Improve language in documentation

Various language specific improvements, from Suzanne Goldlust's
review.

doc/arm/dnssec.rst

@@ -17,14 +17,14 @@ Converting From Insecure to Secure
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 A zone can be changed from insecure to secure in three ways: using a
-dynamic DNS update, or via the ``auto-dnssec`` zone option, or set a
+dynamic DNS update, via the ``auto-dnssec`` zone option, or by setting a
 DNSSEC policy for the zone with ``dnssec-policy``.
 
-For either method, ``named`` must be configured so that it can see
+For any method, ``named`` must be configured so that it can see
 the ``K*`` files which contain the public and private parts of the keys
 that are used to sign the zone. These files are generated
-by ``dnssec-keygen`` (or created when needed by ``named`` if
+by ``dnssec-keygen``, or created when needed by ``named`` if
-``dnssec-policy`` is used). Keys should be placed in the
+``dnssec-policy`` is used. Keys should be placed in the
 key-directory, as specified in ``named.conf``:
 
 ::
@@ -41,9 +41,9 @@ configuration causes all records in the zone to be signed with the
 ZSK, and the DNSKEY RRset to be signed with the KSK. An NSEC
 chain is generated as part of the initial signing process.
 
-With ``dnssec-policy you specify what keys should be KSK and/or ZSK.
+With ``dnssec-policy``, it is possible to specify which keys should be
-If you want a key to sign all records with a key you will need to
+KSK and/or ZSK. To sign all records with a key, a CSK must be specified.
-specify a CSK. For example:
+For example:
 
 ::
 
@@ -97,7 +97,7 @@ other updates are possible as well.
 Fully Automatic Zone Signing
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-To enable automatic signing, you can set a ``dnssec-policy``, or add the
+To enable automatic signing, set a ``dnssec-policy`` or add the
 ``auto-dnssec`` option to the zone statement in ``named.conf``.
 ``auto-dnssec`` has two possible arguments: ``allow`` or ``maintain``.
 
@@ -111,10 +111,10 @@ automatically adjusts the zone's DNSKEY records on a schedule according to
 the keys' timing metadata. (See :ref:`man_dnssec-keygen` and
 :ref:`man_dnssec-settime` for more information.)
 
-``dnssec-policy`` is like ``auto-dnssec maintain``, but will also automatically
+``dnssec-policy`` is similar to ``auto-dnssec maintain``, but
-create new keys when necessary. Also any configuration related to DNSSEC
+``dnssec-policy`` also automatically creates new keys when necessary. In
-signing is retrieved from the policy (ignoring existing DNSSEC ``named.conf``
+addition, any configuration related to DNSSEC signing is retrieved from the
-options).
+policy, ignoring existing DNSSEC ``named.conf`` options.
 
 ``named`` periodically searches the key directory for keys matching
 the zone; if the keys' metadata indicates that any change should be
@@ -243,7 +243,7 @@ conversion is complete, the NSEC chain is removed and the
 NSEC3PARAM record has a zero flag field. The NSEC3 chain is
 generated before the NSEC chain is destroyed.
 
-NSEC3 is not supported yet with ``dnssec-policy``.
+NSEC3 is not yet supported with ``dnssec-policy``.
 
 Converting From NSEC3 to NSEC
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

doc/arm/reference.rst

@@ -1533,8 +1533,8 @@ default is used.
    If ``full``, the server collects statistical data on all zones,
    unless specifically turned off on a per-zone basis by specifying
    ``zone-statistics terse`` or ``zone-statistics none`` in the ``zone``
-   statement. These include, for example, DNSSEC signing operations
+   statement. The statistical data includes, for example, DNSSEC signing
-   and the number of authoritative answers per query type.  The
+   operations and the number of authoritative answers per query type. The
    default is ``terse``, providing minimal statistics on zones
    (including name and current serial number, but not query type
    counters).