Use compile-time paths in the manual pages

Replace the hard-coded paths for various BIND 9 files (configuration,
pid, etc.) in the man pages and ARM with compile-time values using the
sphinx-build replace system.

This is more complicated, because the restructured text specification
doesn't allow |substitions| inside ``code-blocks``, so for each specific
file we had to create own substition which is sub-optimal, but it is
only way how to do this without adding Sphinx extension.

Makefile.docs

@@ -9,6 +9,16 @@ AM_V_SPHINX_0 = @echo "  SPHINX   $@";
 
 SPHINXBUILDDIR = $(builddir)/_build
 
+LF = \n
+RNDC_CONF = .. |rndc_conf| replace:: ``$(sysconfdir)/rndc.conf``
+RNDC_KEY = .. |rndc_key| replace:: ``$(sysconfdir)/rndc.key``
+NAMED_CONF = .. |named_conf| replace:: ``$(sysconfdir)/named.conf``
+BIND_KEYS = .. |bind_keys| replace:: ``$(sysconfdir)/bind.keys``
+NAMED_PID = .. |named_pid| replace:: ``$(runstatedir)/named.pid``
+SESSION_KEY = .. |session_key| replace:: ``$(runstatedir)/session.key``
+
+export RST_EPILOG = $(RNDC_CONF)$(LF)$(RNDC_KEY)$(LF)$(NAMED_CONF)$(LF)$(BIND_KEYS)$(LF)$(NAMED_PID)$(LF)$(SESSION_KEY)
+
 common_SPHINXOPTS =			\
 	-W				\
 	-c $(srcdir)			\
@@ -17,18 +27,30 @@ common_SPHINXOPTS =			\
 
 # The "today" variable set below is not directly used in the ARM, but its value
 # is implicitly inserted on the title page of the PDF file produced by Sphinx.
-ALLSPHINXOPTS =				\
-	$(common_SPHINXOPTS)		\
-	-D today="$(RELEASE_DATE)"	\
-	$(SPHINXOPTS)			\
+ALLSPHINXOPTS =					\
+	$(common_SPHINXOPTS)			\
+	-D today="$(RELEASE_DATE)"		\
+	-D rst_epilog="$$(printf "$${RST_EPILOG}")"	\
+	$(SPHINXOPTS)				\
 	$(srcdir)
 
-man_SPHINXOPTS =			\
-	$(common_SPHINXOPTS)		\
-	-D version="@""PACKAGE_VERSION@"\
-	-D today="@""RELEASE_DATE@"	\
-	-D release="@""PACKAGE_VERSION@"\
-	$(SPHINXOPTS)			\
+_ = @
+man_RNDC_CONF = .. |rndc_conf| replace:: ``$(_)sysconfdir$(_)/rndc.conf``
+man_RNDC_KEY = .. |rndc_key| replace:: ``$(_)sysconfdir$(_)/rndc.key``
+man_NAMED_CONF = .. |named_conf| replace:: ``$(_)sysconfdir$(_)/named.conf``
+man_BIND_KEYS = .. |bind_keys| replace:: ``$(_)sysconfdir$(_)/bind.keys``
+man_NAMED_PID = .. |named_pid| replace:: ``$(_)runstatedir$(_)/named.pid``
+man_SESSION_KEY = .. |session_key| replace:: ``$(_)runstatedir$(_)/session.key``
+
+export man_RST_EPILOG = $(man_RNDC_CONF)$(LF)$(man_RNDC_KEY)$(LF)$(man_NAMED_CONF)$(LF)$(man_BIND_KEYS)$(LF)$(man_NAMED_PID)$(LF)$(man_SESSION_KEY)
+
+man_SPHINXOPTS =				\
+	$(common_SPHINXOPTS)			\
+	-D version="@""PACKAGE_VERSION@"	\
+	-D today="@""RELEASE_DATE@"		\
+	-D release="@""PACKAGE_VERSION@"	\
+	-D rst_epilog="$$(printf "$${man_RST_EPILOG}")"	\
+	$(SPHINXOPTS)				\
 	$(srcdir)
 
 AM_V_SED = $(AM_V_SED_@AM_V@)

bin/check/named-checkconf.rst

@@ -27,7 +27,7 @@ Description
 ``named-checkconf`` checks the syntax, but not the semantics, of a
 ``named`` configuration file. The file, along with all files included by it, is parsed and checked for syntax
 errors. If no file is specified,
-``/etc/named.conf`` is read by default.
+|named_conf| is read by default.
 
 Note: files that ``named`` reads in separate parser contexts, such as
 ``rndc.key`` and ``bind.keys``, are not automatically read by
@@ -81,7 +81,7 @@ Options
 
 ``filename``
    This indicates the name of the configuration file to be checked. If not specified,
-   it defaults to ``/etc/named.conf``.
+   it defaults to |named_conf|.
 
 Return Values
 ~~~~~~~~~~~~~

bin/confgen/rndc-confgen.rst

@@ -35,9 +35,8 @@ Options
 ~~~~~~~
 
 ``-a``
-   This option sets automatic ``rndc`` configuration, which creates a file ``rndc.key``
-   in ``/etc`` (or a different ``sysconfdir`` specified when BIND
-   was built) that is read by both ``rndc`` and ``named`` on startup.
+   This option sets automatic ``rndc`` configuration, which creates a file
+   |rndc_key| that is read by both ``rndc`` and ``named`` on startup.
    The ``rndc.key`` file defines a default command channel and
    authentication key allowing ``rndc`` to communicate with ``named`` on
    the local host with no further configuration.

bin/delv/delv.rst

@@ -97,7 +97,7 @@ Options
 
 ``-a anchor-file``
    This option specifies a file from which to read DNSSEC trust anchors. The default
-   is ``/etc/bind.keys``, which is included with BIND 9 and contains one
+   is |bind_keys|, which is included with BIND 9 and contains one
    or more trust anchors for the root zone (".").
 
    Keys that do not match the root zone name are ignored. An alternate
@@ -107,8 +107,8 @@ Options
    ``initial-key``, and ``static-key`` identically. That is, for a managed key,
    it is the *initial* key that is trusted; :rfc:`5011` key management is not
    supported. ``delv`` does not consult the managed-keys database maintained by
-   ``named``, which means that if either of the keys in ``/etc/bind.keys`` is
-   revoked and rolled over, ``/etc/bind.keys`` must be updated to
+   ``named``, which means that if either of the keys in |bind_keys| is
+   revoked and rolled over, |bind_keys| must be updated to
    use DNSSEC validation in ``delv``.
 
 ``-b address``
@@ -316,7 +316,7 @@ assign values to options like the timeout interval. They have the form
 Files
 ~~~~~
 
-``/etc/bind.keys``
+|bind_keys|
 
 ``/etc/resolv.conf``
 

bin/named/named.conf.rst

@@ -1133,7 +1133,7 @@ ZONE
 Files
 ~~~~~
 
-``/etc/named.conf``
+|named_conf|
 
 See Also
 ~~~~~~~~

bin/named/named.rst

@@ -29,7 +29,7 @@ distribution from ISC. For more information on the DNS, see :rfc:`1033`,
 :rfc:`1034`, and :rfc:`1035`.
 
 When invoked without arguments, ``named`` reads the default
-configuration file ``/etc/named.conf``, reads any initial data, and
+configuration file |named_conf|, reads any initial data, and
 listens for queries.
 
 Options
@@ -45,7 +45,7 @@ Options
 
 ``-c config-file``
    This option tells ``named`` to use ``config-file`` as its configuration file instead of the default,
-   ``/etc/named.conf``. To ensure that the configuration file
+   |named_conf|. To ensure that the configuration file
    can be reloaded after the server has changed its working directory
    due to to a possible ``directory`` option in the configuration file,
    ``config-file`` should be an absolute pathname.
@@ -206,10 +206,10 @@ in the script used to start the ``named`` process.
 Files
 ~~~~~
 
-``/etc/named.conf``
+|named_conf|
    The default configuration file.
 
-``/var/run/named/named.pid``
+|named_pid|
    The default process-id file.
 
 See Also

bin/nsupdate/nsupdate.rst

@@ -46,7 +46,7 @@ described in :rfc:`3645`.
 
 TSIG relies on a shared secret that should only be known to ``nsupdate``
 and the name server. For instance, suitable ``key`` and ``server``
-statements are added to ``/etc/named.conf`` so that the name server
+statements are added to |named_conf| so that the name server
 can associate the appropriate secret key and algorithm with the IP
 address of the client application that is using TSIG
 authentication. ``ddns-confgen`` can generate suitable
@@ -97,7 +97,7 @@ Options
    This option sets local-host only mode, which sets the server address to localhost
    (disabling the ``server`` so that the server address cannot be
    overridden). Connections to the local server use a TSIG key
-   found in ``/var/run/named/session.key``, which is automatically
+   found in |session_key|, which is automatically
    generated by ``named`` if any local ``primary`` zone has set
    ``update-policy`` to ``local``. The location of this key file can be
    overridden with the ``-k`` option.
@@ -335,7 +335,7 @@ Files
 ``/etc/resolv.conf``
    Used to identify the default name server
 
-``/var/run/named/session.key``
+|session_key|
    Sets the default TSIG key for use in local-only mode
 
 ``K{name}.+157.+{random}.key``

bin/plugins/filter-a.rst

@@ -31,7 +31,7 @@ For example:
 
 ::
 
-   plugin query "/usr/local/lib/filter-a.so" {
+   plugin query "filter-a.so" {
            filter-a-on-v6 yes;
            filter-a-on-v4 yes;
            filter-a { 192.0.2.1; 2001:db8:2::1; };

bin/plugins/filter-aaaa.rst

@@ -35,7 +35,7 @@ enabled with the ``filter-aaaa`` ACL and the ``filter-aaaa-on-v4`` and
 
 ::
 
-   plugin query "/usr/local/lib/filter-aaaa.so" {
+   plugin query "filter-aaaa.so" {
            filter-aaaa-on-v4 yes;
            filter-aaaa-on-v6 yes;
            filter-aaaa { 192.0.2.1; 2001:db8:2::1; };

bin/rndc/rndc.rst

@@ -59,11 +59,11 @@ Options
 
 ``-c config-file``
    This option indicates ``config-file`` as the configuration file instead of the default,
-   ``/etc/rndc.conf``.
+   |rndc_conf|.
 
 ``-k key-file``
    This option indicates ``key-file`` as the key file instead of the default,
-   ``/etc/rndc.key``. The key in ``/etc/rndc.key`` is used to
+   |rndc_key|. The key in |rndc_key| is used to
    authenticate commands sent to the server if the config-file does not
    exist.
 

doc/arm/conf.py

@@ -178,3 +178,17 @@ latex_documents = [
     ]
 
 latex_logo = "isc-logo.pdf"
+
+#
+# The rst_epilog will be completely overwritten from the Makefile,
+# the definition here is provided purely for situations when
+# sphinx-build is run by hand.
+#
+rst_epilog = """
+.. |rndc_conf| replace: ``/etc/rndc.conf``
+.. |rndc_key| replace: ``/etc/rndc.key``
+.. |named_conf| replace: ``/etc/named.conf``
+.. |bind_keys| replace: ``/etc/bind.keys``
+.. |named_pid| replace: ``/run/named.pid``
+.. |session_key| replace: ``/run/session.key``
+"""

doc/arm/configuration.rst

@@ -39,9 +39,6 @@ rules.
    // Two corporate subnets we wish to allow queries from.
    acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
    options {
-        // Working directory
-        directory "/etc/namedb";
-
         allow-query { corpnets; };
    };
    // Provide a reverse mapping for the loopback
@@ -64,8 +61,6 @@ the primary server for ``example.com`` and a secondary server for the subdomain
 ::
 
    options {
-        // Working directory
-        directory "/etc/namedb";
         // Do not allow access to cache
         allow-query-cache { none; };
         // This is the default
@@ -242,9 +237,9 @@ server.
    the server is authenticated with digital signatures that rely on a
    shared secret, and there is no way to provide that secret other than
    with a configuration file. The default location for the ``rndc``
-   configuration file is ``/etc/rndc.conf``, but an alternate location
+   configuration file is |rndc_conf|, but an alternate location
    can be specified with the ``-c`` option. If the configuration file is
-   not found, ``rndc`` also looks in ``/etc/rndc.key`` (or whatever
+   not found, ``rndc`` also looks in |rndc_key| (or whatever
    ``sysconfdir`` was defined when the BIND build was configured). The
    ``rndc.key`` file is generated by running ``rndc-confgen -a`` as
    described in :ref:`controls_statement_definition_and_usage`.
@@ -297,7 +292,7 @@ server.
            default-key    rndc_key;
       };
 
-   This file, if installed as ``/etc/rndc.conf``, allows the
+   This file, if installed as |rndc_conf|, allows the
    command:
 
    ``$ rndc reload``

doc/arm/reference.rst

@@ -404,9 +404,8 @@ If no ``controls`` statement is present, ``named`` sets up a default
 control channel listening on the loopback address 127.0.0.1 and its IPv6
 counterpart, ::1. In this case, and also when the ``controls`` statement
 is present but does not have a ``keys`` clause, ``named`` attempts
-to load the command channel key from the file ``rndc.key`` in ``/etc``
-(or whatever ``sysconfdir`` was specified when BIND was built). To
-create an ``rndc.key`` file, run ``rndc-confgen -a``.
+to load the command channel key from the file |rndc_key|.
+To create an ``rndc.key`` file, run ``rndc-confgen -a``.
 
 To disable the command channel, use an empty ``controls`` statement:
 ``controls { };``.
@@ -1247,7 +1246,7 @@ default is used.
 
 ``pid-file``
    This is the pathname of the file the server writes its process ID in. If not
-   specified, the default is ``/var/run/named/named.pid``. The PID file
+   specified, the default is |named_pid|. The PID file
    is used by programs that send signals to the running name
    server. Specifying ``pid-file none`` disables the use of a PID file;
    no file is written and any existing one is removed. Note
@@ -1268,7 +1267,7 @@ default is used.
 ``bindkeys-file``
    This is the pathname of a file to override the built-in trusted keys provided
    by ``named``. See the discussion of ``dnssec-validation`` for
-   details. If not specified, the default is ``/etc/bind.keys``.
+   details. If not specified, the default is |bind_keys|.
 
 ``secroots-file``
    This is the pathname of the file the server dumps security roots to, when
@@ -1278,7 +1277,7 @@ default is used.
 ``session-keyfile``
    This is the pathname of the file into which to write a TSIG session key
    generated by ``named`` for use by ``nsupdate -l``. If not specified,
-   the default is ``/var/run/named/session.key``. (See :ref:`dynamic_update_policies`,
+   the default is |session_key|. (See :ref:`dynamic_update_policies`,
    and in particular the discussion of the ``update-policy`` statement's
    ``local`` option, for more information about this feature.)
 
@@ -6032,7 +6031,7 @@ A pre-defined ``update-policy`` rule can be switched on with the command
 generates a TSIG session key when starting and stores it in a file;
 this key can then be used by local clients to update the zone while
 ``named`` is running. By default, the session key is stored in the file
-``/var/run/named/session.key``, the key name is "local-ddns", and the
+|session_key|, the key name is "local-ddns", and the
 key algorithm is HMAC-SHA256. These values are configurable with the
 ``session-keyfile``, ``session-keyname``, and ``session-keyalg`` options,
 respectively. A client running on the local system, if run with

doc/man/Makefile.am

@@ -132,6 +132,9 @@ man_SUBST =							\
 	$(AM_V_SED)$(SED)					\
 	  -e 's,[@]PACKAGE_VERSION@,$(PACKAGE_VERSION),'	\
 	  -e 's,[@]RELEASE_DATE@,$(RELEASE_DATE),'		\
+	  -e 's,[@]libdir[@],$(libdir),g'			\
+	  -e 's,[@]runstatedir[@],$(runstatedir),g'		\
+	  -e 's,[@]sysconfdir[@],$(sysconfdir),g'		\
 	  $(srcdir)/$@in >$@
 
 .1in.1:
@@ -170,6 +173,7 @@ if HAVE_SPHINX_BUILD
 manpages.stamp: $(MANPAGES_RST)
 	@rm -f manpages.tmp
 	@touch manpages.tmp
+	echo "${man_RST_EPILOG}"
 	$(AM_V_SPHINX)$(SPHINX_BUILD) -b man -d $(SPHINXBUILDDIR)/.doctrees/man $(man_SPHINXOPTS) $(SPHINXBUILDDIR)/man
 	for f in $(SPHINXBUILDDIR)/man/*; do \
 	  cp -a "$$f" "$(srcdir)/$$(basename $$f)in"; \

doc/man/conf.py

@@ -102,3 +102,17 @@ man_pages = [
     ('rndc', 'rndc', 'name server control utility', author, 8),
     ('tsig-keygen', 'tsig-keygen', 'TSIG key generation tool', author, 8),
     ]
+
+#
+# The rst_epilog will be completely overwritten from the Makefile,
+# the definition here is provided purely for situations when
+# sphinx-build is run by hand.
+#
+rst_epilog = """
+.. |rndc_conf| replace: ``@sysconfdir@/rndc.conf``
+.. |rndc_key| replace: ``@sysconfdir@/rndc.key``
+.. |named_conf| replace: ``@sysconfdir@/named.conf``
+.. |bind_keys| replace: ``@sysconfdir@/bind.keys``
+.. |named_pid| replace: ``@runstatedir@/named.pid``
+.. |session_key| replace: ``@runstatedir@/session.key``
+"""

doc/man/delv.1in

@@ -113,7 +113,7 @@ supplied, \fBdelv\fP performs a lookup for an A record.
 .TP
 .B \fB\-a anchor\-file\fP
 This option specifies a file from which to read DNSSEC trust anchors. The default
-is \fB/etc/bind.keys\fP, which is included with BIND 9 and contains one
+is \fB@sysconfdir@/bind.keys\fP, which is included with BIND 9 and contains one
 or more trust anchors for the root zone (".").
 .sp
 Keys that do not match the root zone name are ignored. An alternate
@@ -123,8 +123,8 @@ Note: When reading the trust anchor file, \fBdelv\fP treats \fBtrust\-anchors\fP
 \fBinitial\-key\fP, and \fBstatic\-key\fP identically. That is, for a managed key,
 it is the \fIinitial\fP key that is trusted; \fI\%RFC 5011\fP key management is not
 supported. \fBdelv\fP does not consult the managed\-keys database maintained by
-\fBnamed\fP, which means that if either of the keys in \fB/etc/bind.keys\fP is
-revoked and rolled over, \fB/etc/bind.keys\fP must be updated to
+\fBnamed\fP, which means that if either of the keys in \fB@sysconfdir@/bind.keys\fP is
+revoked and rolled over, \fB@sysconfdir@/bind.keys\fP must be updated to
 use DNSSEC validation in \fBdelv\fP\&.
 .TP
 .B \fB\-b address\fP
@@ -331,7 +331,7 @@ This option prints response data in YAML format.
 .UNINDENT
 .SH FILES
 .sp
-\fB/etc/bind.keys\fP
+\fB@sysconfdir@/bind.keys\fP
 .sp
 \fB/etc/resolv.conf\fP
 .SH SEE ALSO

doc/man/filter-a.8in

@@ -44,7 +44,7 @@ For example:
 .sp
 .nf
 .ft C
-plugin query "/usr/local/lib/filter\-a.so" {
+plugin query "filter\-a.so" {
         filter\-a\-on\-v6 yes;
         filter\-a\-on\-v4 yes;
         filter\-a { 192.0.2.1; 2001:db8:2::1; };

doc/man/filter-aaaa.8in

@@ -48,7 +48,7 @@ enabled with the \fBfilter\-aaaa\fP ACL and the \fBfilter\-aaaa\-on\-v4\fP and
 .sp
 .nf
 .ft C
-plugin query "/usr/local/lib/filter\-aaaa.so" {
+plugin query "filter\-aaaa.so" {
         filter\-aaaa\-on\-v4 yes;
         filter\-aaaa\-on\-v6 yes;
         filter\-aaaa { 192.0.2.1; 2001:db8:2::1; };

doc/man/named-checkconf.1in

@@ -38,7 +38,7 @@ named-checkconf \- named configuration file syntax checking tool
 \fBnamed\-checkconf\fP checks the syntax, but not the semantics, of a
 \fBnamed\fP configuration file. The file, along with all files included by it, is parsed and checked for syntax
 errors. If no file is specified,
-\fB/etc/named.conf\fP is read by default.
+\fB@sysconfdir@/named.conf\fP is read by default.
 .sp
 Note: files that \fBnamed\fP reads in separate parser contexts, such as
 \fBrndc.key\fP and \fBbind.keys\fP, are not automatically read by
@@ -91,7 +91,7 @@ This option performs a test load of all zones of type \fBprimary\fP found in \fB
 .TP
 .B \fBfilename\fP
 This indicates the name of the configuration file to be checked. If not specified,
-it defaults to \fB/etc/named.conf\fP\&.
+it defaults to \fB@sysconfdir@/named.conf\fP\&.
 .UNINDENT
 .SH RETURN VALUES
 .sp

doc/man/named.8in

@@ -40,7 +40,7 @@ distribution from ISC. For more information on the DNS, see \fI\%RFC 1033\fP,
 \fI\%RFC 1034\fP, and \fI\%RFC 1035\fP\&.
 .sp
 When invoked without arguments, \fBnamed\fP reads the default
-configuration file \fB/etc/named.conf\fP, reads any initial data, and
+configuration file \fB@sysconfdir@/named.conf\fP, reads any initial data, and
 listens for queries.
 .SH OPTIONS
 .INDENT 0.0
@@ -55,7 +55,7 @@ This option tells \fBnamed\fP to use only IPv6, even if the host machine is capa
 .TP
 .B \fB\-c config\-file\fP
 This option tells \fBnamed\fP to use \fBconfig\-file\fP as its configuration file instead of the default,
-\fB/etc/named.conf\fP\&. To ensure that the configuration file
+\fB@sysconfdir@/named.conf\fP\&. To ensure that the configuration file
 can be reloaded after the server has changed its working directory
 due to to a possible \fBdirectory\fP option in the configuration file,
 \fBconfig\-file\fP should be an absolute pathname.
@@ -234,10 +234,10 @@ in the script used to start the \fBnamed\fP process.
 .SH FILES
 .INDENT 0.0
 .TP
-.B \fB/etc/named.conf\fP
+.B \fB@sysconfdir@/named.conf\fP
 The default configuration file.
 .TP
-.B \fB/var/run/named/named.pid\fP
+.B \fB@runstatedir@/named.pid\fP
 The default process\-id file.
 .UNINDENT
 .SH SEE ALSO

doc/man/named.conf.5in

@@ -1231,7 +1231,7 @@ zone string [ class ] {
 .UNINDENT
 .SH FILES
 .sp
-\fB/etc/named.conf\fP
+\fB@sysconfdir@/named.conf\fP
 .SH SEE ALSO
 .sp
 \fBnamed(8)\fP, \fBnamed\-checkconf(8)\fP, \fBrndc(8)\fP, \fBrndc\-confgen(8)\fP, \fBtsig\-keygen(8)\fP, BIND 9 Administrator Reference Manual.

doc/man/nsupdate.1in

@@ -57,7 +57,7 @@ described in \fI\%RFC 3645\fP\&.
 .sp
 TSIG relies on a shared secret that should only be known to \fBnsupdate\fP
 and the name server. For instance, suitable \fBkey\fP and \fBserver\fP
-statements are added to \fB/etc/named.conf\fP so that the name server
+statements are added to \fB@sysconfdir@/named.conf\fP so that the name server
 can associate the appropriate secret key and algorithm with the IP
 address of the client application that is using TSIG
 authentication. \fBddns\-confgen\fP can generate suitable
@@ -107,7 +107,7 @@ the key specified is not an HMAC\-MD5 key.
 This option sets local\-host only mode, which sets the server address to localhost
 (disabling the \fBserver\fP so that the server address cannot be
 overridden). Connections to the local server use a TSIG key
-found in \fB/var/run/named/session.key\fP, which is automatically
+found in \fB@runstatedir@/session.key\fP, which is automatically
 generated by \fBnamed\fP if any local \fBprimary\fP zone has set
 \fBupdate\-policy\fP to \fBlocal\fP\&. The location of this key file can be
 overridden with the \fB\-k\fP option.
@@ -355,7 +355,7 @@ DNSKEY, and NSEC records.)
 .B \fB/etc/resolv.conf\fP
 Used to identify the default name server
 .TP
-.B \fB/var/run/named/session.key\fP
+.B \fB@runstatedir@/session.key\fP
 Sets the default TSIG key for use in local\-only mode
 .TP
 .B \fBK{name}.+157.+{random}.key\fP

doc/man/rndc-confgen.8in

@@ -45,9 +45,8 @@ by hand. Alternatively, it can be run with the \fB\-a\fP option to set up a
 .INDENT 0.0
 .TP
 .B \fB\-a\fP
-This option sets automatic \fBrndc\fP configuration, which creates a file \fBrndc.key\fP
-in \fB/etc\fP (or a different \fBsysconfdir\fP specified when BIND
-was built) that is read by both \fBrndc\fP and \fBnamed\fP on startup.
+This option sets automatic \fBrndc\fP configuration, which creates a file
+\fB@sysconfdir@/rndc.key\fP that is read by both \fBrndc\fP and \fBnamed\fP on startup.
 The \fBrndc.key\fP file defines a default command channel and
 authentication key allowing \fBrndc\fP to communicate with \fBnamed\fP on
 the local host with no further configuration.

doc/man/rndc.8in

@@ -69,11 +69,11 @@ IPv4 and IPv6 source addresses.
 .TP
 .B \fB\-c config\-file\fP
 This option indicates \fBconfig\-file\fP as the configuration file instead of the default,
-\fB/etc/rndc.conf\fP\&.
+\fB@sysconfdir@/rndc.conf\fP\&.
 .TP
 .B \fB\-k key\-file\fP
 This option indicates \fBkey\-file\fP as the key file instead of the default,
-\fB/etc/rndc.key\fP\&. The key in \fB/etc/rndc.key\fP is used to
+\fB@sysconfdir@/rndc.key\fP\&. The key in \fB@sysconfdir@/rndc.key\fP is used to
 authenticate commands sent to the server if the config\-file does not
 exist.
 .TP

doc/misc/rst-options.pl

@@ -125,7 +125,7 @@ print <<END;
 Files
 ~~~~~
 
-``/etc/named.conf``
+|named_conf|
 
 See Also
 ~~~~~~~~