diff --git a/bin/python/dnssec-keymgr.8 b/bin/python/dnssec-keymgr.8
index cb8c7479b2..fc91fcf1f3 100644
--- a/bin/python/dnssec-keymgr.8
+++ b/bin/python/dnssec-keymgr.8
@@ -18,12 +18,12 @@
.\" Title: dnssec-keymgr
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 2016-04-03
+.\" Date: 2016-06-03
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
-.TH "DNSSEC\-KEYMGR" "8" "2016\-04\-03" "ISC" "BIND9"
+.TH "DNSSEC\-KEYMGR" "8" "2016\-06\-03" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -47,7 +47,7 @@
dnssec-keymgr \- Ensures correct DNSKEY coverage for a zone based on a defined policy
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-keymgr\fR\ 'u
-\fBdnssec\-keymgr\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-c\ \fR\fB\fIfile\fR\fR] [\fB\-d\ \fR\fB\fItime\fR\fR] [\fB\-k\fR] [\fB\-z\fR] [\fB\-g\ \fR\fB\fIpath\fR\fR] [\fB\-s\ \fR\fB\fIpath\fR\fR] [zone...]
+\fBdnssec\-keymgr\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-c\ \fR\fB\fIfile\fR\fR] [\fB\-f\fR] [\fB\-k\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-z\fR] [\fB\-g\ \fR\fB\fIpath\fR\fR] [\fB\-r\ \fR\fB\fIpath\fR\fR] [\fB\-s\ \fR\fB\fIpath\fR\fR] [zone...]
.SH "DESCRIPTION"
.PP
\fBdnssec\-keymgr\fR
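Review bot: the new SYNOPSIS line omits -h, which this same patch documents in OPTIONS ("Print the dnssec-keymgr help summary and exit"); add `[\fB\-h\fR]` next to `[\fB\-f\fR]` so the synopsis matches the option list. It is also worth confirming that dropping `[\fB\-d\ \fR\fB\fItime\fR\fR]` is intentional and that the tool no longer accepts -d, since nothing in the patch explains the removal.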
@@ -95,7 +95,7 @@ is specified, then the DNSSEC policy is read from
Force: allow updating of key events even if they are already in the past\&. This is not recommended for use with zones in which keys have already been published\&. However, if a set of keys has been generated all of which have publication and activation dates in the past, but the keys have not been published in a zone as yet, then this option can be used to clean them up and turn them into a proper series of keys with appropriate rollover intervals\&.
.RE
.PP
-\-g \fIkeygen path\fR
+\-g \fIkeygen\-path\fR
.RS 4
Specifies a path to a
\fBdnssec\-keygen\fR
@@ -104,6 +104,13 @@ binary\&. Used for testing\&. See also the
option\&.
.RE
.PP
+\-h
+.RS 4
+Print the
+\fBdnssec\-keymgr\fR
+help summary and exit\&.
+.RE
+.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which keys can be found\&. Defaults to the current working directory\&.
@@ -124,7 +131,16 @@ and
\fBdnssec\-settime\fR\&.
.RE
.PP
-\-s \fIsettime path\fR
+\-r \fIrandomdev\fR
+.RS 4
+Specifies a path to a file containing random data\&. This is passed to the
+\fBdnssec\-keygen\fR
+binary using its
+\fB\-r\fR
+option\&.
+.RE
+.PP
+\-s \fIsettime\-path\fR
.RS 4
Specifies a path to a
\fBdnssec\-settime\fR
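Review bot: the new -r entry only says the path is handed to dnssec-keygen's -r option; it should also state what source is used when -r is not given and make clear that this file is the randomness source for the generated keys, so an operator understands the consequence of pointing it at a low-entropy or predictable file. The argument name is also inconsistent between the synopsis (`path`) and this heading (`randomdev`); pick one, as was done for `keygen-path` and `settime-path`.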
@@ -133,6 +149,13 @@ binary\&. Used for testing\&. See also the
option\&.
.RE
.PP
+\-v
+.RS 4
+Print the
+\fBdnssec\-keymgr\fR
+version and exit\&.
+.RE
+.PP
\-z
.RS 4
Only apply policies to ZSK keys\&. See also the
@@ -154,14 +177,14 @@ file can specify three kinds of policies:
.IP \(bu 2.3
.\}
\fIPolicy classes\fR
- (\fBpolicy \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR)
- can be inherited by zone policies or other policy classes; these
- can be used to create sets of different security profiles\&. For
- example, a policy class \fBnormal\fR might specify
- 1024\-bit key sizes, but a class \fBextra\fR might
- specify 2048 bits instead; \fBextra\fR would be
- used for zones that had unusually high security needs\&.
- .RE
+(\fBpolicy \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR) can be inherited by zone policies or other policy classes; these can be used to create sets of different security profiles\&. For example, a policy class
+\fBnormal\fR
+might specify 1024\-bit key sizes, but a class
+\fBextra\fR
+might specify 2048 bits instead;
+\fBextra\fR
+would be used for zones that had unusually high security needs\&.
+.RE
.sp
.RS 4
.ie n \{\
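Review bot: the reflowed example presents a `normal` policy class with 1024-bit keys and `extra` with 2048 bits; since 1024-bit RSA and DSA keys are below current recommendations, consider reworking the example (for instance 2048 versus 4096 bits) so readers do not copy 1024 bits as the baseline profile.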
@@ -171,13 +194,10 @@ file can specify three kinds of policies:
.sp -1
.IP \(bu 2.3
.\}
- Algorithm policies:
- (\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&. };\fR )
- override default per\-algorithm settings\&. For example, by default,
- RSASHA256 keys use 2048\-bit key sizes for both KSK and ZSK\&. This
- can be modified using \fBalgorithm\-policy\fR, and the
- new key sizes would then be used for any key of type RSASHA256\&.
- .RE
+Algorithm policies: (\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&. };\fR
+) override default per\-algorithm settings\&. For example, by default, RSASHA256 keys use 2048\-bit key sizes for both KSK and ZSK\&. This can be modified using
+\fBalgorithm\-policy\fR, and the new key sizes would then be used for any key of type RSASHA256\&.
+.RE
.sp
.RS 4
.ie n \{\
@@ -187,85 +207,62 @@ file can specify three kinds of policies:
.sp -1
.IP \(bu 2.3
.\}
- Zone policies:
- (\fBzone \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR )
- set policy for a single zone by name\&. A zone policy can inherit
- a policy class by including a \fBpolicy\fR option\&.
- .RE
+Zone policies: (\fBzone \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR
+) set policy for a single zone by name\&. A zone policy can inherit a policy class by including a
+\fBpolicy\fR
+option\&.
+.RE
.PP
Options that can be specified in policies:
.PP
\fBalgorithm\fR
.RS 4
- The key algorithm\&. If no policy is defined, the default is
- RSASHA256\&.
- .RE
+The key algorithm\&. If no policy is defined, the default is RSASHA256\&.
+.RE
.PP
\fBcoverage\fR
.RS 4
- The length of time to ensure that keys will be correct; no action
- will be taken to create new keys to be activated after this time\&.
- This can be represented as a number of seconds, or as a duration using
- human\-readable units (examples: "1y" or "6 months")\&.
- A default value for this option can be set in algorithm policies
- as well as in policy classes or zone policies\&.
- If no policy is configured, the default is six months\&.
- .RE
+The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time\&. This can be represented as a number of seconds, or as a duration using human\-readable units (examples: "1y" or "6 months")\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is six months\&.
+.RE
.PP
\fBdirectory\fR
.RS 4
- Specifies the directory in which keys should be stored\&.
- .RE
+Specifies the directory in which keys should be stored\&.
+.RE
.PP
\fBkey\-size\fR
.RS 4
- Specifies the number of bits to use in creating keys\&.
- Takes two arguments: keytype (eihter "zsk" or "ksk") and size\&.
- A default value for this option can be set in algorithm policies
- as well as in policy classes or zone policies\&. If no policy is
- configured, the default is 1024 bits for DSA keys and 2048 for
- RSA\&.
- .RE
+Specifies the number of bits to use in creating keys\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and size\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 1024 bits for DSA keys and 2048 for RSA\&.
+.RE
.PP
\fBkeyttl\fR
.RS 4
- The key TTL\&. If no policy is defined, the default is one hour\&.
- .RE
+The key TTL\&. If no policy is defined, the default is one hour\&.
+.RE
.PP
\fBpost\-publish\fR
.RS 4
- How long after inactivation a key should be deleted from the zone\&.
- Note: If \fBroll\-period\fR is not set, this value is
- ignored\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and a
- duration\&. A default value for this option can be set in algorithm
- policies as well as in policy classes or zone policies\&. The default
- is one month\&.
- .RE
+How long after inactivation a key should be deleted from the zone\&. Note: If
+\fBroll\-period\fR
+is not set, this value is ignored\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
+.RE
.PP
\fBpre\-publish\fR
.RS 4
- How long before activation a key should be published\&. Note: If
- \fBroll\-period\fR is not set, this value is ignored\&.
- Takes two arguments: keytype (either "zsk" or "ksk") and a duration\&.
- A default value for this option can be set in algorithm policies
- as well as in policy classes or zone policies\&. The default is
- one month\&.
- .RE
+How long before activation a key should be published\&. Note: If
+\fBroll\-period\fR
+is not set, this value is ignored\&. Takes two arguments: keytype (either "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
+.RE
.PP
\fBroll\-period\fR
.RS 4
- How frequently keys should be rolled over\&.
- Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration\&.
- A default value for this option can be set in algorithm policies
- as well as in policy classes or zone policies\&. If no policy is
- configured, the default is one year for ZSK\*(Aqs\&. KSK\*(Aqs do not
- roll over by default\&.
- .RE
+How frequently keys should be rolled over\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is one year for ZSK\*(Aqs\&. KSK\*(Aqs do not roll over by default\&.
+.RE
.PP
\fBstandby\fR
.RS 4
- Not yet implemented\&.
- .RE
+Not yet implemented\&.
+.RE
.SH "REMAINING WORK"
.sp
.RS 4
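Review bot: the misspelling "eihter" is carried into the reflowed text of the `key-size`, `post-publish` and `roll-period` entries (the `pre-publish` entry correctly reads "either"); since this file is generated, fix it in the DocBook source so both the .8 and .html outputs pick it up. In the same hunk, the `key-size` default of "1024 bits for DSA keys" deserves a sentence noting that this is below current key-length recommendations and that operators should set an explicit size in an algorithm policy, rather than leaving the weak default as the only documented value.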
@@ -276,13 +273,16 @@ Options that can be specified in policies:
.sp -1
.IP \(bu 2.3
.\}
- Enable scheduling of KSK rollovers using the \fB\-P sync\fR
- and \fB\-D sync\fR options to
- \fBdnssec\-keygen\fR and
- \fBdnssec\-settime\fR\&. Check the parent zone
- (as in \fBdnssec\-checkds\fR) to determine when it\*(Aqs
- safe for the key to roll\&.
- .RE
+Enable scheduling of KSK rollovers using the
+\fB\-P sync\fR
+and
+\fB\-D sync\fR
+options to
+\fBdnssec\-keygen\fR
+and
+\fBdnssec\-settime\fR\&. Check the parent zone (as in
+\fBdnssec\-checkds\fR) to determine when it\*(Aqs safe for the key to roll\&.
+.RE
.sp
.RS 4
.ie n \{\
@@ -292,9 +292,8 @@ Options that can be specified in policies:
.sp -1
.IP \(bu 2.3
.\}
- Allow configuration of standby keys and use of the REVOKE bit,
- for keys that use RFC 5011 semantics\&.
- .RE
+Allow configuration of standby keys and use of the REVOKE bit, for keys that use RFC 5011 semantics\&.
+.RE
.SH "SEE ALSO"
.PP
\fBdnssec-coverage\fR(8),
diff --git a/bin/python/dnssec-keymgr.html b/bin/python/dnssec-keymgr.html
index 4fc43d2b49..dd7c6f79fa 100644
--- a/bin/python/dnssec-keymgr.html
+++ b/bin/python/dnssec-keymgr.html
@@ -27,16 +27,15 @@
Synopsis
-
dnssec-keymgr [-K directory] [-c file] [-d time] [-k] [-z] [-g path] [-s path] [zone...]
+
dnssec-keymgr [-K directory] [-c file] [-f] [-k] [-q] [-v] [-z] [-g path] [-r path] [-s path] [zone...]
DESCRIPTION
- dnssec-keymgr
- is a high level Python wrapper to facilitate the key rollover
- process for zones handled by BIND. It uses the BIND commands
- for manipulating DNSSEC key metadata:
- dnssec-keygen and
+ dnssec-keymgr is a high level Python wrapper
+ to facilitate the key rollover process for zones handled by
+ BIND. It uses the BIND commands for manipulating DNSSEC key
+ metadata: dnssec-keygen and
dnssec-settime.
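Review bot: as in the roff version, the regenerated HTML synopsis lists -f, -k, -q, -v, -z and -r but not -h, even though the same patch adds an -h entry to the option list further down; the synopsis in the DocBook source needs the -h entry so both outputs agree with the option list.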
@@ -102,12 +101,17 @@
option can be used to clean them up and turn them into a
proper series of keys with appropriate rollover intervals.
-
-g keygen path
+
-g keygen-path
Specifies a path to a dnssec-keygen binary.
Used for testing.
See also the -s option.
+
-h
+
+ Print the dnssec-keymgr help summary
+ and exit.
+
-K directory
Sets the directory in which keys can be found. Defaults to the
@@ -123,12 +127,23 @@
Quiet: suppress printing of dnssec-keygen
and dnssec-settime.
-
-s settime path
+
-r randomdev
+
+ Specifies a path to a file containing random data.
+ This is passed to the dnssec-keygen binary
+ using its -r option.
+
+
+
-s settime-path
Specifies a path to a dnssec-settime binary.
Used for testing.
See also the -g option.
+
-v
+
+ Print the dnssec-keymgr version and exit.
+
-z
Only apply policies to ZSK keys.
@@ -143,115 +158,115 @@
of policies:
--
-Policy classes
- (
policy name { ... };)
- can be inherited by zone policies or other policy classes; these
- can be used to create sets of different security profiles. For
- example, a policy class normal might specify
- 1024-bit key sizes, but a class extra might
- specify 2048 bits instead; extra would be
- used for zones that had unusually high security needs.
-
--
- Algorithm policies:
- (
algorithm-policy algorithm { ... }; )
- override default per-algorithm settings. For example, by default,
- RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
- can be modified using algorithm-policy, and the
- new key sizes would then be used for any key of type RSASHA256.
-
--
- Zone policies:
- (
zone name { ... }; )
- set policy for a single zone by name. A zone policy can inherit
- a policy class by including a policy option.
-
+
+ Policy classes
+ (policy name { ... };)
+ can be inherited by zone policies or other policy classes; these
+ can be used to create sets of different security profiles. For
+ example, a policy class normal might specify
+ 1024-bit key sizes, but a class extra might
+ specify 2048 bits instead; extra would be
+ used for zones that had unusually high security needs.
+
+
+ Algorithm policies:
+ (algorithm-policy algorithm { ... }; )
+ override default per-algorithm settings. For example, by default,
+ RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
+ can be modified using algorithm-policy, and the
+ new key sizes would then be used for any key of type RSASHA256.
+
+
+ Zone policies:
+ (zone name { ... }; )
+ set policy for a single zone by name. A zone policy can inherit
+ a policy class by including a policy option.
+
Options that can be specified in policies:
- algorithm
--
- The key algorithm. If no policy is defined, the default is
- RSASHA256.
-
+
+ The key algorithm. If no policy is defined, the default is
+ RSASHA256.
+
- coverage
--
- The length of time to ensure that keys will be correct; no action
- will be taken to create new keys to be activated after this time.
- This can be represented as a number of seconds, or as a duration using
- human-readable units (examples: "1y" or "6 months").
- A default value for this option can be set in algorithm policies
- as well as in policy classes or zone policies.
- If no policy is configured, the default is six months.
-
+
+ The length of time to ensure that keys will be correct; no action
+ will be taken to create new keys to be activated after this time.
+ This can be represented as a number of seconds, or as a duration using
+ human-readable units (examples: "1y" or "6 months").
+ A default value for this option can be set in algorithm policies
+ as well as in policy classes or zone policies.
+ If no policy is configured, the default is six months.
+
- directory
--
- Specifies the directory in which keys should be stored.
-
+
+ Specifies the directory in which keys should be stored.
+
- key-size
--
- Specifies the number of bits to use in creating keys.
- Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
- A default value for this option can be set in algorithm policies
- as well as in policy classes or zone policies. If no policy is
- configured, the default is 1024 bits for DSA keys and 2048 for
- RSA.
-
+
+ Specifies the number of bits to use in creating keys.
+ Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
+ A default value for this option can be set in algorithm policies
+ as well as in policy classes or zone policies. If no policy is
+ configured, the default is 1024 bits for DSA keys and 2048 for
+ RSA.
+
- keyttl
--
- The key TTL. If no policy is defined, the default is one hour.
-
+
+ The key TTL. If no policy is defined, the default is one hour.
+
- post-publish
--
- How long after inactivation a key should be deleted from the zone.
- Note: If
roll-period is not set, this value is
- ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a
- duration. A default value for this option can be set in algorithm
- policies as well as in policy classes or zone policies. The default
- is one month.
-
+
+ How long after inactivation a key should be deleted from the zone.
+ Note: If roll-period is not set, this value is
+ ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a
+ duration. A default value for this option can be set in algorithm
+ policies as well as in policy classes or zone policies. The default
+ is one month.
+
- pre-publish
--
- How long before activation a key should be published. Note: If
-
roll-period is not set, this value is ignored.
- Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
- A default value for this option can be set in algorithm policies
- as well as in policy classes or zone policies. The default is
- one month.
-
+
+ How long before activation a key should be published. Note: If
+ roll-period is not set, this value is ignored.
+ Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
+ A default value for this option can be set in algorithm policies
+ as well as in policy classes or zone policies. The default is
+ one month.
+
- roll-period
--
- How frequently keys should be rolled over.
- Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
- A default value for this option can be set in algorithm policies
- as well as in policy classes or zone policies. If no policy is
- configured, the default is one year for ZSK's. KSK's do not
- roll over by default.
-
+
+ How frequently keys should be rolled over.
+ Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
+ A default value for this option can be set in algorithm policies
+ as well as in policy classes or zone policies. If no policy is
+ configured, the default is one year for ZSK's. KSK's do not
+ roll over by default.
+
- standby
--
- Not yet implemented.
-
+
+ Not yet implemented.
+
REMAINING WORK
--
- Enable scheduling of KSK rollovers using the
-P sync
- and -D sync options to
- dnssec-keygen and
- dnssec-settime. Check the parent zone
- (as in dnssec-checkds) to determine when it's
- safe for the key to roll.
-
--
- Allow configuration of standby keys and use of the REVOKE bit,
- for keys that use RFC 5011 semantics.
-
+
+ Enable scheduling of KSK rollovers using the -P sync
+ and -D sync options to
+ dnssec-keygen and
+ dnssec-settime. Check the parent zone
+ (as in dnssec-checkds) to determine when it's
+ safe for the key to roll.
+
+
+ Allow configuration of standby keys and use of the REVOKE bit,
+ for keys that use RFC 5011 semantics.
+
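Review bot: the "eihter" misspelling appears three times in the regenerated HTML (the `key-size`, `post-publish` and `roll-period` entries), matching the roff output; a single correction in the DocBook source fixes both files. The `standby` option is still documented as "Not yet implemented" while the REMAINING WORK list also promises standby keys, so consider cross-referencing the two so readers know the option is accepted but inert.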