong></span>
      generates a key pair of files that referencing a key object stored
      in a cryptographic hardware service module (HSM).  The private key
@@ -66,7 +66,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2622816"></a><h2>OPTIONS</h2>
+<a name="id2622206"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
@@ -243,7 +243,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2674006"></a><h2>TIMING OPTIONS</h2>
+<a name="id2674080"></a><h2>TIMING OPTIONS</h2>
 <p>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
@@ -315,7 +315,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2674196"></a><h2>GENERATED KEY FILES</h2>
+<a name="id2674201"></a><h2>GENERATED KEY FILES</h2>
 <p>
      When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
      successfully,
@@ -354,7 +354,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2674358"></a><h2>SEE ALSO</h2>
+<a name="id2674363"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -363,7 +363,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2674395"></a><h2>AUTHOR</h2>
+<a name="id2674401"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2623697"></a><h2>DESCRIPTION</h2>
+<a name="id2623361"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-keygen</strong></span>
      generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
      and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2623717"></a><h2>OPTIONS</h2>
+<a name="id2623381"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
@@ -285,7 +285,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2674713"></a><h2>TIMING OPTIONS</h2>
+<a name="id2674855"></a><h2>TIMING OPTIONS</h2>
 <p>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
@@ -359,7 +359,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2675040"></a><h2>GENERATED KEYS</h2>
+<a name="id2675045"></a><h2>GENERATED KEYS</h2>
 <p>
      When <span><strong class="command">dnssec-keygen</strong></span> completes
      successfully,
@@ -405,7 +405,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2675147"></a><h2>EXAMPLE</h2>
+<a name="id2675221"></a><h2>EXAMPLE</h2>
 <p>
      To generate a 768-bit DSA key for the domain
      <strong class="userinput"><code>example.com</code></strong>, the following command would be
@@ -426,7 +426,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2675204"></a><h2>SEE ALSO</h2>
+<a name="id2675277"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 2539</em>,
@@ -435,7 +435,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2675235"></a><h2>AUTHOR</h2>
+<a name="id2675308"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code>  [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2637738"></a><h2>DESCRIPTION</h2>
+<a name="id2626480"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-revoke</strong></span>
      reads a DNSSEC key file, sets the REVOKED bit on the key as defined
      in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2637752"></a><h2>OPTIONS</h2>
+<a name="id2626493"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-h</span></dt>
 <dd><p>
@@ -109,14 +109,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2637890"></a><h2>SEE ALSO</h2>
+<a name="id2633185"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 5011</em>.
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2637914"></a><h2>AUTHOR</h2>
+<a name="id2633209"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-settime</code>  [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2638913"></a><h2>DESCRIPTION</h2>
+<a name="id2637348"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-settime</strong></span>
      reads a DNSSEC private key file and sets the key timing metadata
      as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
@@ -76,7 +76,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2640268"></a><h2>OPTIONS</h2>
+<a name="id2637406"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-f</span></dt>
 <dd><p>
@@ -131,7 +131,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2640407"></a><h2>TIMING OPTIONS</h2>
+<a name="id2640071"></a><h2>TIMING OPTIONS</h2>
 <p>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
@@ -210,7 +210,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2641706"></a><h2>PRINTING OPTIONS</h2>
+<a name="id2640210"></a><h2>PRINTING OPTIONS</h2>
 <p>
      <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
      timing metadata associated with a key.
@@ -236,7 +236,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2644517"></a><h2>SEE ALSO</h2>
+<a name="id2640290"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -244,7 +244,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2644550"></a><h2>AUTHOR</h2>
+<a name="id2640323"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-Q</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2644279"></a><h2>DESCRIPTION</h2>
+<a name="id2644762"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-signzone</strong></span>
      signs a zone.  It generates
      NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2644298"></a><h2>OPTIONS</h2>
+<a name="id2644781"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd><p>
@@ -512,7 +512,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2676699"></a><h2>EXAMPLE</h2>
+<a name="id2676705"></a><h2>EXAMPLE</h2>
 <p>
      The following command signs the <strong class="userinput"><code>example.com</code></strong>
      zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
@@ -542,14 +542,14 @@ db.example.com.signed
 %</pre>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2676778"></a><h2>SEE ALSO</h2>
+<a name="id2676784"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2676806"></a><h2>AUTHOR</h2>
+<a name="id2676811"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-verify</code>  [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2645326"></a><h2>DESCRIPTION</h2>
+<a name="id2644990"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-verify</strong></span>
      verifies that a zone is fully signed for each algorithm found
      in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
@@ -58,7 +58,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2645340"></a><h2>OPTIONS</h2>
+<a name="id2645004"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd><p>
@@ -138,7 +138,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2645524"></a><h2>SEE ALSO</h2>
+<a name="id2645256"></a><h2>SEE ALSO</h2>
 <p>
      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -146,7 +146,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2645549"></a><h2>AUTHOR</h2>
+<a name="id2645282"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">genrandom</code>  [<code class="option">-n <em class="replaceable"><code>number</code></em></code>] {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2624770"></a><h2>DESCRIPTION</h2>
+<a name="id2625116"></a><h2>DESCRIPTION</h2>
 <p>
      <span><strong class="command">genrandom</strong></span>
      generates a file or a set of files containing a specified quantity
@@ -59,7 +59,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669363"></a><h2>ARGUMENTS</h2>
+<a name="id2665204"></a><h2>ARGUMENTS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
 <dd><p>
@@ -77,14 +77,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669424"></a><h2>SEE ALSO</h2>
+<a name="id2665265"></a><h2>SEE ALSO</h2>
 <p>
      <span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
      <span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669518"></a><h2>AUTHOR</h2>
+<a name="id2665291"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-v</code>] [<code class="option">-V</code>] {name} [server]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2616034"></a><h2>DESCRIPTION</h2>
+<a name="id2615902"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">host</strong></span>
      is a simple utility for performing DNS lookups.
      It is normally used to convert names to IP addresses and vice versa.
@@ -214,7 +214,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2616938"></a><h2>IDN SUPPORT</h2>
+<a name="id2618309"></a><h2>IDN SUPPORT</h2>
 <p>
      If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
      domain name) support, it can accept and display non-ASCII domain names. 
@@ -228,12 +228,12 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2616967"></a><h2>FILES</h2>
+<a name="id2618338"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2616981"></a><h2>SEE ALSO</h2>
+<a name="id2618352"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
    </p>
--- a/doc/arm/man.isc-hmac-fixup.html
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code>  {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669780"></a><h2>DESCRIPTION</h2>
+<a name="id2666645"></a><h2>DESCRIPTION</h2>
 <p>
      Versions of BIND 9 up to and including BIND 9.6 had a bug causing
      HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669808"></a><h2>SECURITY CONSIDERATIONS</h2>
+<a name="id2666673"></a><h2>SECURITY CONSIDERATIONS</h2>
 <p>
      Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
      are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669824"></a><h2>SEE ALSO</h2>
+<a name="id2666689"></a><h2>SEE ALSO</h2>
 <p>
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 2104</em>.
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669841"></a><h2>AUTHOR</h2>
+<a name="id2666706"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-x</code>] [<code class="option">-z</code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2645922"></a><h2>DESCRIPTION</h2>
+<a name="id2645449"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named-checkconf</strong></span>
      checks the syntax, but not the semantics, of a
      <span><strong class="command">named</strong></span> configuration file.  The file is parsed
@@ -70,7 +70,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2645992"></a><h2>OPTIONS</h2>
+<a name="id2645520"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-h</span></dt>
 <dd><p>
@@ -119,21 +119,21 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2646148"></a><h2>RETURN VALUES</h2>
+<a name="id2645880"></a><h2>RETURN VALUES</h2>
 <p><span><strong class="command">named-checkconf</strong></span>
      returns an exit status of 1 if
      errors were detected and 0 otherwise.
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2646162"></a><h2>SEE ALSO</h2>
+<a name="id2645894"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2646192"></a><h2>AUTHOR</h2>
+<a name="id2645924"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -51,7 +51,7 @@
 <div class="cmdsynopsis"><p><code class="command">named-compilezone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2676896"></a><h2>DESCRIPTION</h2>
+<a name="id2678608"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named-checkzone</strong></span>
      checks the syntax and integrity of a zone file.  It performs the
      same checks as <span><strong class="command">named</strong></span> does when loading a
@@ -71,7 +71,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2676946"></a><h2>OPTIONS</h2>
+<a name="id2678658"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-d</span></dt>
 <dd><p>
@@ -305,14 +305,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2677984"></a><h2>RETURN VALUES</h2>
+<a name="id2679696"></a><h2>RETURN VALUES</h2>
 <p><span><strong class="command">named-checkzone</strong></span>
      returns an exit status of 1 if
      errors were detected and 0 otherwise.
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2677997"></a><h2>SEE ALSO</h2>
+<a name="id2679709"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
      <em class="citetitle">RFC 1035</em>,
@@ -320,7 +320,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2678030"></a><h2>AUTHOR</h2>
+<a name="id2679742"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">named-journalprint</code>  {<em class="replaceable"><code>journal</code></em>}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2621995"></a><h2>DESCRIPTION</h2>
+<a name="id2622615"></a><h2>DESCRIPTION</h2>
 <p>
      <span><strong class="command">named-journalprint</strong></span>
      prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2622041"></a><h2>SEE ALSO</h2>
+<a name="id2622661"></a><h2>SEE ALSO</h2>
 <p>
      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>,
@@ -84,7 +84,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2652929"></a><h2>AUTHOR</h2>
+<a name="id2654777"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.named-rrchecker.html
+++ b/doc/arm/man.named-rrchecker.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">named-rrchecker</code>  [<code class="option">-h</code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-p</code>] [<code class="option">-u</code>] [<code class="option">-C</code>] [<code class="option">-T</code>] [<code class="option">-P</code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2652992"></a><h2>DESCRIPTION</h2>
+<a name="id2654840"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named-rrchecker</strong></span>
     read a individual DNS resource record from standard input and checks if it
     is syntactically correct.
@@ -78,7 +78,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2653048"></a><h2>SEE ALSO</h2>
+<a name="id2654897"></a><h2>SEE ALSO</h2>
 <p>
      <em class="citetitle">RFC 1034</em>,
      <em class="citetitle">RFC 1035</em>,
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">named</code>  [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-D <em class="replaceable"><code>string</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-L <em class="replaceable"><code>logfile</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>lock-file</code></em></code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2648912"></a><h2>DESCRIPTION</h2>
+<a name="id2647893"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named</strong></span>
      is a Domain Name System (DNS) server,
      part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2648942"></a><h2>OPTIONS</h2>
+<a name="id2647924"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-4</span></dt>
 <dd><p>
@@ -288,7 +288,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2678416"></a><h2>SIGNALS</h2>
+<a name="id2681493"></a><h2>SIGNALS</h2>
 <p>
      In routine operation, signals should not be used to control
      the nameserver; <span><strong class="command">rndc</strong></span> should be used
@@ -309,7 +309,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2678466"></a><h2>CONFIGURATION</h2>
+<a name="id2681543"></a><h2>CONFIGURATION</h2>
 <p>
      The <span><strong class="command">named</strong></span> configuration file is too complex
      to describe in detail here.  A complete description is provided
@@ -326,7 +326,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2678515"></a><h2>FILES</h2>
+<a name="id2681592"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
 <dd><p>
@@ -339,7 +339,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2678558"></a><h2>SEE ALSO</h2>
+<a name="id2681636"></a><h2>SEE ALSO</h2>
 <p><em class="citetitle">RFC 1033</em>,
      <em class="citetitle">RFC 1034</em>,
      <em class="citetitle">RFC 1035</em>,
@@ -352,7 +352,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2678697"></a><h2>AUTHOR</h2>
+<a name="id2681774"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -48,7 +48,7 @@
 <div class="cmdsynopsis"><p><code class="command">nsec3hash</code>  {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2625171"></a><h2>DESCRIPTION</h2>
+<a name="id2625313"></a><h2>DESCRIPTION</h2>
 <p>
      <span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on
      a set of NSEC3 parameters.  This can be used to check the validity
@@ -56,7 +56,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2625186"></a><h2>ARGUMENTS</h2>
+<a name="id2625328"></a><h2>ARGUMENTS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">salt</span></dt>
 <dd><p>
@@ -80,14 +80,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669962"></a><h2>SEE ALSO</h2>
+<a name="id2669353"></a><h2>SEE ALSO</h2>
 <p>
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 5155</em>.
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669979"></a><h2>AUTHOR</h2>
+<a name="id2669438"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">nsupdate</code>  [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] |  [<code class="option">-o</code>] |  [<code class="option">-l</code>] |  [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [<code class="option">-T</code>] [<code class="option">-P</code>] [<code class="option">-V</code>] [filename]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2654664"></a><h2>DESCRIPTION</h2>
+<a name="id2655216"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">nsupdate</strong></span>
      is used to submit Dynamic DNS Update requests as defined in RFC 2136
      to a name server.
@@ -236,7 +236,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2678917"></a><h2>INPUT FORMAT</h2>
+<a name="id2682062"></a><h2>INPUT FORMAT</h2>
 <p><span><strong class="command">nsupdate</strong></span>
      reads input from
      <em class="parameter"><code>filename</code></em>
@@ -549,7 +549,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2680065"></a><h2>EXAMPLES</h2>
+<a name="id2683210"></a><h2>EXAMPLES</h2>
 <p>
      The examples below show how
      <span><strong class="command">nsupdate</strong></span>
@@ -603,7 +603,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2680115"></a><h2>FILES</h2>
+<a name="id2683329"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
 <dd><p>
@@ -626,7 +626,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2680266"></a><h2>SEE ALSO</h2>
+<a name="id2683412"></a><h2>SEE ALSO</h2>
 <p>
      <em class="citetitle">RFC 2136</em>,
      <em class="citetitle">RFC 3007</em>,
@@ -641,7 +641,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2680324"></a><h2>BUGS</h2>
+<a name="id2683469"></a><h2>BUGS</h2>
 <p>
      The TSIG key is redundantly stored in two separate files.
      This is a consequence of nsupdate using the DST library
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc-confgen</code>  [<code class="option">-a</code>] [<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2664284"></a><h2>DESCRIPTION</h2>
+<a name="id2662651"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">rndc-confgen</strong></span>
      generates configuration files
      for <span><strong class="command">rndc</strong></span>.  It can be used as a
@@ -66,7 +66,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2664350"></a><h2>OPTIONS</h2>
+<a name="id2663332"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd>
@@ -180,7 +180,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2665232"></a><h2>EXAMPLES</h2>
+<a name="id2664145"></a><h2>EXAMPLES</h2>
 <p>
      To allow <span><strong class="command">rndc</strong></span> to be used with
      no manual configuration, run
@@ -197,7 +197,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669657"></a><h2>SEE ALSO</h2>
+<a name="id2665566"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -205,7 +205,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669696"></a><h2>AUTHOR</h2>
+<a name="id2665605"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2623880"></a><h2>DESCRIPTION</h2>
+<a name="id2623885"></a><h2>DESCRIPTION</h2>
 <p><code class="filename">rndc.conf</code> is the configuration file
      for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
      utility.  This file has a similar structure and syntax to
@@ -136,7 +136,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2661394"></a><h2>EXAMPLE</h2>
+<a name="id2660102"></a><h2>EXAMPLE</h2>
 <pre class="programlisting">
      options {
        default-server  localhost;
@@ -210,7 +210,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2663495"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id2661384"></a><h2>NAME SERVER CONFIGURATION</h2>
 <p>
      The name server must be configured to accept rndc connections and
      to recognize the key specified in the <code class="filename">rndc.conf</code>
@@ -220,7 +220,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2663521"></a><h2>SEE ALSO</h2>
+<a name="id2661410"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
@@ -228,7 +228,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2663559"></a><h2>AUTHOR</h2>
+<a name="id2661448"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc</code>  [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-q</code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2660106"></a><h2>DESCRIPTION</h2>
+<a name="id2656152"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">rndc</strong></span>
      controls the operation of a name
      server.  It supersedes the <span><strong class="command">ndc</strong></span> utility
@@ -81,7 +81,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2660156"></a><h2>OPTIONS</h2>
+<a name="id2656202"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
 <dd><p>
@@ -152,7 +152,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2661675"></a><h2>COMMANDS</h2>
+<a name="id2659837"></a><h2>COMMANDS</h2>
 <p>
      A list of commands supported by <span><strong class="command">rndc</strong></span> can
      be seen by running <span><strong class="command">rndc</strong></span> without arguments.
@@ -620,7 +620,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2686376"></a><h2>LIMITATIONS</h2>
+<a name="id2686381"></a><h2>LIMITATIONS</h2>
 <p>
      There is currently no way to provide the shared secret for a
      <code class="option">key_id</code> without using the configuration file.
@@ -630,7 +630,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2686394"></a><h2>SEE ALSO</h2>
+<a name="id2686400"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -640,7 +640,7 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2686450"></a><h2>AUTHOR</h2>
+<a name="id2686455"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
 </div>
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -381,6 +381,10 @@
 	  initial packet sizes used in BIND 9.10 and higher when
 	  contacting authoritative servers for the first time.
        </p></li>
 <li><p>
 	  Built-in "empty" zones did not correctly inherit the
 	  "allow-transfer" ACL from the options or view. [RT #38310]
        </p></li>
 </ul></div>
 </div>
 <div class="sect2" lang="en">