diff --git a/bin/python/dnssec-coverage.8 b/bin/python/dnssec-coverage.8
new file mode 100644
index 0000000000..19e8cf8b01
--- /dev/null
+++ b/bin/python/dnssec-coverage.8
@@ -0,0 +1,121 @@
+.\" Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\" 
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id$
+.\"
+.hy 0
+.ad l
+.\"     Title: dnssec\-coverage
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: April 16, 2012
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "DNSSEC\-COVERAGE" "8" "April 16, 2012" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+dnssec\-coverage \- checks future DNSKEY coverage for a zone
+.SH "SYNOPSIS"
+.HP 16
+\fBdnssec\-coverage\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-d\ \fR\fB\fIDNSKEY\ TTL\fR\fR] [\fB\-m\ \fR\fB\fImax\ TTL\fR\fR] [\fB\-r\ \fR\fB\fIinterval\fR\fR] [\fB\-c\ \fR\fB\fIcompilezone\ path\fR\fR] [zone]
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-coverage\fR
+verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC coverage.
+.PP
+If
+\fBzone\fR
+is specified, then keys found in the key repository matching that zone are scanned, and an ordered list is generated of the events scheduled for that key (i.e., publication, activation, inactivation, deletion). The list of events is walked in order of occurrence. Warnings are generated if any event is scheduled which could cause the zone to enter a state in which validation failures might occur: for example, if the number of published or active keys for a given algorithm drops to zero, or if a key is deleted from the zone too soon after a new key is rolled, and cached data signed by the prior key has not had time to expire from resolver caches.
+.PP
+If
+\fBzone\fR
+is not specified, then all keys in the key repository will be scanned, and all zones for which there are keys will be analyzed. (Note: This method of reporting is only accurate if all the zones that have keys in a given repository share the same TTL parameters.)
+.SH "OPTIONS"
+.PP
+\-f \fIfile\fR
+.RS 4
+If a
+\fBfile\fR
+is specified, then the zone is read from that file; the largest TTL and the DNSKEY TTL are determined directly from the zone data, and the
+\fB\-m\fR
+and
+\fB\-d\fR
+options do not need to be specified on the command line.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Sets the directory in which keys can be found. Defaults to the current working directory.
+.RE
+.PP
+\-m \fImaximum TTL\fR
+.RS 4
+Sets the value to be used as the maximum TTL for the zone or zones being analyzed when determining whether there is a possibility of validation failure. When a zone\-signing key is deactivated, there must be enough time for the record in the zone with the longest TTL to have expired from resolver caches before that key can be purged from the DNSKEY RRset. If that condition does not apply, a warning will be generated.
+.sp
+The length of the TTL can be set in seconds, or in larger units of time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
+.sp
+This option is mandatory unless the
+\fB\-f\fR
+has been used to specify a zone file. (If
+\fB\-f\fR
+has been specified, this option may still be used; it will overrde the value found in the file.)
+.RE
+.PP
+\-d \fIDNSKEY TTL\fR
+.RS 4
+Sets the value to be used as the DNSKEY TTL for the zone or zones being analyzed when determining whether there is a possibility of validation failure. When a key is rolled (that is, replaced with a new key), there must be enough time for the old DNSKEY RRset to have expired from resolver caches before the new key is activated and begins generating signatures. If that condition does not apply, a warning will be generated.
+.sp
+The length of the TTL can be set in seconds, or in larger units of time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
+.sp
+This option is mandatory unless the
+\fB\-f\fR
+has been used to specify a zone file, or a default key TTL was set with the
+\fB\-L\fR
+to
+\fBdnssec\-keygen\fR. (If either of those is true, this option may still be used; it will overrde the value found in the zone or key file.)
+.RE
+.PP
+\-r \fIresign interval\fR
+.RS 4
+Sets the value to be used as the resign interval for the zone or zones being analyzed when determining whether there is a possibility of validation failure. This value defaults to 22.5 days, which is also the default in
+\fBnamed\fR. However, if it has been changed by the
+\fBsig\-validity\-interval\fR
+option in
+\fInamed.conf\fR, then it should also be changed here.
+.sp
+The length of the interval can be set in seconds, or in larger units of time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
+.RE
+.PP
+\-c \fIcompilezone path\fR
+.RS 4
+Specifies a path to a
+\fBnamed\-compilezone\fR
+binary. Used for testing.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBdnssec\-checkds\fR(8),
+\fBdnssec\-dsfromkey\fR(8),
+\fBdnssec\-keygen\fR(8),
+\fBdnssec\-signzone\fR(8)
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2013 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/python/dnssec-coverage.html b/bin/python/dnssec-coverage.html
new file mode 100644
index 0000000000..8aecfa8c08
--- /dev/null
+++ b/bin/python/dnssec-coverage.html
@@ -0,0 +1,166 @@
+<!--
+ - Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-coverage</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.dnssec-coverage"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-coverage</span> &#8212; checks future DNSKEY coverage for a zone</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code>  [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [zone]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543390"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-coverage</strong></span>
+      verifies that the DNSSEC keys for a given zone or a set of zones
+      have timing metadata set properly to ensure no future lapses in DNSSEC
+      coverage.
+    </p>
+<p>
+      If <code class="option">zone</code> is specified, then keys found in
+      the key repository matching that zone are scanned, and an ordered
+      list is generated of the events scheduled for that key (i.e.,
+      publication, activation, inactivation, deletion).  The list of
+      events is walked in order of occurrence.  Warnings are generated
+      if any event is scheduled which could cause the zone to enter a
+      state in which validation failures might occur: for example, if
+      the number of published or active keys for a given algorithm drops
+      to zero, or if a key is deleted from the zone too soon after a new
+      key is rolled, and cached data signed by the prior key has not had
+      time to expire from resolver caches.
+    </p>
+<p>
+      If <code class="option">zone</code> is not specified, then all keys in the
+      key repository will be scanned, and all zones for which there are
+      keys will be analyzed.  (Note: This method of reporting is only
+      accurate if all the zones that have keys in a given repository
+      share the same TTL parameters.)
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543415"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
+<dd><p>
+            If a <code class="option">file</code> is specified, then the zone is
+            read from that file; the largest TTL and the DNSKEY TTL are
+            determined directly from the zone data, and the
+            <code class="option">-m</code> and <code class="option">-d</code> options do
+            not need to be specified on the command line.
+          </p></dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+            Sets the directory in which keys can be found.  Defaults to the
+            current working directory.
+          </p></dd>
+<dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
+<dd>
+<p>
+            Sets the value to be used as the maximum TTL for the zone or
+            zones being analyzed when determining whether there is a
+            possibility of validation failure.  When a zone-signing key is
+            deactivated, there must be enough time for the record in the
+            zone with the longest TTL to have expired from resolver caches
+            before that key can be purged from the DNSKEY RRset.  If that
+            condition does not apply, a warning will be generated.
+          </p>
+<p>
+            The length of the TTL can be set in seconds, or in larger units
+            of time by adding a suffix: 'mi' for minutes, 'h' for hours,
+            'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
+          </p>
+<p>
+            This option is mandatory unless the <code class="option">-f</code> has
+            been used to specify a zone file.  (If <code class="option">-f</code> has
+            been specified, this option may still be used; it will overrde
+            the value found in the file.)
+          </p>
+</dd>
+<dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
+<dd>
+<p>
+            Sets the value to be used as the DNSKEY TTL for the zone or
+            zones being analyzed when determining whether there is a
+            possibility of validation failure.  When a key is rolled (that
+            is, replaced with a new key), there must be enough time
+            for the old DNSKEY RRset to have expired from resolver caches
+            before the new key is activated and begins generating
+            signatures.  If that condition does not apply, a warning
+            will be generated.
+          </p>
+<p>
+            The length of the TTL can be set in seconds, or in larger units
+            of time by adding a suffix: 'mi' for minutes, 'h' for hours,
+            'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
+          </p>
+<p>
+            This option is mandatory unless the <code class="option">-f</code> has
+            been used to specify a zone file, or a default key TTL was
+            set with the <code class="option">-L</code> to
+            <span><strong class="command">dnssec-keygen</strong></span>.  (If either of those is true,
+            this option may still be used; it will overrde the value found
+            in the zone or key file.)
+          </p>
+</dd>
+<dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>
+<dd>
+<p>
+            Sets the value to be used as the resign interval for the zone
+            or zones being analyzed when determining whether there is a
+            possibility of validation failure.  This value defaults to
+            22.5 days, which is also the default in
+            <span><strong class="command">named</strong></span>.  However, if it has been changed
+            by the <code class="option">sig-validity-interval</code> option in
+            <code class="filename">named.conf</code>, then it should also be
+            changed here.
+          </p>
+<p>
+            The length of the interval can be set in seconds, or in larger
+            units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
+            'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
+          </p>
+</dd>
+<dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt>
+<dd><p>
+            Specifies a path to a <span><strong class="command">named-compilezone</strong></span> binary.
+            Used for testing.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543657"></a><h2>SEE ALSO</h2>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543701"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div></body>
+</html>