NLnetLabs · mozzieongit · Nov 19, 2024 · Nov 14, 2024 · Nov 12, 2024 · Nov 12, 2024
diff --git a/doc/manual/source/conf.py b/doc/manual/source/conf.py
@@ -100,7 +100,7 @@
 #
 # This is also used if you do content translation via gettext catalogs.
 # Usually you set "language" from the command line for these cases.
-language = None
+language = 'en'
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
@@ -189,8 +189,18 @@
 # (source start file, name, description, authors, manual section).
 man_pages = [
     ('man/dnst', 'dnst', 'DNS Management Tools', author, 1),
-    ('man/dnst-nsec3-hash', 'dnst-nsec3-hash', 'DNS Management Tools', author,
-     1),
+    ('man/dnst-key2ds', 'dnst-key2ds', 'Generate DS RRs from the DNSKEYs in a keyfile', author, 1),
+    ('man/ldns-key2ds', 'ldns-key2ds', 'Generate DS RRs from the DNSKEYs in a keyfile', author, 1),
+    ('man/dnst-keygen', 'dnst-keygen', 'Generate a new key pair for a domain name', author, 1),
+    ('man/ldns-keygen', 'ldns-keygen', 'Generate a new key pair for a domain name', author, 1),
+    ('man/dnst-notify', 'dnst-notify', 'Send a NOTIFY message to a list of name servers', author, 1),
+    ('man/ldns-notify', 'ldns-notify', 'Send a NOTIFY message to a list of name servers', author, 1),
+    ('man/dnst-nsec3-hash', 'dnst-nsec3-hash', 'Print out the NSEC3 hash of a domain name', author, 1),
+    ('man/ldns-nsec3-hash', 'ldns-nsec3-hash', 'Print out the NSEC3 hash of a domain name', author, 1),
+    ('man/dnst-signzone', 'dnst-signzone', 'Sign the zone with the given key(s)', author, 1),
+    ('man/ldns-signzone', 'ldns-signzone', 'Sign the zone with the given key(s)', author, 1),
+    ('man/dnst-update', 'dnst-update', 'Send a dynamic update packet to update an IP (or delete all existing IPs) for a domain name', author, 1),
+    ('man/ldns-update', 'ldns-update', 'Send a dynamic update packet to update an IP (or delete all existing IPs) for a domain name', author, 1),
 ]
 
 

diff --git a/doc/manual/source/index.rst b/doc/manual/source/index.rst
@@ -1,7 +1,12 @@
 dnst |version|
 ==============
 
-The manual goes here ...
+**dnst** is a DNS administration toolbox. It offers DNS and DNSSEC related
+functions like key generation, zone signing, printing NSEC3 hashed domain
+names, and sending UPDATE or NOTIFY messages to your name servers. More is
+coming soon.
+
+It depends on OpenSSL for its cryptography related functions.
 
 .. toctree::
    :maxdepth: 2
@@ -10,5 +15,22 @@ The manual goes here ...
    :name: toc-reference
 
    man/dnst
+   man/dnst-key2ds
+   man/dnst-keygen
+   man/dnst-notify
    man/dnst-nsec3-hash
+   man/dnst-signzone
+   man/dnst-update
+
+.. toctree::
+   :maxdepth: 2
+   :hidden:
+   :caption: LDNS Tools reference
+   :name: toc-reference-ldns
 
+   man/ldns-key2ds
+   man/ldns-keygen
+   man/ldns-notify
+   man/ldns-nsec3-hash
+   man/ldns-signzone
+   man/ldns-update
diff --git a/doc/manual/source/man/dnst-key2ds.rst b/doc/manual/source/man/dnst-key2ds.rst
@@ -0,0 +1,45 @@
+dnst key2ds
+===============
+
+Synopsis
+--------
+
+:program:`dnst key2ds` ``[OPTIONS]`` ``<KEYFILE>``
+
+Description
+-----------
+
+**dnst key2ds** generates a DS RR for each DNSKEY in ``<KEYFILE>``.
+
+The following file will be created for each key: ``K<name>+<alg>+<id>.ds``. The
+base name ``K<name>+<alg>+<id>`` will be printed to stdout.
+
+
+Options
+-------
+
+.. option:: -a <NUMBER OR MNEMONIC>, --algorithm <NUMBER OR MNEMONIC>
+
+      Use the given algorithm for the digest. Defaults to the digest algorithm
+      used for the DNSKEY, and if it can't be determined SHA-1.
+
+.. option:: -f, --force
+
+      Overwrite existing ``.ds`` files.
+
+.. option:: --ignore-sep
+
+      Ignore the SEP flag and make DS records for any key.
+
+.. option:: -n
+
+      Write the generated DS records to stdout instead of a file.
+
+.. option:: -h, --help
+
+      Print the help text (short summary with ``-h``, long help with
+      ``--help``).
+
+.. option:: -V, --version
+
+      Print the version.
diff --git a/doc/manual/source/man/dnst-keygen.rst b/doc/manual/source/man/dnst-keygen.rst
@@ -0,0 +1,74 @@
+dnst keygen
+===============
+
+Synopsis
+--------
+
+:program:`dnst keygen` ``[OPTIONS]`` ``-a <ALGORITHM>`` ``<DOMAIN NAME>``
+
+Description
+-----------
+
+**dnst keygen** generates a new key pair for a given domain name.
+
+The following files will be created:
+
+- ``K<name>+<alg>+<tag>.key``: The public key file containing a DNSKEY RR in
+  zone file format.
+
+- ``K<name>+<alg>+<tag>.private``: The private key file containing the private
+  key data fields in BIND's *Private-key-format*.
+
+- ``K<name>+<alg>+<tag>.ds``: The public key digest file containing the DS RR
+  in zone file format. It is only created for key signing keys.
+
+| ``<name>`` is the fully-qualified owner name for the key (with a trailing dot).
+| ``<alg>`` is the algorithm number of the key, zero-padded to 3 digits.
+| ``<tag>`` is the 16-bit tag of the key, zero-padded to 5 digits.
+
+Upon completion, ``K<name>+<alg>+<tag>`` will be printed.
+
+Options
+-------
+
+.. option:: -a <NUMBER OR MNEMONIC>
+
+      Use the given signing algorithm.
+
+      Possible values are:
+
+      =================== ========== =========================
+      **Mnemonic**        **Number** **Description**
+      =================== ========== =========================
+      ``list``                       List available algorithms
+      ``RSASHA256``        8         RSA with SHA-256
+      ``ECDSAP256SHA256`` 13         ECDSA P-256 with SHA-256
+      ``ECDSAP384SHA384`` 14         ECDSA P-384 with SHA-384
+      ``ED25519``         15         ED25519
+      ``ED448``           16         ED448
+      =================== ========== =========================
+
+.. option:: -k
+
+      Generate a key signing key (KSK) instead of a zone signing key (ZSK).
+
+.. option:: -b <BITS>
+
+      The length of the key (for RSA keys only). Defaults to 2048.
+
+.. option:: -r <DEVICE>
+
+      The randomness source to use for generation. Defaults to ``/dev/urandom``.
+
+.. option:: -s
+
+      Create symlinks ``.key`` and ``.private`` to the generated keys.
+
+.. option:: -f
+
+      Overwrite existing symlinks (for use with ``-s``).
+
+.. option:: -h, --help
+
+      Print the help text (short summary with ``-h``, long help with
+      ``--help``).
diff --git a/doc/manual/source/man/dnst-notify.rst b/doc/manual/source/man/dnst-notify.rst
@@ -0,0 +1,50 @@
+dnst notify
+===============
+
+Synopsis
+--------
+
+:program:`dnst notify` ``[OPTIONS]`` ``-z <ZONE>`` ``<SERVERS>...``
+
+Description
+-----------
+
+**dnst notify** sends a NOTIFY message to the specified name servers. A name
+server can be specified as a domain name or IP address.
+
+This tells them that an updated zone is available at the primaries. It can
+perform TSIG signatures, and it can add a SOA serial number of the updated
+zone. If a server already has that serial number it will disregard the message.
+
+Options
+-------
+
+.. option:: -z <ZONE>
+
+      The zone to send the NOTIFY for.
+
+.. option:: -s <SOA VERSION>
+
+      SOA version number to include in the NOTIFY message.
+
+.. option:: -y, --tsig <NAME:KEY[:ALGO]>
+
+      A base64 TSIG key and optional algorithm to use for the NOTIFY message.
+      The algorithm defaults to **hmac-sha512**.
+
+.. option:: -p, --port <PORT>
+
+      Destination port to send the UDP packet to. Defaults to 53.
+
+.. option:: -d, --debug
+
+      Print debug information.
+
+.. option:: -r, --retries <RETRIES>
+
+      Max number of retries. Defaults to 15.
+
+.. option:: -h, --help
+
+      Print the help text (short summary with ``-h``, long help with
+      ``--help``).
diff --git a/doc/manual/source/man/dnst-nsec3-hash.rst b/doc/manual/source/man/dnst-nsec3-hash.rst
@@ -1,30 +1,39 @@
-dnst-nsec3-hash
+dnst nsec3-hash
 ===============
 
 Synopsis
 --------
 
-:program:`dnst nsec3-hash` [``options``] :samp:`domain-name`
+:program:`dnst nsec3-hash` ``[OPTIONS]`` ``<DOMAIN NAME>``
 
 Description
 -----------
 
-**dnst nsec3-hash** prints the NSEC3 hash for the given domain name.
+**dnst nsec3-hash** prints the NSEC3 hash of a given domain name.
 
 Options
 -------
 
-.. option:: -a number-or-mnemonic, --algorithm=number-or-mnemonic
+.. option:: -a <NUMBER OR MNEMONIC>, --algorithm <NUMBER OR MNEMONIC>
 
       Use the given algorithm number for the hash calculation. Defaults to
-      ``sha1``.
+      1 (SHA-1).
 
-.. option:: -s salt, --salt=count
+.. option:: -i <NUMBER>, -t <NUMBER>, --iterations <NUMBER>
+
+      Use the given number of additional iterations for the hash
+      calculation. Defaults to 1.
+
+.. option:: -s <HEX STRING>, --salt <HEX STRING>
 
       Use the given salt for the hash calculation. The salt value should be
-      in hexadecimal format.
+      in hexadecimal format. Defaults to an empty salt.
+
+.. option:: -h, --help
 
-.. option:: -i count, -t count, --iterations=count
+      Print the help text (short summary with ``-h``, long help with
+      ``--help``).
 
-      Use *count* iterations for the hash calculation.
+.. option:: -V, --version
 
+      Print the version.