diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 84688b08ea..cdae394fb5 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -474,13 +474,16 @@ stages:
       junit: junit.xml
 
 .docs: &docs_job
-  variables:
-    DOC_BUILD_TARGET: man
   stage: docs
   script:
     - *configure
-    - meson compile -C build ${DOC_BUILD_TARGET}
+    - meson compile -C build arm man
     - find build/man/ -maxdepth 2 -name "*.[0-9]" -exec mandoc -T lint "{}" \; | ( ! grep -v -e "skipping paragraph macro. sp after" -e "unknown font, skipping request. ft C" -e "input text line longer than 80 bytes" )
+    - test -z "${DOC_CHECK_MISC_CHANGE}" || ninja -C build doc-misc
+    - test -z "${DOC_CHECK_MISC_CHANGE}" || cp build/doc/misc/options build/doc/misc/rndc.grammar build/doc/misc/*.zoneopt doc/misc/
+    - test -z "${DOC_CHECK_MISC_CHANGE}" || git diff > doc-misc.patch
+    - test -z "${DOC_CHECK_MISC_CHANGE}" || if test "$(git status --porcelain --untracked-files=no | wc -l)" -gt "0"; then git status --short; exit 1; fi
+
 
 .respdiff: &respdiff_job
   stage: system
@@ -662,7 +665,6 @@ changelog:
     GIT_AUTHOR_EMAIL: $GITLAB_USER_EMAIL
     GIT_COMMITTER_NAME: $GITLAB_USER_NAME
     GIT_COMMITTER_EMAIL: $GITLAB_USER_EMAIL
-    DOC_BUILD_TARGET: arm man
   before_script:
     - echo -e "$CI_MERGE_REQUEST_TITLE\n" > commitmsg
     - sed -i 's/^Draft:\s*//' commitmsg
@@ -695,9 +697,12 @@ docs:
   <<: *default_triggering_rules
   <<: *base_image
   <<: *docs_job
+  variables:
+    DOC_CHECK_MISC_CHANGE: 1
   needs: []
   artifacts:
     untracked: true
+    when: always
 
 docs:tarball:
   <<: *default_triggering_rules
diff --git a/doc/arm/_ext/mergegrammar.py b/doc/arm/_ext/mergegrammar.py
index 0628be64a1..42fb502265 100644
--- a/doc/arm/_ext/mergegrammar.py
+++ b/doc/arm/_ext/mergegrammar.py
@@ -13,17 +13,13 @@
 
 # Depends on CWD - Sphinx plugin
 
-import os
 import json
 from pathlib import Path
 
 import parsegrammar
 
-buildroot = os.getenv("BIND_BUILD_ROOT")
-if buildroot is None:
-    raise RuntimeError("Running outside meson?")
 
-misc_path = Path(buildroot) / "doc" / "misc"
+misc_path = Path(__file__).resolve().parent.parent.parent / "misc"
 options_path = misc_path / "options"
 
 
@@ -47,7 +43,7 @@ def read_zone():
 
 
 def read_main():
-    with Path(options_path).open(encoding="ascii") as fp:
+    with options_path.open(encoding="ascii") as fp:
         optgrammar = parsegrammar.parse_mapbody(fp)
     return optgrammar
 
diff --git a/doc/arm/_ext/rndcconf.py b/doc/arm/_ext/rndcconf.py
index bc7bd7846b..b09dfcf4be 100644
--- a/doc/arm/_ext/rndcconf.py
+++ b/doc/arm/_ext/rndcconf.py
@@ -15,7 +15,6 @@
 Sphinx domain "rndcconf". See iscconf.py for details.
 """
 
-import os
 from pathlib import Path
 
 from docutils import nodes
@@ -23,8 +22,7 @@ from docutils import nodes
 import iscconf
 import parsegrammar
 
-buildroot = os.getenv("BIND_BUILD_ROOT")
-grammar_path = Path(buildroot) / "doc" / "misc" / "rndc.grammar"
+grammar_path = Path(__file__).resolve().parent.parent.parent / "misc" / "rndc.grammar"
 
 
 class ToBeReplacedStatementList(nodes.General, nodes.Element):
diff --git a/doc/arm/conf.py b/doc/arm/conf.py
index dedada00ca..fc122c1bf7 100644
--- a/doc/arm/conf.py
+++ b/doc/arm/conf.py
@@ -11,8 +11,8 @@
 # information regarding copyright ownership.
 ############################################################################
 
-import os
 import sys
+import re
 
 from pathlib import Path
 from typing import List, Tuple
@@ -151,7 +151,15 @@ project = "BIND 9"
 copyright = "2023, Internet Systems Consortium"
 author = "Internet Systems Consortium"
 
-version = os.getenv("BIND_PROJECT_VERSION")
+meson_path = Path(__file__).resolve().parent.parent.parent / "meson.build"
+with meson_path.open(encoding="utf-8") as meson_build:
+    pattern = re.compile(r"    version: '(?P<version>.*)',")
+    for line in meson_build:
+        match = pattern.match(line)
+        if match:
+            version = match.group("version")
+            assert version.startswith("9.")
+            break
 
 release = version
 
diff --git a/doc/ext/configblock.py b/doc/ext/configblock.py
index cc34a77ce7..368df5ba18 100644
--- a/doc/ext/configblock.py
+++ b/doc/ext/configblock.py
@@ -9,7 +9,6 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-import os
 from pathlib import Path
 
 from docutils import nodes
@@ -19,18 +18,14 @@ from sphinx.util.docutils import SphinxDirective
 from sphinx.util.typing import ExtensionMetadata
 
 
-BIND_BUILD_ROOT = os.getenv("BIND_BUILD_ROOT")
-if BIND_BUILD_ROOT is None:
-    raise RuntimeError("running outside meson?")
-
-miscpath = Path(BIND_BUILD_ROOT) / "doc" / "misc"
+misc_path = Path(__file__).resolve().parent.parent.parent / "misc"
 
 
 class ConfigBlockDirective(SphinxDirective):
     required_arguments = 1
 
     def run(self) -> list[nodes.Node]:
-        target = miscpath / self.arguments[0]
+        target = misc_path / self.arguments[0]
 
         block = "{}" if not target.exists() else target.read_text()
 
diff --git a/doc/meson.build b/doc/meson.build
index 3c30d254a1..2faef3bf03 100644
--- a/doc/meson.build
+++ b/doc/meson.build
@@ -11,6 +11,7 @@
 
 # Manpages can be build without sphinx
 subdir('man')
+subdir('misc')
 
 if not sphinx_build.found()
     subdir_done()
@@ -18,4 +19,3 @@ endif
 
 subdir('arm')
 subdir('dnssec-guide')
-subdir('misc')
diff --git a/doc/misc/forward.zoneopt b/doc/misc/forward.zoneopt
new file mode 100644
index 0000000000..af060cf347
--- /dev/null
+++ b/doc/misc/forward.zoneopt
@@ -0,0 +1,6 @@
+zone <string> [ <class> ] {
+	type forward;
+	forward ( first | only );
+	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
+	template <string>;
+};
diff --git a/doc/misc/hint.zoneopt b/doc/misc/hint.zoneopt
new file mode 100644
index 0000000000..260db7fb5f
--- /dev/null
+++ b/doc/misc/hint.zoneopt
@@ -0,0 +1,6 @@
+zone <string> [ <class> ] {
+	type hint;
+	check-names ( fail | warn | ignore );
+	file <quoted_string>;
+	template <string>;
+};
diff --git a/doc/misc/in-view.zoneopt b/doc/misc/in-view.zoneopt
new file mode 100644
index 0000000000..c63c4273e5
--- /dev/null
+++ b/doc/misc/in-view.zoneopt
@@ -0,0 +1,3 @@
+zone <string> [ <class> ] {
+	in-view <string>;
+};
diff --git a/doc/misc/mirror.zoneopt b/doc/misc/mirror.zoneopt
new file mode 100644
index 0000000000..aa193235a7
--- /dev/null
+++ b/doc/misc/mirror.zoneopt
@@ -0,0 +1,47 @@
+zone <string> [ <class> ] {
+	type mirror;
+	allow-notify { <address_match_element>; ... };
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
+	allow-update-forwarding { <address_match_element>; ... };
+	also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+	check-names ( fail | warn | ignore );
+	database <string>;
+	file <quoted_string>;
+	ixfr-from-differences <boolean>;
+	journal <quoted_string>;
+	masterfile-format ( raw | text );
+	masterfile-style ( full | relative );
+	max-ixfr-ratio ( unlimited | <percentage> );
+	max-journal-size ( default | unlimited | <sizeval> );
+	max-records <integer>;
+	max-records-per-type <integer>;
+	max-refresh-time <integer>;
+	max-retry-time <integer>;
+	max-transfer-idle-in <integer>;
+	max-transfer-idle-out <integer>;
+	max-transfer-time-in <integer>;
+	max-transfer-time-out <integer>;
+	max-types-per-name <integer>;
+	min-refresh-time <integer>;
+	min-retry-time <integer>;
+	min-transfer-rate-in <integer> <integer>;
+	multi-master <boolean>;
+	notify ( explicit | master-only | primary-only | <boolean> );
+	notify-defer <integer>;
+	notify-delay <integer>;
+	notify-source ( <ipv4_address> | * );
+	notify-source-v6 ( <ipv6_address> | * );
+	primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+	provide-zoneversion <boolean>;
+	request-expire <boolean>;
+	request-ixfr <boolean>;
+	request-ixfr-max-diffs <integer>;
+	template <string>;
+	transfer-source ( <ipv4_address> | * );
+	transfer-source-v6 ( <ipv6_address> | * );
+	try-tcp-refresh <boolean>;
+	zero-no-soa-ttl <boolean>;
+	zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/options b/doc/misc/options
new file mode 100644
index 0000000000..3215fc7af7
--- /dev/null
+++ b/doc/misc/options
@@ -0,0 +1,695 @@
+acl <string> { <address_match_element>; ... }; // may occur multiple times
+
+controls {
+	inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
+	unix <quoted_string> perm <integer> owner <integer> group <integer> [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
+}; // may occur multiple times
+
+dlz <string> {
+	database <string>;
+	search <boolean>;
+}; // may occur multiple times
+
+dnssec-policy <string> {
+	cdnskey <boolean>;
+	cds-digest-types { <string>; ... };
+	dnskey-ttl <duration>;
+	inline-signing <boolean>;
+	keys { ( csk | ksk | zsk ) [ key-directory | key-store <string> ] lifetime <duration_or_unlimited> algorithm <string> [ tag-range <integer> <integer> ] [ <integer> ]; ... };
+	max-zone-ttl <duration>;
+	nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];
+	offline-ksk <boolean>;
+	parent-ds-ttl <duration>;
+	parent-propagation-delay <duration>;
+	publish-safety <duration>;
+	purge-keys <duration>;
+	retire-safety <duration>;
+	signatures-jitter <duration>;
+	signatures-refresh <duration>;
+	signatures-validity <duration>;
+	signatures-validity-dnskey <duration>;
+	zone-propagation-delay <duration>;
+}; // may occur multiple times
+
+dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times
+
+http <string> {
+	endpoints { <quoted_string>; ... };
+	listener-clients <integer>;
+	streams-per-connection <integer>;
+}; // optional (only available if configured), may occur multiple times
+
+key <string> {
+	algorithm <string>;
+	secret <string>;
+}; // may occur multiple times
+
+key-store <string> {
+	directory <string>;
+	pkcs11-uri <quoted_string>;
+}; // may occur multiple times
+
+logging {
+	category <string> { <string>; ... }; // may occur multiple times
+	channel <string> {
+		buffered <boolean>;
+		file <quoted_string> [ versions ( unlimited | <integer> ) ] [ size <size> ] [ suffix ( increment | timestamp ) ];
+		null;
+		print-category <boolean>;
+		print-severity <boolean>;
+		print-time ( iso8601 | iso8601-utc | iso8601-tzinfo | local | <boolean> );
+		severity <log_severity>;
+		stderr;
+		syslog [ <syslog_facility> ];
+	}; // may occur multiple times
+};
+
+options {
+	allow-new-zones <boolean>;
+	allow-notify { <address_match_element>; ... };
+	allow-proxy { <address_match_element>; ... }; // experimental
+	allow-proxy-on { <address_match_element>; ... }; // experimental
+	allow-query { <address_match_element>; ... };
+	allow-query-cache { <address_match_element>; ... };
+	allow-query-cache-on { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	allow-recursion { <address_match_element>; ... };
+	allow-recursion-on { <address_match_element>; ... };
+	allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
+	allow-update { <address_match_element>; ... };
+	allow-update-forwarding { <address_match_element>; ... };
+	also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+	answer-cookie <boolean>;
+	attach-cache <string>;
+	auth-nxdomain <boolean>;
+	automatic-interface-scan <boolean>;
+	bindkeys-file <quoted_string>; // test only
+	blackhole { <address_match_element>; ... };
+	catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
+	check-dup-records ( fail | warn | ignore );
+	check-integrity <boolean>;
+	check-mx ( fail | warn | ignore );
+	check-mx-cname ( fail | warn | ignore );
+	check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
+	check-sibling <boolean>;
+	check-spf ( warn | ignore );
+	check-srv-cname ( fail | warn | ignore );
+	check-svcb <boolean>;
+	check-wildcard <boolean>;
+	clients-per-query <integer>;
+	cookie-algorithm ( siphash24 );
+	cookie-secret <string>; // may occur multiple times
+	deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ];
+	deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
+	directory <quoted_string>;
+	disable-algorithms <string> { <string>; ... }; // may occur multiple times
+	disable-ds-digests <string> { <string>; ... }; // may occur multiple times
+	disable-empty-zone <string>; // may occur multiple times
+	dns64 <netprefix> {
+		break-dnssec <boolean>;
+		clients { <address_match_element>; ... };
+		exclude { <address_match_element>; ... };
+		mapped { <address_match_element>; ... };
+		recursive-only <boolean>;
+		suffix <ipv6_address>;
+	}; // may occur multiple times
+	dns64-contact <string>;
+	dns64-server <string>;
+	dnskey-sig-validity <integer>; // obsolete
+	dnsrps-enable <boolean>; // obsolete
+	dnsrps-library <quoted_string>; // obsolete
+	dnsrps-options { <unspecified-text> }; // obsolete
+	dnssec-accept-expired <boolean>;
+	dnssec-dnskey-kskonly <boolean>; // obsolete
+	dnssec-loadkeys-interval <integer>;
+	dnssec-policy <string>;
+	dnssec-secure-to-insecure <boolean>; // obsolete
+	dnssec-update-mode ( maintain | no-resign ); // obsolete
+	dnssec-validation ( yes | no | auto );
+	dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // optional (only available if configured)
+	dnstap-identity ( <quoted_string> | none | hostname ); // optional (only available if configured)
+	dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited | <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( increment | timestamp ) ]; // optional (only available if configured)
+	dnstap-version ( <quoted_string> | none ); // optional (only available if configured)
+	dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
+	dump-file <quoted_string>;
+	edns-udp-size <integer>;
+	empty-contact <string>;
+	empty-server <string>;
+	empty-zones-enable <boolean>;
+	fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
+	fetches-per-server <integer> [ ( drop | fail ) ];
+	fetches-per-zone <integer> [ ( drop | fail ) ];
+	flush-zones-on-shutdown <boolean>;
+	forward ( first | only );
+	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
+	fstrm-set-buffer-hint <integer>; // optional (only available if configured)
+	fstrm-set-flush-timeout <integer>; // optional (only available if configured)
+	fstrm-set-input-queue-size <integer>; // optional (only available if configured)
+	fstrm-set-output-notify-threshold <integer>; // optional (only available if configured)
+	fstrm-set-output-queue-model ( mpsc | spsc ); // optional (only available if configured)
+	fstrm-set-output-queue-size <integer>; // optional (only available if configured)
+	fstrm-set-reopen-interval <duration>; // optional (only available if configured)
+	geoip-directory ( <quoted_string> | none );
+	hostname ( <quoted_string> | none );
+	http-listener-clients <integer>; // optional (only available if configured)
+	http-port <integer>; // optional (only available if configured)
+	http-streams-per-connection <integer>; // optional (only available if configured)
+	https-port <integer>; // optional (only available if configured)
+	interface-interval <duration>;
+	ipv4only-contact <string>;
+	ipv4only-enable <boolean>;
+	ipv4only-server <string>;
+	ixfr-from-differences ( primary | master | secondary | slave | <boolean> );
+	keep-response-order { <address_match_element>; ... }; // obsolete
+	key-directory <quoted_string>;
+	lame-ttl <duration>;
+	listen-on [ port <integer> ] [ proxy <string> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
+	listen-on-v6 [ port <integer> ] [ proxy <string> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
+	lmdb-mapsize <sizeval>; // optional (only available if configured)
+	managed-keys-directory <quoted_string>;
+	masterfile-format ( raw | text );
+	masterfile-style ( full | relative );
+	match-mapped-addresses <boolean>;
+	max-cache-size ( default | unlimited | <sizeval> | <percentage> );
+	max-cache-ttl <duration>;
+	max-clients-per-query <integer>;
+	max-ixfr-ratio ( unlimited | <percentage> );
+	max-journal-size ( default | unlimited | <sizeval> );
+	max-ncache-ttl <duration>;
+	max-query-count <integer>;
+	max-query-restarts <integer>;
+	max-records <integer>;
+	max-records-per-type <integer>;
+	max-recursion-depth <integer>;
+	max-recursion-queries <integer>;
+	max-refresh-time <integer>;
+	max-retry-time <integer>;
+	max-rsa-exponent-size <integer>;
+	max-stale-ttl <duration>;
+	max-transfer-idle-in <integer>;
+	max-transfer-idle-out <integer>;
+	max-transfer-time-in <integer>;
+	max-transfer-time-out <integer>;
+	max-types-per-name <integer>;
+	max-udp-size <integer>;
+	max-validation-failures-per-fetch <integer>; // experimental
+	max-validations-per-fetch <integer>; // experimental
+	max-zone-ttl ( unlimited | <duration> ); // deprecated
+	memstatistics <boolean>;
+	memstatistics-file <quoted_string>;
+	message-compression <boolean>;
+	min-cache-ttl <duration>;
+	min-ncache-ttl <duration>;
+	min-refresh-time <integer>;
+	min-retry-time <integer>;
+	min-transfer-rate-in <integer> <integer>;
+	minimal-any <boolean>;
+	minimal-responses ( no-auth | no-auth-recursive | <boolean> );
+	multi-master <boolean>;
+	new-zones-directory <quoted_string>;
+	no-case-compress { <address_match_element>; ... };
+	nocookie-udp-size <integer>;
+	notify ( explicit | master-only | primary-only | <boolean> );
+	notify-defer <integer>;
+	notify-delay <integer>;
+	notify-rate <integer>;
+	notify-source ( <ipv4_address> | * );
+	notify-source-v6 ( <ipv6_address> | * );
+	notify-to-soa <boolean>;
+	nsec3-test-zone <boolean>; // test only
+	nta-lifetime <duration>;
+	nta-recheck <duration>;
+	nxdomain-redirect <string>;
+	parental-source ( <ipv4_address> | * );
+	parental-source-v6 ( <ipv6_address> | * );
+	pid-file ( <quoted_string> | none );
+	port <integer>;
+	preferred-glue <string>;
+	prefetch <integer> [ <integer> ];
+	provide-ixfr <boolean>;
+	provide-zoneversion <boolean>;
+	qname-minimization ( strict | relaxed | disabled | off );
+	query-source [ address ] ( <ipv4_address> | * | none );
+	query-source-v6 [ address ] ( <ipv6_address> | * | none );
+	querylog <boolean>;
+	rate-limit {
+		all-per-second <integer>;
+		errors-per-second <integer>;
+		exempt-clients { <address_match_element>; ... };
+		ipv4-prefix-length <integer>;
+		ipv6-prefix-length <integer>;
+		log-only <boolean>;
+		max-table-size <integer>;
+		min-table-size <integer>;
+		nodata-per-second <integer>;
+		nxdomains-per-second <integer>;
+		qps-scale <integer>;
+		referrals-per-second <integer>;
+		responses-per-second <integer>;
+		slip <integer>;
+		window <integer>;
+	};
+	recursing-file <quoted_string>;
+	recursion <boolean>;
+	recursive-clients <integer>;
+	request-expire <boolean>;
+	request-ixfr <boolean>;
+	request-ixfr-max-diffs <integer>;
+	request-nsid <boolean>;
+	request-zoneversion <boolean>;
+	require-server-cookie <boolean>;
+	resolver-query-timeout <integer>;
+	resolver-use-dns64 <boolean>;
+	response-padding { <address_match_element>; ... } block-size <integer>;
+	response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
+	responselog <boolean>;
+	reuseport <boolean>;
+	root-key-sentinel <boolean>;
+	rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
+	secroots-file <quoted_string>;
+	send-cookie <boolean>;
+	send-report-channel <string>;
+	serial-query-rate <integer>;
+	serial-update-method ( date | increment | unixtime );
+	server-id ( <quoted_string> | none | hostname );
+	servfail-ttl <duration>;
+	session-keyalg <string>;
+	session-keyfile ( <quoted_string> | none );
+	session-keyname <string>;
+	sig-signing-nodes <integer>;
+	sig-signing-signatures <integer>;
+	sig-signing-type <integer>;
+	sig-validity-interval <integer> [ <integer> ]; // obsolete
+	sig0checks-quota <integer>; // experimental
+	sig0checks-quota-exempt { <address_match_element>; ... }; // experimental
+	sig0key-checks-limit <integer>;
+	sig0message-checks-limit <integer>;
+	stale-answer-client-timeout ( disabled | off | <integer> );
+	stale-answer-enable <boolean>;
+	stale-answer-ttl <duration>;
+	stale-cache-enable <boolean>;
+	stale-refresh-time <duration>;
+	startup-notify-rate <integer>;
+	statistics-file <quoted_string>;
+	synth-from-dnssec <boolean>;
+	tcp-advertised-timeout <integer>;
+	tcp-clients <integer>;
+	tcp-idle-timeout <integer>;
+	tcp-initial-timeout <integer>;
+	tcp-keepalive-timeout <integer>;
+	tcp-listen-queue <integer>;
+	tcp-primaries-timeout <integer>;
+	tcp-receive-buffer <integer>;
+	tcp-send-buffer <integer>;
+	tkey-domain <quoted_string>;
+	tkey-gssapi-credential <quoted_string>;
+	tkey-gssapi-keytab <quoted_string>;
+	tls-port <integer>;
+	transfer-format ( many-answers | one-answer );
+	transfer-message-size <integer>;
+	transfer-source ( <ipv4_address> | * );
+	transfer-source-v6 ( <ipv6_address> | * );
+	transfers-in <integer>;
+	transfers-out <integer>;
+	transfers-per-ns <integer>;
+	trust-anchor-telemetry <boolean>;
+	try-tcp-refresh <boolean>;
+	udp-receive-buffer <integer>;
+	udp-send-buffer <integer>;
+	update-check-ksk <boolean>; // obsolete
+	update-quota <integer>;
+	v6-bias <integer>;
+	validate-except { <string>; ... };
+	version ( <quoted_string> | none );
+	zero-no-soa-ttl <boolean>;
+	zero-no-soa-ttl-cache <boolean>;
+	zone-statistics ( full | terse | none | <boolean> );
+};
+
+plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times
+
+remote-servers <string> [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times
+
+server <netprefix> {
+	bogus <boolean>;
+	edns <boolean>;
+	edns-udp-size <integer>;
+	edns-version <integer>;
+	keys <server_key>;
+	max-udp-size <integer>;
+	notify-source ( <ipv4_address> | * );
+	notify-source-v6 ( <ipv6_address> | * );
+	padding <integer>;
+	provide-ixfr <boolean>;
+	query-source [ address ] ( <ipv4_address> | * );
+	query-source-v6 [ address ] ( <ipv6_address> | * );
+	request-expire <boolean>;
+	request-ixfr <boolean>;
+	request-ixfr-max-diffs <integer>;
+	request-nsid <boolean>;
+	request-zoneversion <boolean>;
+	require-cookie <boolean>;
+	send-cookie <boolean>;
+	tcp-keepalive <boolean>;
+	tcp-only <boolean>;
+	transfer-format ( many-answers | one-answer );
+	transfer-source ( <ipv4_address> | * );
+	transfer-source-v6 ( <ipv6_address> | * );
+	transfers <integer>;
+}; // may occur multiple times
+
+statistics-channels {
+	inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] [ allow { <address_match_element>; ... } ]; // may occur multiple times
+}; // optional (only available if configured), may occur multiple times
+
+template <string> {
+	allow-notify { <address_match_element>; ... };
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
+	allow-update { <address_match_element>; ... };
+	allow-update-forwarding { <address_match_element>; ... };
+	also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+	check-dup-records ( fail | warn | ignore );
+	check-integrity <boolean>;
+	check-mx ( fail | warn | ignore );
+	check-mx-cname ( fail | warn | ignore );
+	check-names ( fail | warn | ignore );
+	check-sibling <boolean>;
+	check-spf ( warn | ignore );
+	check-srv-cname ( fail | warn | ignore );
+	check-svcb <boolean>;
+	check-wildcard <boolean>;
+	checkds ( explicit | <boolean> );
+	database <string>;
+	dlz <string>;
+	dnskey-sig-validity <integer>; // obsolete
+	dnssec-dnskey-kskonly <boolean>; // obsolete
+	dnssec-loadkeys-interval <integer>;
+	dnssec-policy <string>;
+	dnssec-secure-to-insecure <boolean>; // obsolete
+	dnssec-update-mode ( maintain | no-resign ); // obsolete
+	file <quoted_string>;
+	forward ( first | only );
+	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
+	initial-file <quoted_string>;
+	inline-signing <boolean>;
+	ixfr-from-differences <boolean>;
+	journal <quoted_string>;
+	key-directory <quoted_string>;
+	log-report-channel <boolean>;
+	masterfile-format ( raw | text );
+	masterfile-style ( full | relative );
+	max-ixfr-ratio ( unlimited | <percentage> );
+	max-journal-size ( default | unlimited | <sizeval> );
+	max-records <integer>;
+	max-records-per-type <integer>;
+	max-refresh-time <integer>;
+	max-retry-time <integer>;
+	max-transfer-idle-in <integer>;
+	max-transfer-idle-out <integer>;
+	max-transfer-time-in <integer>;
+	max-transfer-time-out <integer>;
+	max-types-per-name <integer>;
+	max-zone-ttl ( unlimited | <duration> ); // deprecated
+	min-refresh-time <integer>;
+	min-retry-time <integer>;
+	min-transfer-rate-in <integer> <integer>;
+	multi-master <boolean>;
+	notify ( explicit | master-only | primary-only | <boolean> );
+	notify-defer <integer>;
+	notify-delay <integer>;
+	notify-source ( <ipv4_address> | * );
+	notify-source-v6 ( <ipv6_address> | * );
+	notify-to-soa <boolean>;
+	nsec3-test-zone <boolean>; // test only
+	parental-agents [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+	parental-source ( <ipv4_address> | * );
+	parental-source-v6 ( <ipv6_address> | * );
+	primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+	provide-zoneversion <boolean>;
+	request-expire <boolean>;
+	request-ixfr <boolean>;
+	request-ixfr-max-diffs <integer>;
+	send-report-channel <string>;
+	serial-update-method ( date | increment | unixtime );
+	server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };
+	server-names { <string>; ... };
+	sig-signing-nodes <integer>;
+	sig-signing-signatures <integer>;
+	sig-signing-type <integer>;
+	sig-validity-interval <integer> [ <integer> ]; // obsolete
+	transfer-source ( <ipv4_address> | * );
+	transfer-source-v6 ( <ipv6_address> | * );
+	try-tcp-refresh <boolean>;
+	type ( primary | master | secondary | slave | mirror | forward | hint | redirect | static-stub | stub );
+	update-check-ksk <boolean>; // obsolete
+	update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | krb5-subdomain-self-rhs | ms-self | ms-selfsub | ms-subdomain | ms-subdomain-self-rhs | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } );
+	zero-no-soa-ttl <boolean>;
+	zone-statistics ( full | terse | none | <boolean> );
+}; // may occur multiple times
+
+tls <string> {
+	ca-file <quoted_string>;
+	cert-file <quoted_string>;
+	cipher-suites <string>;
+	ciphers <string>;
+	dhparam-file <quoted_string>;
+	key-file <quoted_string>;
+	prefer-server-ciphers <boolean>;
+	protocols { <string>; ... };
+	remote-hostname <quoted_string>;
+	session-tickets <boolean>;
+}; // may occur multiple times
+
+trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
+
+view <string> [ <class> ] {
+	allow-new-zones <boolean>;
+	allow-notify { <address_match_element>; ... };
+	allow-proxy { <address_match_element>; ... }; // experimental
+	allow-proxy-on { <address_match_element>; ... }; // experimental
+	allow-query { <address_match_element>; ... };
+	allow-query-cache { <address_match_element>; ... };
+	allow-query-cache-on { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	allow-recursion { <address_match_element>; ... };
+	allow-recursion-on { <address_match_element>; ... };
+	allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
+	allow-update { <address_match_element>; ... };
+	allow-update-forwarding { <address_match_element>; ... };
+	also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+	attach-cache <string>;
+	auth-nxdomain <boolean>;
+	catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
+	check-dup-records ( fail | warn | ignore );
+	check-integrity <boolean>;
+	check-mx ( fail | warn | ignore );
+	check-mx-cname ( fail | warn | ignore );
+	check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
+	check-sibling <boolean>;
+	check-spf ( warn | ignore );
+	check-srv-cname ( fail | warn | ignore );
+	check-svcb <boolean>;
+	check-wildcard <boolean>;
+	clients-per-query <integer>;
+	deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ];
+	deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
+	disable-algorithms <string> { <string>; ... }; // may occur multiple times
+	disable-ds-digests <string> { <string>; ... }; // may occur multiple times
+	disable-empty-zone <string>; // may occur multiple times
+	dlz <string> {
+		database <string>;
+		search <boolean>;
+	}; // may occur multiple times
+	dns64 <netprefix> {
+		break-dnssec <boolean>;
+		clients { <address_match_element>; ... };
+		exclude { <address_match_element>; ... };
+		mapped { <address_match_element>; ... };
+		recursive-only <boolean>;
+		suffix <ipv6_address>;
+	}; // may occur multiple times
+	dns64-contact <string>;
+	dns64-server <string>;
+	dnskey-sig-validity <integer>; // obsolete
+	dnsrps-enable <boolean>; // obsolete
+	dnsrps-options { <unspecified-text> }; // obsolete
+	dnssec-accept-expired <boolean>;
+	dnssec-dnskey-kskonly <boolean>; // obsolete
+	dnssec-loadkeys-interval <integer>;
+	dnssec-policy <string>;
+	dnssec-secure-to-insecure <boolean>; // obsolete
+	dnssec-update-mode ( maintain | no-resign ); // obsolete
+	dnssec-validation ( yes | no | auto );
+	dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // optional (only available if configured)
+	dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
+	dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times
+	edns-udp-size <integer>;
+	empty-contact <string>;
+	empty-server <string>;
+	empty-zones-enable <boolean>;
+	fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
+	fetches-per-server <integer> [ ( drop | fail ) ];
+	fetches-per-zone <integer> [ ( drop | fail ) ];
+	forward ( first | only );
+	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
+	ipv4only-contact <string>;
+	ipv4only-enable <boolean>;
+	ipv4only-server <string>;
+	ixfr-from-differences ( primary | master | secondary | slave | <boolean> );
+	key <string> {
+		algorithm <string>;
+		secret <string>;
+	}; // may occur multiple times
+	key-directory <quoted_string>;
+	lame-ttl <duration>;
+	lmdb-mapsize <sizeval>; // optional (only available if configured)
+	masterfile-format ( raw | text );
+	masterfile-style ( full | relative );
+	match-clients { <address_match_element>; ... };
+	match-destinations { <address_match_element>; ... };
+	match-recursive-only <boolean>;
+	max-cache-size ( default | unlimited | <sizeval> | <percentage> );
+	max-cache-ttl <duration>;
+	max-clients-per-query <integer>;
+	max-ixfr-ratio ( unlimited | <percentage> );
+	max-journal-size ( default | unlimited | <sizeval> );
+	max-ncache-ttl <duration>;
+	max-query-count <integer>;
+	max-query-restarts <integer>;
+	max-records <integer>;
+	max-records-per-type <integer>;
+	max-recursion-depth <integer>;
+	max-recursion-queries <integer>;
+	max-refresh-time <integer>;
+	max-retry-time <integer>;
+	max-stale-ttl <duration>;
+	max-transfer-idle-in <integer>;
+	max-transfer-idle-out <integer>;
+	max-transfer-time-in <integer>;
+	max-transfer-time-out <integer>;
+	max-types-per-name <integer>;
+	max-udp-size <integer>;
+	max-validation-failures-per-fetch <integer>; // experimental
+	max-validations-per-fetch <integer>; // experimental
+	max-zone-ttl ( unlimited | <duration> ); // deprecated
+	message-compression <boolean>;
+	min-cache-ttl <duration>;
+	min-ncache-ttl <duration>;
+	min-refresh-time <integer>;
+	min-retry-time <integer>;
+	min-transfer-rate-in <integer> <integer>;
+	minimal-any <boolean>;
+	minimal-responses ( no-auth | no-auth-recursive | <boolean> );
+	multi-master <boolean>;
+	new-zones-directory <quoted_string>;
+	no-case-compress { <address_match_element>; ... };
+	nocookie-udp-size <integer>;
+	notify ( explicit | master-only | primary-only | <boolean> );
+	notify-defer <integer>;
+	notify-delay <integer>;
+	notify-source ( <ipv4_address> | * );
+	notify-source-v6 ( <ipv6_address> | * );
+	notify-to-soa <boolean>;
+	nsec3-test-zone <boolean>; // test only
+	nta-lifetime <duration>;
+	nta-recheck <duration>;
+	nxdomain-redirect <string>;
+	parental-source ( <ipv4_address> | * );
+	parental-source-v6 ( <ipv6_address> | * );
+	plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times
+	preferred-glue <string>;
+	prefetch <integer> [ <integer> ];
+	provide-ixfr <boolean>;
+	provide-zoneversion <boolean>;
+	qname-minimization ( strict | relaxed | disabled | off );
+	query-source [ address ] ( <ipv4_address> | * | none );
+	query-source-v6 [ address ] ( <ipv6_address> | * | none );
+	rate-limit {
+		all-per-second <integer>;
+		errors-per-second <integer>;
+		exempt-clients { <address_match_element>; ... };
+		ipv4-prefix-length <integer>;
+		ipv6-prefix-length <integer>;
+		log-only <boolean>;
+		max-table-size <integer>;
+		min-table-size <integer>;
+		nodata-per-second <integer>;
+		nxdomains-per-second <integer>;
+		qps-scale <integer>;
+		referrals-per-second <integer>;
+		responses-per-second <integer>;
+		slip <integer>;
+		window <integer>;
+	};
+	recursion <boolean>;
+	request-expire <boolean>;
+	request-ixfr <boolean>;
+	request-ixfr-max-diffs <integer>;
+	request-nsid <boolean>;
+	request-zoneversion <boolean>;
+	require-server-cookie <boolean>;
+	resolver-query-timeout <integer>;
+	resolver-use-dns64 <boolean>;
+	response-padding { <address_match_element>; ... } block-size <integer>;
+	response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
+	root-key-sentinel <boolean>;
+	rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
+	send-cookie <boolean>;
+	send-report-channel <string>;
+	serial-update-method ( date | increment | unixtime );
+	server <netprefix> {
+		bogus <boolean>;
+		edns <boolean>;
+		edns-udp-size <integer>;
+		edns-version <integer>;
+		keys <server_key>;
+		max-udp-size <integer>;
+		notify-source ( <ipv4_address> | * );
+		notify-source-v6 ( <ipv6_address> | * );
+		padding <integer>;
+		provide-ixfr <boolean>;
+		query-source [ address ] ( <ipv4_address> | * );
+		query-source-v6 [ address ] ( <ipv6_address> | * );
+		request-expire <boolean>;
+		request-ixfr <boolean>;
+		request-ixfr-max-diffs <integer>;
+		request-nsid <boolean>;
+		request-zoneversion <boolean>;
+		require-cookie <boolean>;
+		send-cookie <boolean>;
+		tcp-keepalive <boolean>;
+		tcp-only <boolean>;
+		transfer-format ( many-answers | one-answer );
+		transfer-source ( <ipv4_address> | * );
+		transfer-source-v6 ( <ipv6_address> | * );
+		transfers <integer>;
+	}; // may occur multiple times
+	servfail-ttl <duration>;
+	sig-signing-nodes <integer>;
+	sig-signing-signatures <integer>;
+	sig-signing-type <integer>;
+	sig-validity-interval <integer> [ <integer> ]; // obsolete
+	sig0key-checks-limit <integer>;
+	sig0message-checks-limit <integer>;
+	stale-answer-client-timeout ( disabled | off | <integer> );
+	stale-answer-enable <boolean>;
+	stale-answer-ttl <duration>;
+	stale-cache-enable <boolean>;
+	stale-refresh-time <duration>;
+	synth-from-dnssec <boolean>;
+	transfer-format ( many-answers | one-answer );
+	transfer-source ( <ipv4_address> | * );
+	transfer-source-v6 ( <ipv6_address> | * );
+	trust-anchor-telemetry <boolean>;
+	trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
+	try-tcp-refresh <boolean>;
+	update-check-ksk <boolean>; // obsolete
+	v6-bias <integer>;
+	validate-except { <string>; ... };
+	zero-no-soa-ttl <boolean>;
+	zero-no-soa-ttl-cache <boolean>;
+	zone-statistics ( full | terse | none | <boolean> );
+}; // may occur multiple times
+
diff --git a/doc/misc/primary.zoneopt b/doc/misc/primary.zoneopt
new file mode 100644
index 0000000000..dd1b94756b
--- /dev/null
+++ b/doc/misc/primary.zoneopt
@@ -0,0 +1,68 @@
+zone <string> [ <class> ] {
+	type primary;
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
+	allow-update { <address_match_element>; ... };
+	also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+	check-dup-records ( fail | warn | ignore );
+	check-integrity <boolean>;
+	check-mx ( fail | warn | ignore );
+	check-mx-cname ( fail | warn | ignore );
+	check-names ( fail | warn | ignore );
+	check-sibling <boolean>;
+	check-spf ( warn | ignore );
+	check-srv-cname ( fail | warn | ignore );
+	check-svcb <boolean>;
+	check-wildcard <boolean>;
+	checkds ( explicit | <boolean> );
+	database <string>;
+	dlz <string>;
+	dnskey-sig-validity <integer>; // obsolete
+	dnssec-dnskey-kskonly <boolean>; // obsolete
+	dnssec-loadkeys-interval <integer>;
+	dnssec-policy <string>;
+	dnssec-secure-to-insecure <boolean>; // obsolete
+	dnssec-update-mode ( maintain | no-resign ); // obsolete
+	file <quoted_string>;
+	forward ( first | only );
+	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
+	initial-file <quoted_string>;
+	inline-signing <boolean>;
+	ixfr-from-differences <boolean>;
+	journal <quoted_string>;
+	key-directory <quoted_string>;
+	log-report-channel <boolean>;
+	masterfile-format ( raw | text );
+	masterfile-style ( full | relative );
+	max-ixfr-ratio ( unlimited | <percentage> );
+	max-journal-size ( default | unlimited | <sizeval> );
+	max-records <integer>;
+	max-records-per-type <integer>;
+	max-transfer-idle-out <integer>;
+	max-transfer-time-out <integer>;
+	max-types-per-name <integer>;
+	max-zone-ttl ( unlimited | <duration> ); // deprecated
+	notify ( explicit | master-only | primary-only | <boolean> );
+	notify-defer <integer>;
+	notify-delay <integer>;
+	notify-source ( <ipv4_address> | * );
+	notify-source-v6 ( <ipv6_address> | * );
+	notify-to-soa <boolean>;
+	nsec3-test-zone <boolean>; // test only
+	parental-agents [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+	parental-source ( <ipv4_address> | * );
+	parental-source-v6 ( <ipv6_address> | * );
+	provide-zoneversion <boolean>;
+	send-report-channel <string>;
+	serial-update-method ( date | increment | unixtime );
+	sig-signing-nodes <integer>;
+	sig-signing-signatures <integer>;
+	sig-signing-type <integer>;
+	sig-validity-interval <integer> [ <integer> ]; // obsolete
+	template <string>;
+	update-check-ksk <boolean>; // obsolete
+	update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | krb5-subdomain-self-rhs | ms-self | ms-selfsub | ms-subdomain | ms-subdomain-self-rhs | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } );
+	zero-no-soa-ttl <boolean>;
+	zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/redirect.zoneopt b/doc/misc/redirect.zoneopt
new file mode 100644
index 0000000000..e338b6e231
--- /dev/null
+++ b/doc/misc/redirect.zoneopt
@@ -0,0 +1,16 @@
+zone <string> [ <class> ] {
+	type redirect;
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	dlz <string>;
+	file <quoted_string>;
+	masterfile-format ( raw | text );
+	masterfile-style ( full | relative );
+	max-records <integer>;
+	max-records-per-type <integer>;
+	max-types-per-name <integer>;
+	max-zone-ttl ( unlimited | <duration> ); // deprecated
+	primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+	template <string>;
+	zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/rndc.grammar b/doc/misc/rndc.grammar
new file mode 100644
index 0000000000..9d5604f98a
--- /dev/null
+++ b/doc/misc/rndc.grammar
@@ -0,0 +1,21 @@
+key <string> {
+	algorithm <string>;
+	secret <string>;
+}; // may occur multiple times
+
+options {
+	default-key <string>;
+	default-port <integer>;
+	default-server <string>;
+	default-source-address ( <ipv4_address> | * );
+	default-source-address-v6 ( <ipv6_address> | * );
+};
+
+server <string> {
+	addresses { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
+	key <string>;
+	port <integer>;
+	source-address ( <ipv4_address> | * );
+	source-address-v6 ( <ipv6_address> | * );
+}; // may occur multiple times
+
diff --git a/doc/misc/secondary.zoneopt b/doc/misc/secondary.zoneopt
new file mode 100644
index 0000000000..7529112a33
--- /dev/null
+++ b/doc/misc/secondary.zoneopt
@@ -0,0 +1,70 @@
+zone <string> [ <class> ] {
+	type secondary;
+	allow-notify { <address_match_element>; ... };
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
+	allow-update-forwarding { <address_match_element>; ... };
+	also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+	check-names ( fail | warn | ignore );
+	checkds ( explicit | <boolean> );
+	database <string>;
+	dlz <string>;
+	dnskey-sig-validity <integer>; // obsolete
+	dnssec-dnskey-kskonly <boolean>; // obsolete
+	dnssec-loadkeys-interval <integer>;
+	dnssec-policy <string>;
+	dnssec-update-mode ( maintain | no-resign ); // obsolete
+	file <quoted_string>;
+	forward ( first | only );
+	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
+	inline-signing <boolean>;
+	ixfr-from-differences <boolean>;
+	journal <quoted_string>;
+	key-directory <quoted_string>;
+	log-report-channel <boolean>;
+	masterfile-format ( raw | text );
+	masterfile-style ( full | relative );
+	max-ixfr-ratio ( unlimited | <percentage> );
+	max-journal-size ( default | unlimited | <sizeval> );
+	max-records <integer>;
+	max-records-per-type <integer>;
+	max-refresh-time <integer>;
+	max-retry-time <integer>;
+	max-transfer-idle-in <integer>;
+	max-transfer-idle-out <integer>;
+	max-transfer-time-in <integer>;
+	max-transfer-time-out <integer>;
+	max-types-per-name <integer>;
+	min-refresh-time <integer>;
+	min-retry-time <integer>;
+	min-transfer-rate-in <integer> <integer>;
+	multi-master <boolean>;
+	notify ( explicit | master-only | primary-only | <boolean> );
+	notify-defer <integer>;
+	notify-delay <integer>;
+	notify-source ( <ipv4_address> | * );
+	notify-source-v6 ( <ipv6_address> | * );
+	notify-to-soa <boolean>;
+	nsec3-test-zone <boolean>; // test only
+	parental-agents [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+	parental-source ( <ipv4_address> | * );
+	parental-source-v6 ( <ipv6_address> | * );
+	primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+	provide-zoneversion <boolean>;
+	request-expire <boolean>;
+	request-ixfr <boolean>;
+	request-ixfr-max-diffs <integer>;
+	send-report-channel <string>;
+	sig-signing-nodes <integer>;
+	sig-signing-signatures <integer>;
+	sig-signing-type <integer>;
+	sig-validity-interval <integer> [ <integer> ]; // obsolete
+	template <string>;
+	transfer-source ( <ipv4_address> | * );
+	transfer-source-v6 ( <ipv6_address> | * );
+	try-tcp-refresh <boolean>;
+	update-check-ksk <boolean>; // obsolete
+	zero-no-soa-ttl <boolean>;
+	zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/static-stub.zoneopt b/doc/misc/static-stub.zoneopt
new file mode 100644
index 0000000000..14928922dd
--- /dev/null
+++ b/doc/misc/static-stub.zoneopt
@@ -0,0 +1,14 @@
+zone <string> [ <class> ] {
+	type static-stub;
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	forward ( first | only );
+	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
+	max-records <integer>;
+	max-records-per-type <integer>;
+	max-types-per-name <integer>;
+	server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };
+	server-names { <string>; ... };
+	template <string>;
+	zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/stub.zoneopt b/doc/misc/stub.zoneopt
new file mode 100644
index 0000000000..4d25095484
--- /dev/null
+++ b/doc/misc/stub.zoneopt
@@ -0,0 +1,28 @@
+zone <string> [ <class> ] {
+	type stub;
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	check-names ( fail | warn | ignore );
+	database <string>;
+	file <quoted_string>;
+	forward ( first | only );
+	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
+	masterfile-format ( raw | text );
+	masterfile-style ( full | relative );
+	max-records <integer>;
+	max-records-per-type <integer>;
+	max-refresh-time <integer>;
+	max-retry-time <integer>;
+	max-transfer-idle-in <integer>;
+	max-transfer-time-in <integer>;
+	max-types-per-name <integer>;
+	min-refresh-time <integer>;
+	min-retry-time <integer>;
+	min-transfer-rate-in <integer> <integer>;
+	multi-master <boolean>;
+	primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+	template <string>;
+	transfer-source ( <ipv4_address> | * );
+	transfer-source-v6 ( <ipv6_address> | * );
+	zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/meson.build b/meson.build
index 154820dfdb..8d6b9c77a9 100644
--- a/meson.build
+++ b/meson.build
@@ -1619,6 +1619,8 @@ alias_target('system-test-dependencies', system_test_targets)
 
 ### Documentation
 
+alias_target('doc-misc', doc_misc_targets)
+
 if doc_opt.allowed()
     man_srcconf = man_srcset.apply(config, strict: false)
     foreach man : man_srcconf.sources()