alphabetize

bin/python/dnssec-keymgr.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -59,10 +59,10 @@
   <refsection><info><title>DESCRIPTION</title></info>
     <para>
       <command>dnssec-keymgr</command>
-      is a high level Python wrapper to facilitate the key rollover 
+      is a high level Python wrapper to facilitate the key rollover
       process for zones handled by BIND. It uses the BIND commands
       for manipulating DNSSEC key metadata:
-      <command>dnssec-keygen</command> and 
+      <command>dnssec-keygen</command> and
       <command>dnssec-settime</command>.
     </para>
     <para>
@@ -80,14 +80,14 @@
       DNSSEC policy (for example, because the policy has been changed),
       they are automatically corrected.
     </para>
-    </para>
+    <para>
       A zone policy can specify a duration for which we want to
       ensure the key correctness (<option>coverage</option>).  It can
       also specify a rollover period (<option>roll-period</option>).
       If policy indicates that a key should roll over before the
       coverage period ends, then a successor key will automatically be
       created and added to the end of the key series.
-    <para>
+    </para>
     <para>
       If zones are specified on the command line,
       <command>dnssec-keymgr</command> will examine only those zones.
@@ -103,22 +103,12 @@
     </para>
     <para>
       It is expected that this tool will be run automatically and
-      unattended (for example, by <command>cron</command>).  
+      unattended (for example, by <command>cron</command>).
     </para>
   </refsection>
 
   <refsection><info><title>OPTIONS</title></info>
     <variablelist>
-      <varlistentry>
-        <term>-K <replaceable class="parameter">directory</replaceable></term>
-        <listitem>
-          <para>
-            Sets the directory in which keys can be found.  Defaults to the
-            current working directory.
-          </para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term>-c <replaceable class="parameter">file</replaceable></term>
         <listitem>
@@ -148,6 +138,37 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>-g <replaceable class="parameter">keygen path</replaceable></term>
+        <listitem>
+          <para>
+            Specifies a path to a <command>dnssec-keygen</command> binary.
+            Used for testing.
+            See also the <option>-s</option> option.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-K <replaceable class="parameter">directory</replaceable></term>
+        <listitem>
+          <para>
+            Sets the directory in which keys can be found.  Defaults to the
+            current working directory.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-k</term>
+        <listitem>
+          <para>
+            Only apply policies to KSK keys.
+            See also the <option>-z</option> option.
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>-q</term>
         <listitem>
@@ -159,10 +180,12 @@
       </varlistentry>
 
       <varlistentry>
-        <term>-k</term>
+        <term>-s <replaceable class="parameter">settime path</replaceable></term>
         <listitem>
           <para>
-            Only apply policies to KSK keys.
+            Specifies a path to a <command>dnssec-settime</command> binary.
+            Used for testing.
+            See also the <option>-g</option> option.
           </para>
         </listitem>
       </varlistentry>
@@ -172,26 +195,7 @@
         <listitem>
           <para>
             Only apply policies to ZSK keys.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-g <replaceable class="parameter">keygen path</replaceable></term>
-        <listitem>
-          <para>
-            Specifies a path to a <command>dnssec-keygen</command> binary.
-            Used for testing.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-s <replaceable class="parameter">settime path</replaceable></term>
-        <listitem>
-          <para>
-            Specifies a path to a <command>dnssec-settime</command> binary.
-            Used for testing.
+            See also the <option>-k</option> option.
           </para>
         </listitem>
       </varlistentry>
@@ -233,6 +237,25 @@
       Options that can be specified in policies:
     </para>
     <variablelist>
+      <varlistentry>
+	<term><command>algorithm</command></term>
+	<listitem>
+	  The key algorithm. If no policy is defined, the default is
+          RSASHA256.
+	</listitem>
+      </varlistentry>
+      <varlistentry>
+	<term><command>coverage</command></term>
+	<listitem>
+	  The length of time to ensure that keys will be correct; no action
+          will be taken to create new keys to be activated after this time.
+          This can be represented as a number of seconds, or as a duration using
+	  human-readable units (examples: "1y" or "6 months").
+	  A default value for this option can be set in algorithm policies
+	  as well as in policy classes or zone policies.
+          If no policy is configured, the default is six months.
+	</listitem>
+      </varlistentry>
       <varlistentry>
 	<term><command>directory</command></term>
 	<listitem>
@@ -240,10 +263,14 @@
 	</listitem>
       </varlistentry>
       <varlistentry>
-	<term><command>algorithm</command></term>
+	<term><command>key-size</command></term>
 	<listitem>
-	  The key algorithm. If no policy is defined, the default is
-      RSASHA256.
+	  Specifies the number of bits to use in creating keys.
+	  Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
+	  A default value for this option can be set in algorithm policies
+	  as well as in policy classes or zone policies. If no policy is
+          configured, the default is 1024 bits for DSA keys and 2048 for
+          RSA.
 	</listitem>
       </varlistentry>
       <varlistentry>
@@ -253,59 +280,36 @@
 	</listitem>
       </varlistentry>
       <varlistentry>
-	<term><command>coverage</command></term>
+	<term><command>post-publish</command></term>
 	<listitem>
-	  The length of time to ensure that keys will be correct; no action
-      will be taken to create new keys to be activated after this time.
-      This can be represented as a number of seconds, or as a duration using
-	  human-readable units (examples: "1y" or "6 months").
-	  A default value for this option can be set in algorithm policies
-	  as well as in policy classes or zone policies.
-      If no policy is configured, the default is six months.
-	</listitem>
-      </varlistentry>
-      <varlistentry>
-	<term><command>key-size</command></term>
-	<listitem>
-	  Specifies the number of bits to use in creating keys.
-	  Takes two arguments: keytype (eihter "zsk" or "ksk") and size. 
-	  A default value for this option can be set in algorithm policies
-	  as well as in policy classes or zone policies. If no policy is
-      configured, the default is 1024 bits for DSA keys and 2048 for
-      RSA.
-	</listitem>
-      </varlistentry>
-      <varlistentry>
-	<term><command>roll-period</command></term>
-	<listitem>
-	  How frequently keys should be rolled over.
-	  Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration. 
-	  A default value for this option can be set in algorithm policies
-	  as well as in policy classes or zone policies.  If no policy is
-      configured, the default is one year for ZSK's. KSK's do not
-      roll over by default.
+	  How long after inactivation a key should be deleted from the zone.
+	  Note: If <option>roll-period</option> is not set, this value is
+	  ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a
+	  duration. A default value for this option can be set in algorithm
+	  policies as well as in policy classes or zone policies. The default
+	  is one month.
 	</listitem>
       </varlistentry>
       <varlistentry>
 	<term><command>pre-publish</command></term>
 	<listitem>
 	  How long before activation a key should be published.  Note: If
-      <option>roll-period</option> is not set, this value is ignored.
-	  Takes two arguments: keytype (either "zsk" or "ksk") and a duration. 
+          <option>roll-period</option> is not set, this value is ignored.
+	  Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
 	  A default value for this option can be set in algorithm policies
 	  as well as in policy classes or zone policies.  The default is
-      one month.
+          one month.
 	</listitem>
       </varlistentry>
       <varlistentry>
-	<term><command>post-publish</command></term>
+	<term><command>roll-period</command></term>
 	<listitem>
-	  How long after inactivation a key should be deleted from the zone.
-	  Note: If <option>roll-period</option> is not set, this value is ignored.
-	  Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration. 
+	  How frequently keys should be rolled over.
+	  Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
 	  A default value for this option can be set in algorithm policies
-	  as well as in policy classes or zone policies. The default is one
-      month.
+	  as well as in policy classes or zone policies.  If no policy is
+          configured, the default is one year for ZSK's. KSK's do not
+          roll over by default.
 	</listitem>
       </varlistentry>
       <varlistentry>