Add hyperlinks to dig/mdig/delv +options

2025-08-30 22:15:20 +00:00 · 2022-04-25 18:12:17 +02:00
parent 0342dddce7
commit ac0c2378ca
8 changed files with 102 additions and 93 deletions
--- a/bin/delv/delv.rst
+++ b/bin/delv/delv.rst
@@ -107,7 +107,7 @@ Options
   or more trust anchors for the root zone (".").
   Keys that do not match the root zone name are ignored. An alternate
-   key name can be specified using the ``+root=NAME`` options.
+   key name can be specified using the :option:`+root` option.
   Note: When reading the trust anchor file, :program:`delv` treats ``trust-anchors``,
   ``initial-key``, and ``static-key`` identically. That is, for a managed key,
@@ -134,7 +134,7 @@ Options
   This option sets the systemwide debug level to ``level``. The allowed range is
   from 0 to 99. The default is 0 (no debugging). Debugging traces from
   :program:`delv` become more verbose as the debug level increases. See the
-   ``+mtrace``, ``+rtrace``, and ``+vtrace`` options below for
+   :option:`+mtrace`, :option:`+rtrace`, and :option:`+vtrace` options below for
   additional debugging details.
 .. option:: -h
@@ -148,7 +148,7 @@ Options
   server being queried is performing DNSSEC validation, then it does
   not return invalid data; this can cause :program:`delv` to time out. When it
   is necessary to examine invalid data to debug a DNSSEC problem, use
-   ``dig +cd``.)
+   :option:`dig +cd`.)
 .. option:: -m
@@ -309,8 +309,8 @@ assign values to options like the timeout interval. They have the form
 .. option:: +all, +noall
-   This option sets or clears the display options ``+[no]comments``,
+   This option sets or clears the display options :option:`+comments`,
-   ``+[no]rrcomments``, and ``+[no]trust`` as a group.
+   :option:`+rrcomments`, and :option:`+trust` as a group.
 .. option:: +multiline, +nomultiline
@@ -326,7 +326,7 @@ assign values to options like the timeout interval. They have the form
   *not* control whether to request DNSSEC records or to
   validate them. DNSSEC records are always requested, and validation
   always occurs unless suppressed by the use of :option:`-i` or
-   ``+noroot``.
+   :option:`+noroot`.
 .. option:: +root[=ROOT], +noroot
--- a/bin/dig/dig.rst
+++ b/bin/dig/dig.rst
@@ -224,8 +224,8 @@ Each query option is identified by a keyword preceded by a plus sign
 the string ``no`` to negate the meaning of that keyword. Other keywords
 assign values to options, like the timeout interval. They have the form
 ``+keyword=value``. Keywords may be abbreviated, provided the
-abbreviation is unambiguous; for example, ``+cd`` is equivalent to
+abbreviation is unambiguous; for example, :option:`+cd` is equivalent to
-``+cdflag``. The query options are:
+:option:`+cdflag`. The query options are:
 .. option:: +aaflag, +noaaflag
@@ -280,7 +280,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to
   ``B`` bytes.  The maximum and minimum sizes of this buffer are 65535 and
   0, respectively.  ``+bufsize`` restores the default buffer size.
-.. option:: +cdflag, +nocdflag
+.. option:: +cd, +cdflag, +nocdflag
   This option sets [or does not set] the CD (checking disabled) bit in the query. This
   requests the server to not perform DNSSEC validation of responses.
@@ -304,7 +304,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to
   Other types of comments in the output are not affected by this option, but
   can be controlled using other command-line switches. These include
-   ``+[no]cmd``, ``+[no]question``, ``+[no]stats``, and ``+[no]rrcomments``.
+   :option:`+cmd`, :option:`+question`, :option:`+stats`, and :option:`+rrcomments`.
 .. option:: +cookie=####, +nocookie
@@ -312,7 +312,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to
   from a previous response allows the server to identify a previous
   client. The default is ``+cookie``.
-   ``+cookie`` is also set when ``+trace`` is set to better emulate the
+   ``+cookie`` is also set when :option:`+trace` is set to better emulate the
   default queries from a nameserver.
 .. option:: +crypto, +nocrypto
@@ -326,13 +326,14 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to
 .. option:: +defname, +nodefname
-   This option, which is deprecated, is treated as a synonym for ``+[no]search``.
+   This option, which is deprecated, is treated as a synonym for
   :option:`+search`, :option:`+nosearch`.
 .. option:: +dns64prefix, +nodns64prefix
   Lookup IPV4ONLY.ARPA AAAA and print any DNS64 prefixes found.
-.. option:: +dnssec, +nodnssec
+.. option:: +dnssec, +do, +nodnssec, +nodo
   This option requests that DNSSEC records be sent by setting the DNSSEC OK (DO) bit in
   the OPT record in the additional section of the query.
@@ -341,7 +342,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to
   This option sets the search list to contain the single domain ``somename``, as if
   specified in a ``domain`` directive in ``/etc/resolv.conf``, and
-   enables search list processing as if the ``+search`` option were
+   enables search list processing as if the :option:`+search` option were
   given.
 .. option:: +dscp=value
@@ -403,31 +404,31 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to
 .. option:: +https-get[=value], +nohttps-get
-   Similar to ``+https``, except that the HTTP GET request mode is used
+   Similar to :option:`+https`, except that the HTTP GET request mode is used
   when sending the query.
 .. option:: +https-post[=value], +nohttps-post
-   Same as ``+https``.
+   Same as :option:`+https`.
 .. option:: +http-plain[=value], +nohttp-plain
-   Similar to ``+https``, except that HTTP queries will be sent over a
+   Similar to :option:`+https`, except that HTTP queries will be sent over a
   non-encrypted channel. When this option is in use, the port number
   defaults to 80 and the HTTP request mode is POST.
 .. option:: +http-plain-get[=value], +nohttp-plain-get
-   Similar to ``+http-plain``, except that the HTTP request mode is GET.
+   Similar to :option:`+http-plain`, except that the HTTP request mode is GET.
 .. option:: +http-plain-post[=value], +nohttp-plain-post
-   Same as ``+http-plain``.
+   Same as :option:`+http-plain`.
 .. option:: +identify, +noidentify
   This option shows [or does not show] the IP address and port number that
-   supplied the answer, when the ``+short`` option is enabled. If short
+   supplied the answer, when the :option:`+short` option is enabled. If short
   form answers are requested, the default is not to show the source
   address and port number of the server that provided the answer.
@@ -478,7 +479,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to
   statement is present. Names with fewer dots are interpreted as
   relative names, and are searched for in the domains listed in the
   ``search`` or ``domain`` directive in ``/etc/resolv.conf`` if
-   ``+search`` is set.
+   :option:`+search` is set.
 .. option:: +nsid, +nonsid
@@ -533,19 +534,19 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to
 .. option:: +rdflag, +nordflag
-   This option is a synonym for ``+[no]recurse``.
+   This option is a synonym for :option:`+recurse`, :option:`+norecurse`.
 .. option:: +recurse, +norecurse
   This option toggles the setting of the RD (recursion desired) bit in the query.
   This bit is set by default, which means :program:`dig` normally sends
   recursive queries. Recursion is automatically disabled when the
-   ``+nssearch`` or ``+trace`` query option is used.
+   :option:`+nssearch` or :option:`+trace` query option is used.
 .. option:: +retry=T
   This option sets the number of times to retry UDP and TCP queries to server to ``T``
-   instead of the default, 2.  Unlike ``+tries``, this does not include
+   instead of the default, 2.  Unlike :option:`+tries`, this does not include
   the initial query.
 .. option:: +rrcomments, +norrcomments
@@ -561,7 +562,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to
   default.
   ``ndots`` from ``resolv.conf`` (default 1), which may be overridden by
-   ``+ndots``, determines whether the name is treated as relative
+   :option:`+ndots`, determines whether the name is treated as relative
   and hence whether a search is eventually performed.
 .. option:: +short, +noshort
@@ -632,27 +633,30 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to
   name servers. When this option is in use, the port number defaults
   to 853.
-``+[no]tls-ca[=file-name]``
+.. option:: +tls-ca[=file-name], +notls-ca
   This option enables remote server TLS certificate validation for
   DNS transports, relying on TLS. Certificate authorities
   certificates are loaded from the specified PEM file
   (``file-name``). If the file is not specified, the default
   certificates from the global certificates store are used.
-``+[no]tls-certfile=file-name`` and ``+[no]tls-keyfile=file-name``
+.. option:: +tls-certfile=file-name, +tls-keyfile=file-name, +notls-certfile, +notls-keyfile
   These options set the state of certificate-based client
   authentication for DNS transports, relying on TLS. Both certificate
   chain file and private key file are expected to be in PEM format.
   Both options must be specified at the same time.
-``+[no]tls-hostname=hostname``
+.. option:: +tls-hostname=hostname, +notls-hostname
-   This option makes ``dig`` use the provided hostname during remote
+
   This option makes :program:`dig` use the provided hostname during remote
   server TLS certificate verification. Otherwise, the DNS server name
-   is used. This option has no effect if ``+tls-ca`` is not specified.
+   is used. This option has no effect if :option:`+tls-ca` is not specified.
 .. option:: +topdown, +notopdown
-   This feature is related to ``dig +sigchase``, which is obsolete and
+   This feature is related to :option:`dig +sigchase`, which is obsolete and
   has been removed. Use :iscman:`delv` instead.
 .. option:: +trace, +notrace
@@ -667,7 +671,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to
   If ``@server`` is also specified, it affects only the initial query for
   the root zone name servers.
-   ``+dnssec`` is also set when ``+trace`` is set, to better emulate the
+   :option:`+dnssec` is also set when :option:`+trace` is set, to better emulate the
   default queries from a name server.
 .. option:: +tries=T
@@ -678,7 +682,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to
 .. option:: +trusted-key=####
-   This option formerly specified trusted keys for use with ``dig +sigchase``. This
+   This option formerly specified trusted keys for use with :option:`dig +sigchase`. This
   feature is now obsolete and has been removed; use :iscman:`delv` instead.
 .. option:: +ttlid, +nottlid
@@ -689,7 +693,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to
   This option displays [or does not display] the TTL in friendly human-readable time
   units of ``s``, ``m``, ``h``, ``d``, and ``w``, representing seconds, minutes,
-   hours, days, and weeks. This implies ``+ttlid``.
+   hours, days, and weeks. This implies :option:`+ttlid`.
 .. option:: +unknownformat, +nounknownformat
@@ -700,12 +704,12 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to
 .. option:: +vc, +novc
   This option uses [or does not use] TCP when querying name servers. This alternate
-   syntax to ``+[no]tcp`` is provided for backwards compatibility. The
+   syntax to :option:`+tcp` is provided for backwards compatibility. The
   ``vc`` stands for "virtual circuit."
 .. option:: +yaml, +noyaml
-   When enabled, this option prints the responses (and, if ``+qr`` is in use, also the
+   When enabled, this option prints the responses (and, if :option:`+qr` is in use, also the
   outgoing queries) in a detailed YAML format.
 .. option:: +zflag, +nozflag
@@ -730,8 +734,8 @@ query.
 A global set of query options, which should be applied to all queries,
 can also be supplied. These global query options must precede the first
 tuple of name, class, type, options, flags, and query options supplied
-on the command line. Any global query options (except ``+[no]cmd`` and
+on the command line. Any global query options (except :option:`+cmd` and
-``+[no]short`` options) can be overridden by a query-specific set of
+:option:`+short` options) can be overridden by a query-specific set of
 query options. For example:
 ::
@@ -741,8 +745,8 @@ query options. For example:
 shows how :program:`dig` can be used from the command line to make three
 lookups: an ANY query for ``www.isc.org``, a reverse lookup of 127.0.0.1,
 and a query for the NS records of ``isc.org``. A global query option of
-``+qr`` is applied, so that :program:`dig` shows the initial query it made for
+:option:`+qr` is applied, so that :program:`dig` shows the initial query it made for
-each lookup. The final query has a local query option of ``+noqr`` which
+each lookup. The final query has a local query option of :option:`+qr` which
 means that :program:`dig` does not print the initial query when it looks up the
 NS records for ``isc.org``.
@@ -754,7 +758,7 @@ support, it can accept and display non-ASCII domain names. :program:`dig`
 appropriately converts character encoding of a domain name before sending
 a request to a DNS server or displaying a reply from the server.
 To turn off IDN support, use the parameters
-``+noidnin`` and ``+noidnout``, or define the ``IDN_DISABLE`` environment
+:option:`+idnin` and :option:`+idnout`, or define the ``IDN_DISABLE`` environment
 variable.
 Return Codes
--- a/bin/tools/mdig.rst
+++ b/bin/tools/mdig.rst
@@ -216,7 +216,7 @@ The global query options are:
 .. option:: +vc, +novc
   This option uses [or does not use] TCP when querying name servers. This alternate
-   syntax to ``+[no]tcp`` is provided for backwards compatibility. The
+   syntax to :option:`+tcp` is provided for backwards compatibility. The
   ``vc`` stands for "virtual circuit".
 Local Options
@@ -249,7 +249,7 @@ The local query options are:
 .. option:: +aaflag, +noaaflag
-   This is a synonym for ``+[no]aaonly``.
+   This is a synonym for :option:`+aaonly`, :option:`+noaaonly`.
 .. option:: +aaonly, +noaaonly
@@ -325,7 +325,7 @@ The local query options are:
 .. option:: +retry=T
   This sets the number of times to retry UDP queries to server to ``T``
-   instead of the default, 2. Unlike ``+tries``, this does not include
+   instead of the default, 2. Unlike :option:`+tries`, this does not include
   the initial query.
 .. option:: +subnet=addr[/prefix-length], +nosubnet
--- a/doc/dnssec-guide/troubleshooting.rst
+++ b/doc/dnssec-guide/troubleshooting.rst
@@ -100,7 +100,7 @@ Visible DNSSEC Validation Symptoms
 After determining the query path, it is necessary to
 determine whether the problem is actually related to DNSSEC
-validation. You can use the ``+cd`` flag in :iscman:`dig` to disable
+validation. You can use the :option:`dig +cd` flag to disable
 validation, as described in
 :ref:`how_do_i_know_validation_problem`.
@@ -318,9 +318,9 @@ shortened for ease of display):
 Next, we query for the DNSKEY and RRSIG of ``example.net`` to see if
 there's anything wrong. Since we are having trouble validating, we
-can use the ``+cd`` option to temporarily disable checking and return
+can use the :option:`dig +cd` option to temporarily disable checking and return
 results, even though they do not pass the validation tests. The
-``+multiline`` option tells :iscman:`dig` to print the type, algorithm type,
+:option:`dig +multiline` option causes :iscman:`dig` to print the type, algorithm type,
 and key id for DNSKEY records. Again,
 some long strings are shortened for ease of display:
--- a/doc/dnssec-guide/validation.rst
+++ b/doc/dnssec-guide/validation.rst
@@ -324,10 +324,10 @@ How Do I Know I Have a Validation Problem?
 Since all DNSSEC validation failures result in a general ``SERVFAIL``
 message, how do we know if it was really a validation error?
-Fortunately, there is a flag in :iscman:`dig`, (``+cd``, for "checking
+Fortunately, there is a flag in :iscman:`dig`, ("CD" for "checking
 disabled") which tells the server to disable DNSSEC validation. If
 you receive a ``SERVFAIL`` message, re-run the query a second time
-and set the ``+cd`` flag. If the query succeeds with ``+cd``, but
+and set the :option:`dig +cd` flag. If the query succeeds with :option:`dig +cd`, but
 ends in ``SERVFAIL`` without it, you know you are dealing with a
 validation problem. So using the previous example of
 ``www.dnssec-failed.org`` and with DNSSEC validation enabled in the
@@ -748,7 +748,7 @@ larger packets over UDP. To support EDNS, both the DNS server
 and the network need to be properly prepared to support the larger
 packet sizes and multiple fragments.
-This is important for DNSSEC, since the ``+do`` bit that signals
+This is important for DNSSEC, since the :option:`dig +do` bit that signals
 DNSSEC-awareness is carried within EDNS, and DNSSEC responses are larger
 than traditional DNS ones. If DNS servers and the network environment cannot
 support large UDP packets, it will cause retransmission over TCP, or the
--- a/doc/man/delv.1in
+++ b/doc/man/delv.1in
@@ -121,7 +121,7 @@ is \fB@sysconfdir@/bind.keys\fP, which is included with BIND 9 and contains one
 or more trust anchors for the root zone (".").
 .sp
 Keys that do not match the root zone name are ignored. An alternate
-key name can be specified using the \fB+root=NAME\fP options.
+key name can be specified using the \fI\%+root\fP option.
 .sp
 Note: When reading the trust anchor file, \fBdelv\fP treats \fBtrust\-anchors\fP,
 \fBinitial\-key\fP, and \fBstatic\-key\fP identically. That is, for a managed key,
@@ -151,7 +151,7 @@ This option sets the query class for the requested data. Currently, only class
 This option sets the systemwide debug level to \fBlevel\fP\&. The allowed range is
 from 0 to 99. The default is 0 (no debugging). Debugging traces from
 \fBdelv\fP become more verbose as the debug level increases. See the
-\fB+mtrace\fP, \fB+rtrace\fP, and \fB+vtrace\fP options below for
+\fI\%+mtrace\fP, \fI\%+rtrace\fP, and \fI\%+vtrace\fP options below for
 additional debugging details.
 .UNINDENT
 .INDENT 0.0
@@ -167,7 +167,7 @@ however, that this does not set the CD bit on upstream queries. If the
 server being queried is performing DNSSEC validation, then it does
 not return invalid data; this can cause \fBdelv\fP to time out. When it
 is necessary to examine invalid data to debug a DNSSEC problem, use
-\fBdig +cd\fP\&.)
+\fI\%dig +cd\fP\&.)
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -347,8 +347,8 @@ multiline mode is active.
 .INDENT 0.0
 .TP
 .B +all, +noall
-This option sets or clears the display options \fB+[no]comments\fP,
+This option sets or clears the display options \fI\%+comments\fP,
-\fB+[no]rrcomments\fP, and \fB+[no]trust\fP as a group.
+\fI\%+rrcomments\fP, and \fI\%+trust\fP as a group.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -366,7 +366,7 @@ The default is to do so. Note that (unlike in \fI\%dig\fP) this does
 \fInot\fP control whether to request DNSSEC records or to
 validate them. DNSSEC records are always requested, and validation
 always occurs unless suppressed by the use of \fI\%\-i\fP or
-\fB+noroot\fP\&.
+\fI\%+noroot\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
--- a/doc/man/dig.1in
+++ b/doc/man/dig.1in
@@ -258,8 +258,8 @@ Each query option is identified by a keyword preceded by a plus sign
 the string \fBno\fP to negate the meaning of that keyword. Other keywords
 assign values to options, like the timeout interval. They have the form
 \fB+keyword=value\fP\&. Keywords may be abbreviated, provided the
-abbreviation is unambiguous; for example, \fB+cd\fP is equivalent to
+abbreviation is unambiguous; for example, \fI\%+cd\fP is equivalent to
-\fB+cdflag\fP\&. The query options are:
+\fI\%+cdflag\fP\&. The query options are:
 .INDENT 0.0
 .TP
 .B +aaflag, +noaaflag
@@ -325,7 +325,7 @@ This option sets the UDP message buffer size advertised using EDNS0 to
 .UNINDENT
 .INDENT 0.0
 .TP
-.B +cdflag, +nocdflag
+.B +cd, +cdflag, +nocdflag
 This option sets [or does not set] the CD (checking disabled) bit in the query. This
 requests the server to not perform DNSSEC validation of responses.
 .UNINDENT
@@ -351,7 +351,7 @@ the response section. The default is to print these comments.
 .sp
 Other types of comments in the output are not affected by this option, but
 can be controlled using other command\-line switches. These include
-\fB+[no]cmd\fP, \fB+[no]question\fP, \fB+[no]stats\fP, and \fB+[no]rrcomments\fP\&.
+\fI\%+cmd\fP, \fI\%+question\fP, \fI\%+stats\fP, and \fI\%+rrcomments\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -360,7 +360,7 @@ This option sends [or does not send] a COOKIE EDNS option, with an optional valu
 from a previous response allows the server to identify a previous
 client. The default is \fB+cookie\fP\&.
 .sp
-\fB+cookie\fP is also set when \fB+trace\fP is set to better emulate the
+\fB+cookie\fP is also set when \fI\%+trace\fP is set to better emulate the
 default queries from a nameserver.
 .UNINDENT
 .INDENT 0.0
@@ -376,7 +376,8 @@ key ID is displayed as the replacement, e.g. \fB[ key id = value ]\fP\&.
 .INDENT 0.0
 .TP
 .B +defname, +nodefname
-This option, which is deprecated, is treated as a synonym for \fB+[no]search\fP\&.
+This option, which is deprecated, is treated as a synonym for
 \fI\%+search\fP, \fI\%+nosearch\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -385,7 +386,7 @@ Lookup IPV4ONLY.ARPA AAAA and print any DNS64 prefixes found.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B +dnssec, +nodnssec
+.B +dnssec, +do, +nodnssec, +nodo
 This option requests that DNSSEC records be sent by setting the DNSSEC OK (DO) bit in
 the OPT record in the additional section of the query.
 .UNINDENT
@@ -394,7 +395,7 @@ the OPT record in the additional section of the query.
 .B +domain=somename
 This option sets the search list to contain the single domain \fBsomename\fP, as if
 specified in a \fBdomain\fP directive in \fB/etc/resolv.conf\fP, and
-enables search list processing as if the \fB+search\fP option were
+enables search list processing as if the \fI\%+search\fP option were
 given.
 .UNINDENT
 .INDENT 0.0
@@ -466,36 +467,36 @@ query URI; the default is \fB/dns\-query\fP\&. So, for example, \fBdig
 .INDENT 0.0
 .TP
 .B +https\-get[=value], +nohttps\-get
-Similar to \fB+https\fP, except that the HTTP GET request mode is used
+Similar to \fI\%+https\fP, except that the HTTP GET request mode is used
 when sending the query.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B +https\-post[=value], +nohttps\-post
-Same as \fB+https\fP\&.
+Same as \fI\%+https\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B +http\-plain[=value], +nohttp\-plain
-Similar to \fB+https\fP, except that HTTP queries will be sent over a
+Similar to \fI\%+https\fP, except that HTTP queries will be sent over a
 non\-encrypted channel. When this option is in use, the port number
 defaults to 80 and the HTTP request mode is POST.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B +http\-plain\-get[=value], +nohttp\-plain\-get
-Similar to \fB+http\-plain\fP, except that the HTTP request mode is GET.
+Similar to \fI\%+http\-plain\fP, except that the HTTP request mode is GET.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B +http\-plain\-post[=value], +nohttp\-plain\-post
-Same as \fB+http\-plain\fP\&.
+Same as \fI\%+http\-plain\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B +identify, +noidentify
 This option shows [or does not show] the IP address and port number that
-supplied the answer, when the \fB+short\fP option is enabled. If short
+supplied the answer, when the \fI\%+short\fP option is enabled. If short
 form answers are requested, the default is not to show the source
 address and port number of the server that provided the answer.
 .UNINDENT
@@ -553,7 +554,7 @@ the \fBndots\fP statement in \fB/etc/resolv.conf\fP, or 1 if no \fBndots\fP
 statement is present. Names with fewer dots are interpreted as
 relative names, and are searched for in the domains listed in the
 \fBsearch\fP or \fBdomain\fP directive in \fB/etc/resolv.conf\fP if
-\fB+search\fP is set.
+\fI\%+search\fP is set.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -618,7 +619,7 @@ QUERY.
 .INDENT 0.0
 .TP
 .B +rdflag, +nordflag
-This option is a synonym for \fB+[no]recurse\fP\&.
+This option is a synonym for \fI\%+recurse\fP, \fI\%+norecurse\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -626,13 +627,13 @@ This option is a synonym for \fB+[no]recurse\fP\&.
 This option toggles the setting of the RD (recursion desired) bit in the query.
 This bit is set by default, which means \fBdig\fP normally sends
 recursive queries. Recursion is automatically disabled when the
-\fB+nssearch\fP or \fB+trace\fP query option is used.
+\fI\%+nssearch\fP or \fI\%+trace\fP query option is used.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B +retry=T
 This option sets the number of times to retry UDP and TCP queries to server to \fBT\fP
-instead of the default, 2.  Unlike \fB+tries\fP, this does not include
+instead of the default, 2.  Unlike \fI\%+tries\fP, this does not include
 the initial query.
 .UNINDENT
 .INDENT 0.0
@@ -650,7 +651,7 @@ directive in \fBresolv.conf\fP, if any. The search list is not used by
 default.
 .sp
 \fBndots\fP from \fBresolv.conf\fP (default 1), which may be overridden by
-\fB+ndots\fP, determines whether the name is treated as relative
+\fI\%+ndots\fP, determines whether the name is treated as relative
 and hence whether a search is eventually performed.
 .UNINDENT
 .INDENT 0.0
@@ -734,28 +735,32 @@ to 853.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \fB+[no]tls\-ca[=file\-name]\fP
+.B +tls\-ca[=file\-name], +notls\-ca
 This option enables remote server TLS certificate validation for
 DNS transports, relying on TLS. Certificate authorities
 certificates are loaded from the specified PEM file
 (\fBfile\-name\fP). If the file is not specified, the default
 certificates from the global certificates store are used.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \fB+[no]tls\-certfile=file\-name\fP and \fB+[no]tls\-keyfile=file\-name\fP
+.B +tls\-certfile=file\-name, +tls\-keyfile=file\-name, +notls\-certfile, +notls\-keyfile
 These options set the state of certificate\-based client
 authentication for DNS transports, relying on TLS. Both certificate
 chain file and private key file are expected to be in PEM format.
 Both options must be specified at the same time.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \fB+[no]tls\-hostname=hostname\fP
+.B +tls\-hostname=hostname, +notls\-hostname
 This option makes \fBdig\fP use the provided hostname during remote
 server TLS certificate verification. Otherwise, the DNS server name
-is used. This option has no effect if \fB+tls\-ca\fP is not specified.
+is used. This option has no effect if \fI\%+tls\-ca\fP is not specified.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B +topdown, +notopdown
-This feature is related to \fBdig +sigchase\fP, which is obsolete and
+This feature is related to \fI\%dig +sigchase\fP, which is obsolete and
 has been removed. Use \fI\%delv\fP instead.
 .UNINDENT
 .INDENT 0.0
@@ -771,7 +776,7 @@ lookup.
 If \fB@server\fP is also specified, it affects only the initial query for
 the root zone name servers.
 .sp
-\fB+dnssec\fP is also set when \fB+trace\fP is set, to better emulate the
+\fI\%+dnssec\fP is also set when \fI\%+trace\fP is set, to better emulate the
 default queries from a name server.
 .UNINDENT
 .INDENT 0.0
@@ -784,7 +789,7 @@ the number of tries is silently rounded up to 1.
 .INDENT 0.0
 .TP
 .B +trusted\-key=####
-This option formerly specified trusted keys for use with \fBdig +sigchase\fP\&. This
+This option formerly specified trusted keys for use with \fI\%dig +sigchase\fP\&. This
 feature is now obsolete and has been removed; use \fI\%delv\fP instead.
 .UNINDENT
 .INDENT 0.0
@@ -797,7 +802,7 @@ This option displays [or does not display] the TTL when printing the record.
 .B +ttlunits, +nottlunits
 This option displays [or does not display] the TTL in friendly human\-readable time
 units of \fBs\fP, \fBm\fP, \fBh\fP, \fBd\fP, and \fBw\fP, representing seconds, minutes,
-hours, days, and weeks. This implies \fB+ttlid\fP\&.
+hours, days, and weeks. This implies \fI\%+ttlid\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -810,13 +815,13 @@ presentation format.
 .TP
 .B +vc, +novc
 This option uses [or does not use] TCP when querying name servers. This alternate
-syntax to \fB+[no]tcp\fP is provided for backwards compatibility. The
+syntax to \fI\%+tcp\fP is provided for backwards compatibility. The
 \fBvc\fP stands for "virtual circuit."
 .UNINDENT
 .INDENT 0.0
 .TP
 .B +yaml, +noyaml
-When enabled, this option prints the responses (and, if \fB+qr\fP is in use, also the
+When enabled, this option prints the responses (and, if \fI\%+qr\fP is in use, also the
 outgoing queries) in a detailed YAML format.
 .UNINDENT
 .INDENT 0.0
@@ -841,8 +846,8 @@ query.
 A global set of query options, which should be applied to all queries,
 can also be supplied. These global query options must precede the first
 tuple of name, class, type, options, flags, and query options supplied
-on the command line. Any global query options (except \fB+[no]cmd\fP and
+on the command line. Any global query options (except \fI\%+cmd\fP and
-\fB+[no]short\fP options) can be overridden by a query\-specific set of
+\fI\%+short\fP options) can be overridden by a query\-specific set of
 query options. For example:
 .INDENT 0.0
 .INDENT 3.5
@@ -858,8 +863,8 @@ dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr
 shows how \fBdig\fP can be used from the command line to make three
 lookups: an ANY query for \fBwww.isc.org\fP, a reverse lookup of 127.0.0.1,
 and a query for the NS records of \fBisc.org\fP\&. A global query option of
-\fB+qr\fP is applied, so that \fBdig\fP shows the initial query it made for
+\fI\%+qr\fP is applied, so that \fBdig\fP shows the initial query it made for
-each lookup. The final query has a local query option of \fB+noqr\fP which
+each lookup. The final query has a local query option of \fI\%+qr\fP which
 means that \fBdig\fP does not print the initial query when it looks up the
 NS records for \fBisc.org\fP\&.
 .SH IDN SUPPORT
@@ -869,7 +874,7 @@ support, it can accept and display non\-ASCII domain names. \fBdig\fP
 appropriately converts character encoding of a domain name before sending
 a request to a DNS server or displaying a reply from the server.
 To turn off IDN support, use the parameters
-\fB+noidnin\fP and \fB+noidnout\fP, or define the \fBIDN_DISABLE\fP environment
+\fI\%+idnin\fP and \fI\%+idnout\fP, or define the \fBIDN_DISABLE\fP environment
 variable.
 .SH RETURN CODES
 .sp
--- a/doc/man/mdig.1in
+++ b/doc/man/mdig.1in
@@ -248,7 +248,7 @@ hours, days, and weeks. This implies +ttlid.
 .TP
 .B +vc, +novc
 This option uses [or does not use] TCP when querying name servers. This alternate
-syntax to \fB+[no]tcp\fP is provided for backwards compatibility. The
+syntax to \fI\%+tcp\fP is provided for backwards compatibility. The
 \fBvc\fP stands for "virtual circuit".
 .UNINDENT
 .SH LOCAL OPTIONS
@@ -283,7 +283,7 @@ The local query options are:
 .INDENT 0.0
 .TP
 .B +aaflag, +noaaflag
-This is a synonym for \fB+[no]aaonly\fP\&.
+This is a synonym for \fI\%+aaonly\fP, \fI\%+noaaonly\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -372,7 +372,7 @@ recursive queries.
 .TP
 .B +retry=T
 This sets the number of times to retry UDP queries to server to \fBT\fP
-instead of the default, 2. Unlike \fB+tries\fP, this does not include
+instead of the default, 2. Unlike \fI\%+tries\fP, this does not include
 the initial query.
 .UNINDENT
 .INDENT 0.0