diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8 index e88557cbcd..09cedeb2fe 100644 --- a/bin/dnssec/dnssec-keygen.8 +++ b/bin/dnssec/dnssec-keygen.8 @@ -14,7 +14,7 @@ .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-keygen.8,v 1.2 2000/06/28 03:20:46 jim Exp $ +.\" $Id: dnssec-keygen.8,v 1.3 2000/06/28 23:40:58 jim Exp $ .\" .Dd Jun 30, 2000 .Dt DNSSEC-KEYGEN 8 @@ -45,19 +45,19 @@ is defined in RFC2845. A short summary of the options and arguments to .Nm dnssec-keygen is printed by the -.Ar h +.Fl h (help) option. The -.Ar a , -.Ar b , +.Fl a , +.Fl b , and -.Ar n +.Fl n options and their arguments must be supplied when generating keys. The domain name that the key has to be generated for is given by .Ar name . .Pp The choice of encryption algorithm is selected by the -.Ar a +.Fl a option to .Nm dnssec-keygen . .Ar algorithm @@ -81,7 +81,7 @@ Implementations of TSIG must support HMAC-MD5. The number of bits in the key are determined by the .Ar keysize argument following the -.Ar b +.Fl b option. The choice of key size depends on the algorithm that is used. RSA keys must be between 512 and 2048 bits. @@ -91,7 +91,7 @@ of 64. The length of an HMAC-MD5 key can be between 1 and 512 bits. .Pp The -.Ar -n +.Fl n option specifies how the generated key will be used. .Ar nametype can be either @@ -111,13 +111,13 @@ are identical. is case-insensitive. .Pp The -.Ar e +.Fl e option can only be used when generating RSA keys. It tells .Nm dnssec-keygen to use a large exponent. When creating Diffie-Hellman keys, the -.Ar g +.Fl g option selects the Diffie-Hellman generator .Ar generator that is to be used. 
@@ -128,8 +128,10 @@ If no Diffie-Hellman generator is supplied a known prime from RFC2539 will be used if possible; otherwise 2 will be used as the generator. .Pp -.Ar protocol-value -sets the protocol value for the generated key. +The +.Fl p +option sets the protocol value for the generated key to +.Ar protocol-value . The default is 2 (email) for keys of type .Dv USER and 3 (DNSSEC) for all other key types. @@ -146,22 +148,25 @@ for generating random numbers, will prompt for some keyboard input and use the time intervals between keystrokes to provide some randomness. The -.Ar r +.Fl r option overrides this behaviour, making .Nm dnssec-keygen use .Ar randomdev as a source of random data. .Pp -The strength value that the key will sign DNS resource records with is -given by +The key's strength value can be set with the +.Fl s +option. +The generated key will sign DNS resource records +with a strength value of .Ar strength-value . It should be a number between 0 and 15. The default strength is zero. The key strength field currently has no defined purpose in DNSSEC. .Pp The -.Ar t +.Fl t option indicates if the key is to be used for authentication or confidentiality. .Ar type @@ -191,7 +196,7 @@ defines that the key cannot be used for confidentiality though it can be used for authentication. .Pp The -.Ar v +.Fl v option can be used to make .Nm dnssec-keygen more verbose. diff --git a/bin/dnssec/dnssec-makekeyset.8 b/bin/dnssec/dnssec-makekeyset.8 index aef6e969e9..ec66c37771 100644 --- a/bin/dnssec/dnssec-makekeyset.8 +++ b/bin/dnssec/dnssec-makekeyset.8 @@ -14,7 +14,7 @@ .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-makekeyset.8,v 1.2 2000/06/28 03:20:47 jim Exp $ +.\" $Id: dnssec-makekeyset.8,v 1.3 2000/06/28 23:40:59 jim Exp $ .\" .Dd Jun 30, 2000 .Dt DNSSEC-MAKEKEYSET 8 
@@ -60,7 +60,7 @@ into a key set. .Pp For any SIG records that are in the key set, the start time when the SIG records become valid is specified with the -.Ar s +.Fl s option. .Ar start-time can either be an absolute or relative date. @@ -70,12 +70,12 @@ A relative start time is supplied when .Ar start-time is given as +N: N seconds from the current time. If no -.Ar s +.Fl s option is supplied, the current date and time is used for the start time of the SIG records. .Pp The expiry date for the SIG records can be set by the -.Ar e +.Fl e option. Note that in this context, the expiry date specifies when the SIG records are no longer valid, not when they are deleted from caches on name @@ -99,7 +99,7 @@ defaults to an expire time of 30 days from the start time of the SIG records. .Pp An alternate source of random data can be specified with the -.Ar r +.Fl r option. .Ar randomdev is the name of the file to use to obtain random data. @@ -107,14 +107,14 @@ By default .Pa /dev/random is used if this device is available. If it is not provided by the operating system and no -.Ar r +.Fl r option is used, .Nm dnssec-makekeyset will prompt the user for input from the keyboard and use the time between keystrokes to derive some random data. .Pp The -.Ar t +.Fl t option is followed by a time-to-live argument .Ar TTL which indicates the TTL value that will be assigned to the assembled KEY @@ -122,14 +122,14 @@ and SIG records in the output file. .Ar TTL is expressed in seconds. If no -.Ar t +.Fl t option is provided, .Nm dnssec-makekeyset prints a warning and assumes that a default TTL of 3600 seconds was required. .Pp The -.Ar v +.Fl v option can be used to make .Nm dnssec-makekeyset more verbose. @@ -140,7 +140,7 @@ increases, generates increasingly detailed reports about what it is doing. The default level is zero. An option of -.Ar h +.Fl h gets .Nm dnssec-makekeyset to print a short summary of its options and arguments. 
diff --git a/bin/dnssec/dnssec-signkey.8 b/bin/dnssec/dnssec-signkey.8 index 76b82076a0..2bbefaca20 100644 --- a/bin/dnssec/dnssec-signkey.8 +++ b/bin/dnssec/dnssec-signkey.8 @@ -14,7 +14,7 @@ .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-signkey.8,v 1.2 2000/06/28 03:20:48 jim Exp $ +.\" $Id: dnssec-signkey.8,v 1.3 2000/06/28 23:41:00 jim Exp $ .\" .Dd Jun 30, 2000 .Dt DNSSEC-SIGNKEY 8 @@ -55,24 +55,24 @@ This allows the child's keys to be signed by more than 1 parent zone key if these exist. .Pp The -.Ar p +.Fl p option instructs .Nm dnssec-signkey to use pseudo-random data when signing the keys which is faster, but less secure, than using genuinely random data for signing. This option may be useful when there are many child zone keysets to -sign and CPU resources are limited. +sign of if the entropy source is limited. It could also be used for short-lived keys and signatures that don't require strengthening against cryptanalysis: for instance when the key will be discarded long before it could be compromised. .Pp An alternate file for obtaining random data can be used with the -.Ar r +.Fl r option. .Ar filename is the name of the file to use. If no -.Ar r +.Fl r option is used and the default file for random data .Pa /dev/random does not exist, @@ -82,7 +82,7 @@ The time between keystrokes will be measured and used to derive random data. .Pp The -.Ar v +.Fl v option can be used to make .Nm dnssec-signkey more verbose. @@ -94,7 +94,7 @@ generates increasingly detailed reports about what it is doing. The default level is zero. .Pp An option of -.Ar h +.Fl h makes .Nm dnssec-signkey print a short summary of its command line options diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8 index ee6374eb6e..3d69f65534 100644 --- a/bin/dnssec/dnssec-signzone.8 +++ b/bin/dnssec/dnssec-signzone.8 
@@ -14,7 +14,7 @@ .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-signzone.8,v 1.2 2000/06/28 03:20:49 jim Exp $ +.\" $Id: dnssec-signzone.8,v 1.3 2000/06/28 23:41:01 jim Exp $ .\" .Dd Jun 30, 2000 .Dt DNSSEC-SIGNZONE 8 @@ -66,7 +66,7 @@ current working directory used by .Ar zonefile is the name of the unsigned zone file. Unless the file name is the same as the name of the zone, the -.Ar o +.Fl o option should be given. .Ar origin will be the fully qualified domain origin for the zone. @@ -87,7 +87,7 @@ generates a file called .Ar zonefile.signed containing the signed zone file. This can be overridden by the -.Ar f +.Fl f option. Instead of this default file name, the signed zone file will be written to @@ -98,12 +98,12 @@ written to .Nm dnssec-signzone does not verify the signatures by default. The -.Ar a +.Fl a option makes it verify the signatures it generated. .Pp The date and time when the generated SIG records become valid can be specified with the -.Ar s +.Fl s option. .Ar start-time can either be an absolute or relative date. @@ -113,12 +113,12 @@ A relative start time is supplied when .Ar start-time is given as +N: N seconds from the current time. If no -.Ar s +.Fl s option is supplied, the current date and time is used for the start time of the SIG records. .Pp The expiry date for the SIG records can be set by the -.Ar e +.Fl e option. Note that in this context, the expiry date specifies when the SIG records are no longer valid, not when they are deleted from caches on name @@ -159,9 +159,9 @@ The default cycle time is quarter of the difference between the signature end and start dates for the current invocation of .Nm dnssec-signzone . So if the -.Ar e +.Fl e and -.Ar s +.Fl s options are not specified, .Nm dnssec-signzone generates signatures that are valid for 30 days from the current 
@@ -171,7 +171,7 @@ Therefore any SIG records that were due to expire in that time would be replaced with new ones. .Pp The -.Ar c +.Fl c option can be used to change the cycle time. .Ar cycle-time indicates the number of seconds from the current time that should be @@ -180,7 +180,7 @@ set the cycle time and determine when fresh SIG records should be generated. .Pp The -.Ar p +.Fl p option instructs .Nm dnssec-signzone to use pseudo-random data when signing the zone's resource records. @@ -192,7 +192,7 @@ require strengthening against cryptanalysis: for instance when the signatures will be discarded long before the signed data could be compromised. .Pp An alternate source of random data can be specified with the -.Ar r +.Fl r option. .Ar randomdev is the name of the file to use to obtain random data. @@ -200,21 +200,21 @@ By default .Pa /dev/random is used if this device is available. If it is not provided by the operating system and no -.Ar r +.Fl r option is used, .Nm dnssec-signzone will prompt the user for input from the keyboard and use the time between keystrokes to derive some random data. .Pp An option of -.Ar h +.Fl h makes .Nm dnssec-signzone print a short summary of its command line options and arguments. .Pp The -.Ar v +.Fl v option can be used to make .Nm dnssec-signzone more verbose. @@ -236,7 +236,7 @@ The zone file for this zone is .Dv example.com and it can be assumed to contain fully qualified domain names which means there is no need to use the -.Ar o +.Fl o option to set the domain origin. This zone file contains the keyset for .Dv example.com diff --git a/doc/man/dnssec/dnssec-keygen.8 b/doc/man/dnssec/dnssec-keygen.8 index e88557cbcd..09cedeb2fe 100644 --- a/doc/man/dnssec/dnssec-keygen.8 +++ b/doc/man/dnssec/dnssec-keygen.8 
@@ -14,7 +14,7 @@ .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-keygen.8,v 1.2 2000/06/28 03:20:46 jim Exp $ +.\" $Id: dnssec-keygen.8,v 1.3 2000/06/28 23:40:58 jim Exp $ .\" .Dd Jun 30, 2000 .Dt DNSSEC-KEYGEN 8 @@ -45,19 +45,19 @@ is defined in RFC2845. A short summary of the options and arguments to .Nm dnssec-keygen is printed by the -.Ar h +.Fl h (help) option. The -.Ar a , -.Ar b , +.Fl a , +.Fl b , and -.Ar n +.Fl n options and their arguments must be supplied when generating keys. The domain name that the key has to be generated for is given by .Ar name . .Pp The choice of encryption algorithm is selected by the -.Ar a +.Fl a option to .Nm dnssec-keygen . .Ar algorithm @@ -81,7 +81,7 @@ Implementations of TSIG must support HMAC-MD5. The number of bits in the key are determined by the .Ar keysize argument following the -.Ar b +.Fl b option. The choice of key size depends on the algorithm that is used. RSA keys must be between 512 and 2048 bits. @@ -91,7 +91,7 @@ of 64. The length of an HMAC-MD5 key can be between 1 and 512 bits. .Pp The -.Ar -n +.Fl n option specifies how the generated key will be used. .Ar nametype can be either @@ -111,13 +111,13 @@ are identical. is case-insensitive. .Pp The -.Ar e +.Fl e option can only be used when generating RSA keys. It tells .Nm dnssec-keygen to use a large exponent. When creating Diffie-Hellman keys, the -.Ar g +.Fl g option selects the Diffie-Hellman generator .Ar generator that is to be used. @@ -128,8 +128,10 @@ If no Diffie-Hellman generator is supplied a known prime from RFC2539 will be used if possible; otherwise 2 will be used as the generator. .Pp -.Ar protocol-value -sets the protocol value for the generated key. +The +.Fl p +option sets the protocol value for the generated key to +.Ar protocol-value . The default is 2 (email) for keys of type .Dv USER and 3 (DNSSEC) for all other key types. 
@@ -146,22 +148,25 @@ for generating random numbers, will prompt for some keyboard input and use the time intervals between keystrokes to provide some randomness. The -.Ar r +.Fl r option overrides this behaviour, making .Nm dnssec-keygen use .Ar randomdev as a source of random data. .Pp -The strength value that the key will sign DNS resource records with is -given by +The key's strength value can be set with the +.Fl s +option. +The generated key will sign DNS resource records +with a strength value of .Ar strength-value . It should be a number between 0 and 15. The default strength is zero. The key strength field currently has no defined purpose in DNSSEC. .Pp The -.Ar t +.Fl t option indicates if the key is to be used for authentication or confidentiality. .Ar type @@ -191,7 +196,7 @@ defines that the key cannot be used for confidentiality though it can be used for authentication. .Pp The -.Ar v +.Fl v option can be used to make .Nm dnssec-keygen more verbose. diff --git a/doc/man/dnssec/dnssec-makekeyset.8 b/doc/man/dnssec/dnssec-makekeyset.8 index aef6e969e9..ec66c37771 100644 --- a/doc/man/dnssec/dnssec-makekeyset.8 +++ b/doc/man/dnssec/dnssec-makekeyset.8 @@ -14,7 +14,7 @@ .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-makekeyset.8,v 1.2 2000/06/28 03:20:47 jim Exp $ +.\" $Id: dnssec-makekeyset.8,v 1.3 2000/06/28 23:40:59 jim Exp $ .\" .Dd Jun 30, 2000 .Dt DNSSEC-MAKEKEYSET 8 @@ -60,7 +60,7 @@ into a key set. .Pp For any SIG records that are in the key set, the start time when the SIG records become valid is specified with the -.Ar s +.Fl s option. .Ar start-time can either be an absolute or relative date. 
@@ -70,12 +70,12 @@ A relative start time is supplied when .Ar start-time is given as +N: N seconds from the current time. If no -.Ar s +.Fl s option is supplied, the current date and time is used for the start time of the SIG records. .Pp The expiry date for the SIG records can be set by the -.Ar e +.Fl e option. Note that in this context, the expiry date specifies when the SIG records are no longer valid, not when they are deleted from caches on name @@ -99,7 +99,7 @@ defaults to an expire time of 30 days from the start time of the SIG records. .Pp An alternate source of random data can be specified with the -.Ar r +.Fl r option. .Ar randomdev is the name of the file to use to obtain random data. @@ -107,14 +107,14 @@ By default .Pa /dev/random is used if this device is available. If it is not provided by the operating system and no -.Ar r +.Fl r option is used, .Nm dnssec-makekeyset will prompt the user for input from the keyboard and use the time between keystrokes to derive some random data. .Pp The -.Ar t +.Fl t option is followed by a time-to-live argument .Ar TTL which indicates the TTL value that will be assigned to the assembled KEY @@ -122,14 +122,14 @@ and SIG records in the output file. .Ar TTL is expressed in seconds. If no -.Ar t +.Fl t option is provided, .Nm dnssec-makekeyset prints a warning and assumes that a default TTL of 3600 seconds was required. .Pp The -.Ar v +.Fl v option can be used to make .Nm dnssec-makekeyset more verbose. @@ -140,7 +140,7 @@ increases, generates increasingly detailed reports about what it is doing. The default level is zero. An option of -.Ar h +.Fl h gets .Nm dnssec-makekeyset to print a short summary of its options and arguments. diff --git a/doc/man/dnssec/dnssec-signkey.8 b/doc/man/dnssec/dnssec-signkey.8 index 76b82076a0..2bbefaca20 100644 --- a/doc/man/dnssec/dnssec-signkey.8 +++ b/doc/man/dnssec/dnssec-signkey.8 
@@ -14,7 +14,7 @@ .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-signkey.8,v 1.2 2000/06/28 03:20:48 jim Exp $ +.\" $Id: dnssec-signkey.8,v 1.3 2000/06/28 23:41:00 jim Exp $ .\" .Dd Jun 30, 2000 .Dt DNSSEC-SIGNKEY 8 @@ -55,24 +55,24 @@ This allows the child's keys to be signed by more than 1 parent zone key if these exist. .Pp The -.Ar p +.Fl p option instructs .Nm dnssec-signkey to use pseudo-random data when signing the keys which is faster, but less secure, than using genuinely random data for signing. This option may be useful when there are many child zone keysets to -sign and CPU resources are limited. +sign of if the entropy source is limited. It could also be used for short-lived keys and signatures that don't require strengthening against cryptanalysis: for instance when the key will be discarded long before it could be compromised. .Pp An alternate file for obtaining random data can be used with the -.Ar r +.Fl r option. .Ar filename is the name of the file to use. If no -.Ar r +.Fl r option is used and the default file for random data .Pa /dev/random does not exist, @@ -82,7 +82,7 @@ The time between keystrokes will be measured and used to derive random data. .Pp The -.Ar v +.Fl v option can be used to make .Nm dnssec-signkey more verbose. @@ -94,7 +94,7 @@ generates increasingly detailed reports about what it is doing. The default level is zero. .Pp An option of -.Ar h +.Fl h makes .Nm dnssec-signkey print a short summary of its command line options diff --git a/doc/man/dnssec/dnssec-signzone.8 b/doc/man/dnssec/dnssec-signzone.8 index ee6374eb6e..3d69f65534 100644 --- a/doc/man/dnssec/dnssec-signzone.8 +++ b/doc/man/dnssec/dnssec-signzone.8 
@@ -14,7 +14,7 @@ .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-signzone.8,v 1.2 2000/06/28 03:20:49 jim Exp $ +.\" $Id: dnssec-signzone.8,v 1.3 2000/06/28 23:41:01 jim Exp $ .\" .Dd Jun 30, 2000 .Dt DNSSEC-SIGNZONE 8 @@ -66,7 +66,7 @@ current working directory used by .Ar zonefile is the name of the unsigned zone file. Unless the file name is the same as the name of the zone, the -.Ar o +.Fl o option should be given. .Ar origin will be the fully qualified domain origin for the zone. @@ -87,7 +87,7 @@ generates a file called .Ar zonefile.signed containing the signed zone file. This can be overridden by the -.Ar f +.Fl f option. Instead of this default file name, the signed zone file will be written to @@ -98,12 +98,12 @@ written to .Nm dnssec-signzone does not verify the signatures by default. The -.Ar a +.Fl a option makes it verify the signatures it generated. .Pp The date and time when the generated SIG records become valid can be specified with the -.Ar s +.Fl s option. .Ar start-time can either be an absolute or relative date. @@ -113,12 +113,12 @@ A relative start time is supplied when .Ar start-time is given as +N: N seconds from the current time. If no -.Ar s +.Fl s option is supplied, the current date and time is used for the start time of the SIG records. .Pp The expiry date for the SIG records can be set by the -.Ar e +.Fl e option. Note that in this context, the expiry date specifies when the SIG records are no longer valid, not when they are deleted from caches on name @@ -159,9 +159,9 @@ The default cycle time is quarter of the difference between the signature end and start dates for the current invocation of .Nm dnssec-signzone . So if the -.Ar e +.Fl e and -.Ar s +.Fl s options are not specified, .Nm dnssec-signzone generates signatures that are valid for 30 days from the current 
@@ -171,7 +171,7 @@ Therefore any SIG records that were due to expire in that time would be replaced with new ones. .Pp The -.Ar c +.Fl c option can be used to change the cycle time. .Ar cycle-time indicates the number of seconds from the current time that should be @@ -180,7 +180,7 @@ set the cycle time and determine when fresh SIG records should be generated. .Pp The -.Ar p +.Fl p option instructs .Nm dnssec-signzone to use pseudo-random data when signing the zone's resource records. @@ -192,7 +192,7 @@ require strengthening against cryptanalysis: for instance when the signatures will be discarded long before the signed data could be compromised. .Pp An alternate source of random data can be specified with the -.Ar r +.Fl r option. .Ar randomdev is the name of the file to use to obtain random data. @@ -200,21 +200,21 @@ By default .Pa /dev/random is used if this device is available. If it is not provided by the operating system and no -.Ar r +.Fl r option is used, .Nm dnssec-signzone will prompt the user for input from the keyboard and use the time between keystrokes to derive some random data. .Pp An option of -.Ar h +.Fl h makes .Nm dnssec-signzone print a short summary of its command line options and arguments. .Pp The -.Ar v +.Fl v option can be used to make .Nm dnssec-signzone more verbose. @@ -236,7 +236,7 @@ The zone file for this zone is .Dv example.com and it can be assumed to contain fully qualified domain names which means there is no need to use the -.Ar o +.Fl o option to set the domain origin. This zone file contains the keyset for .Dv example.com
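Review bot: Typo in the dnssec-signkey.8 hunk at `@@ -55,24 +55,24 @@` (present in both the bin/dnssec and doc/man/dnssec copies): `+sign of if the entropy source is limited.` should read `sign or if the entropy source is limited.` Separately, that line replaces the "CPU resources are limited" rationale with a limited entropy source as the reason to use `-p`; since the same paragraph describes `-p` as "faster, but less secure, than using genuinely random data", a weak entropy source is exactly the situation where the caveat matters most, so either keep the original CPU wording or restate in that sentence that `-p` is only appropriate for the short-lived keys the following sentence describes.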
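Review bot: Wording in the dnssec-keygen.8 hunk at `@@ -146,22 +148,25 @@` is redundant: `+The key's strength value can be set with the` / `+.Fl s` / `+option.` is immediately followed by a second sentence saying the key "will sign DNS resource records with a strength value of strength-value". One sentence would do, e.g. "The `-s` option sets the strength value, `strength-value`, that the key will sign DNS resource records with." The rest of the hunk (range 0 to 15, default zero, no defined purpose) is unchanged and reads fine.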
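Review bot: The four files under doc/man/dnssec/ are byte-for-byte copies of the ones under bin/dnssec/ (identical `index` blob ids, e.g. `e88557cbcd..09cedeb2fe` for dnssec-keygen.8), so every fix in this patch had to be applied twice and the `$Id:` lines diverge only by revision. Consider keeping a single source for each man page and generating or installing the second copy at build time, so that a future `.Ar`/`.Fl` correction cannot land in one tree and not the other.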