diff --git a/bin/rndc/Makefile.in b/bin/rndc/Makefile.in
index fce37ab3d6..9ab0041872 100644
--- a/bin/rndc/Makefile.in
+++ b/bin/rndc/Makefile.in
@@ -13,7 +13,7 @@
 # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.31 2001/08/03 22:03:10 gson Exp $
+# $Id: Makefile.in,v 1.32 2001/08/28 17:29:34 gson Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -49,9 +49,9 @@ SUBDIRS =	unix
 
 TARGETS =	rndc rndc-confgen
 
-MANPAGES =	rndc.8 rndc.conf.5
+MANPAGES =	rndc.8 rndc-confgen.8 rndc.conf.5
 
-HTMLPAGES =	rndc.html rndc.conf.html
+HTMLPAGES =	rndc.html rndc-confgen.html rndc.conf.html
 
 MANOBJS =	${MANPAGES} ${HTMLPAGES}
 
diff --git a/bin/rndc/rndc-confgen.8 b/bin/rndc/rndc-confgen.8
new file mode 100644
index 0000000000..e76ab62cb1
--- /dev/null
+++ b/bin/rndc/rndc-confgen.8
@@ -0,0 +1,134 @@
+.\"
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.TH "RNDC-CONFGEN" "8" "Aug 27, 2001" "BIND9" ""
+.SH NAME
+rndc-confgen \- rndc key generation tool
+.SH SYNOPSIS
+.sp
+\fBrndc-confgen\fR [ \fB-a\fR ]  [ \fB-b \fIkeysize\fB\fR ]  [ \fB-c \fIkeyfile\fB\fR ]  [ \fB-h\fR ]  [ \fB-k \fIkeyname\fB\fR ]  [ \fB-p \fIport\fB\fR ]  [ \fB-r \fIrandomfile\fB\fR ]  [ \fB-s \fIaddress\fB\fR ]  [ \fB-t \fIchrootdir\fB\fR ]  [ \fB-u \fIuser\fB\fR ] 
+.SH "DESCRIPTION"
+.PP
+\fBrndc-confgen\fR generates configuration files
+for \fBrndc\fR. It can be used as a
+convenient alternative to writing the
+\fIrndc.conf\fR file
+and the corresponding \fBcontrols\fR
+and \fBkey\fR
+statements in \fInamed.conf\fR by hand.
+Alternatively, it can be run with the \fB-a\fR
+option to set up a \fIrndc.key\fR file and
+avoid the need for a \fIrndc.conf\fR file
+and a \fBcontrols\fR statement altogether.
+.SH "OPTIONS"
+.TP
+\fB-a\fR
+Do automatic \fBrndc\fR configuration.
+This creates a file \fIrndc.key\fR
+in \fI/etc\fR (or whatever
+sysconfdir
+was specified as when BIND was built)
+that is read by both \fBrndc\fR
+and \fBnamed\fR on startup. The
+\fIrndc.key\fR file defines a default
+command channel and authentication key allowing
+\fBrndc\fR to communicate with
+\fBnamed\fR with no further configuration.
+
+Running \fBrndc-confgen -a\fR allows
+BIND 9 and \fBrndc\fR to be used as drop-in
+replacements for BIND 8 and \fBndc\fR,
+with no changes to the existing BIND 8
+\fInamed.conf\fR file.
+.TP
+\fB-b \fIkeysize\fB\fR
+Specifies the size of the authentication key in bits.
+Must be between 1 and 512 bits; the default is 128.
+.TP
+\fB-c \fIkeyfile\fB\fR
+Used with the \fB-a\fR option to specify
+an alternate location for \fIrndc.key\fR.
+.TP
+\fB-h\fR
+Prints a short summary of the options and arguments to
+\fBrndc-confgen\fR.
+.TP
+\fB-k \fIkeyname\fB\fR
+Specifies the key name of the rndc authentication key.
+This must be a valid domain name.
+The default is rndc-key.
+.TP
+\fB-p \fIport\fB\fR
+Specifies the command channel port where \fBnamed\fR
+listens for connections from \fBrndc\fR.
+The default is 953.
+.TP
+\fB-r \fIrandomfile\fB\fR
+Specifies a source of random data for generating the
+authoriazation. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-p \fIprotocol\fB\fR
+Sets the protocol value for the generated key. The protocol
+is a number between 0 and 255. The default is 2 (email) for
+keys of type USER and 3 (DNSSEC) for all other key types.
+Other possible values for this argument are listed in
+RFC 2535 and its successors.
+.TP
+\fB-s \fIaddress\fB\fR
+Specifies the IP address where \fBnamed\fR
+listens for command channel connections from
+\fBrndc\fR. The default is the loopback
+address 127.0.0.1.
+.TP
+\fB-t \fIchrootdir\fB\fR
+Used with the \fB-a\fR option to specify
+a directory where \fBnamed\fR will run
+chrooted. An additional copy of the \fIrndc.key\fR
+will be written relative to this directory so that
+it will be found by the chrooted \fBnamed\fR.
+.TP
+\fB-u \fIuser\fB\fR
+Used with the \fB-a\fR option to set the owner
+of the \fIrndc.key\fR file generated.
+.SH "EXAMPLES"
+.PP
+To allow \fBrndc\fR to be used with
+no manual configuration, run
+.PP
+\fBrndc-confgen -a\fR
+.PP
+To print a sample \fIrndc.conf\fR file and
+corresponding \fBcontrols\fR and \fBkey\fR
+statements to be manually inserted into \fInamed.conf\fR,
+run
+.PP
+\fBrndc-confgen\fR
+.SH "SEE ALSO"
+.PP
+\fBrndc\fR(8),
+\fBrndc.conf\fR(5),
+\fBnamed\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR.
+.SH "AUTHOR"
+.PP
+Internet Software Consortium
diff --git a/bin/rndc/rndc-confgen.docbook b/bin/rndc/rndc-confgen.docbook
new file mode 100644
index 0000000000..b32fe0ff75
--- /dev/null
+++ b/bin/rndc/rndc-confgen.docbook
@@ -0,0 +1,273 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: rndc-confgen.docbook,v 1.1 2001/08/28 17:29:35 gson Exp $ -->
+
+<refentry>
+  <refentryinfo>
+    <date>Aug 27, 2001</date>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>rndc-confgen</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>rndc-confgen</application></refname>
+    <refpurpose>rndc key generation tool</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>rndc-confgen</command>
+      <arg><option>-a</option></arg>
+      <arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
+      <arg><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
+      <arg><option>-h</option></arg>
+      <arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
+      <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
+      <arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
+      <arg><option>-s <replaceable class="parameter">address</replaceable></option></arg>
+      <arg><option>-t <replaceable class="parameter">chrootdir</replaceable></option></arg>
+      <arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para>
+        <command>rndc-confgen</command> generates configuration files
+	for <command>rndc</command>.  It can be used as a
+        convenient alternative to writing the
+        <filename>rndc.conf</filename> file
+        and the corresponding <command>controls</command>
+        and <command>key</command>
+	statements in <filename>named.conf</filename> by hand.
+        Alternatively, it can be run with the <command>-a</command>
+        option to set up a <filename>rndc.key</filename> file and
+        avoid the need for a <filename>rndc.conf</filename> file
+        and a <command>controls</command> statement altogether.
+    </para>
+
+  </refsect1>
+
+  <refsect1>
+    <title>OPTIONS</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>-a</term>
+	<listitem>
+	  <para>
+	      Do automatic <command>rndc</command> configuration.
+	      This creates a file <filename>rndc.key</filename>
+	      in <filename>/etc</filename> (or whatever
+              <varname>sysconfdir</varname>
+	      was specified as when <acronym>BIND</acronym> was built)
+              that is read by both <command>rndc</command>
+              and <command>named</command> on startup.  The
+	      <filename>rndc.key</filename> file defines a default
+              command channel and authentication key allowing
+	      <command>rndc</command> to communicate with
+	      <command>named</command> with no further configuration.
+	  </para>
+	  <para>
+	      Running <command>rndc-confgen -a</command> allows
+	      BIND 9 and <command>rndc</command> to be used as drop-in
+	      replacements for BIND 8 and <command>ndc</command>,
+	      with no changes to the existing BIND 8
+	      <filename>named.conf</filename> file.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-b <replaceable class="parameter">keysize</replaceable></term>
+	<listitem>
+	  <para>
+	       Specifies the size of the authentication key in bits.
+	       Must be between 1 and 512 bits; the default is 128.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-c <replaceable class="parameter">keyfile</replaceable></term>
+	<listitem>
+	  <para>
+	       Used with the <command>-a</command> option to specify
+	       an alternate location for <filename>rndc.key</filename>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-h</term>
+	<listitem>
+	  <para>
+	       Prints a short summary of the options and arguments to
+	       <command>rndc-confgen</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-k <replaceable class="parameter">keyname</replaceable></term>
+	<listitem>
+	  <para>
+	       Specifies the key name of the rndc authentication key.
+	       This must be a valid domain name.
+	       The default is <constant>rndc-key</constant>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-p <replaceable class="parameter">port</replaceable></term>
+	<listitem>
+	  <para>
+	       Specifies the command channel port where <command>named</command>
+	       listens for connections from <command>rndc</command>.
+	       The default is 953.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-r <replaceable class="parameter">randomfile</replaceable></term>
+	<listitem>
+	  <para>
+	       Specifies a source of random data for generating the
+	       authoriazation.  If the operating
+	       system does not provide a <filename>/dev/random</filename>
+	       or equivalent device, the default source of randomness
+	       is keyboard input.  <filename>randomdev</filename> specifies
+	       the name of a character device or file containing random
+	       data to be used instead of the default.  The special value
+	       <filename>keyboard</filename> indicates that keyboard
+	       input should be used.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-p <replaceable class="parameter">protocol</replaceable></term>
+	<listitem>
+	  <para>
+	       Sets the protocol value for the generated key.  The protocol
+	       is a number between 0 and 255.  The default is 2 (email) for
+	       keys of type USER and 3 (DNSSEC) for all other key types.
+	       Other possible values for this argument are listed in
+	       RFC 2535 and its successors.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-s <replaceable class="parameter">address</replaceable></term>
+	<listitem>
+	  <para>
+	       Specifies the IP address where <command>named</command>
+	       listens for command channel connections from
+	       <command>rndc</command>.  The default is the loopback
+	       address 127.0.0.1.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-t <replaceable class="parameter">chrootdir</replaceable></term>
+	<listitem>
+	  <para>
+	       Used with the <command>-a</command> option to specify
+	       a directory where <command>named</command> will run
+	       chrooted.  An additional copy of the <filename>rndc.key</filename>
+	       will be written relative to this directory so that
+	       it will be found by the chrooted <command>named</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-u <replaceable class="parameter">user</replaceable></term>
+	<listitem>
+	  <para>
+	       Used with the <command>-a</command> option to set the owner
+	       of the <filename>rndc.key</filename> file generated.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>EXAMPLES</title>
+    <para>
+        To allow <command>rndc</command> to be used with
+	no manual configuration, run
+    </para>
+    <para>
+        <userinput>rndc-confgen -a</userinput>
+    </para>
+    <para>
+        To print a sample <filename>rndc.conf</filename> file and
+	corresponding <command>controls</command> and <command>key</command>
+	statements to be manually inserted into <filename>named.conf</filename>,
+	run
+    </para>
+    <para>
+        <userinput>rndc-confgen</userinput>
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>rndc</refentrytitle>
+	<manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>rndc.conf</refentrytitle>
+	<manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>named</refentrytitle>
+	<manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>AUTHOR</title>
+    <para>
+        <corpauthor>Internet Software Consortium</corpauthor>
+    </para>
+  </refsect1>
+
+</refentry>
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/bin/rndc/rndc-confgen.html b/bin/rndc/rndc-confgen.html
new file mode 100644
index 0000000000..ca3765c1c4
--- /dev/null
+++ b/bin/rndc/rndc-confgen.html
@@ -0,0 +1,556 @@
+<!--
+ - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+-->
+<HTML
+><HEAD
+><TITLE
+>rndc-confgen</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.61
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><SPAN
+CLASS="APPLICATION"
+>rndc-confgen</SPAN
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>rndc-confgen</SPAN
+>&nbsp;--&nbsp;rndc key generation tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>rndc-confgen</B
+>  [<TT
+CLASS="OPTION"
+>-a</TT
+>] [<TT
+CLASS="OPTION"
+>-b <TT
+CLASS="REPLACEABLE"
+><I
+>keysize</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>keyfile</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-h</TT
+>] [<TT
+CLASS="OPTION"
+>-k <TT
+CLASS="REPLACEABLE"
+><I
+>keyname</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-p <TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomfile</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>address</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>chrootdir</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-u <TT
+CLASS="REPLACEABLE"
+><I
+>user</I
+></TT
+></TT
+>]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN44"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>        <B
+CLASS="COMMAND"
+>rndc-confgen</B
+> generates configuration files
+	for <B
+CLASS="COMMAND"
+>rndc</B
+>.  It can be used as a
+        convenient alternative to writing the
+        <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> file
+        and the corresponding <B
+CLASS="COMMAND"
+>controls</B
+>
+        and <B
+CLASS="COMMAND"
+>key</B
+>
+	statements in <TT
+CLASS="FILENAME"
+>named.conf</TT
+> by hand.
+        Alternatively, it can be run with the <B
+CLASS="COMMAND"
+>-a</B
+>
+        option to set up a <TT
+CLASS="FILENAME"
+>rndc.key</TT
+> file and
+        avoid the need for a <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> file
+        and a <B
+CLASS="COMMAND"
+>controls</B
+> statement altogether.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN57"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-a</DT
+><DD
+><P
+>	      Do automatic <B
+CLASS="COMMAND"
+>rndc</B
+> configuration.
+	      This creates a file <TT
+CLASS="FILENAME"
+>rndc.key</TT
+>
+	      in <TT
+CLASS="FILENAME"
+>/etc</TT
+> (or whatever
+              <TT
+CLASS="VARNAME"
+>sysconfdir</TT
+>
+	      was specified as when <SPAN
+CLASS="ACRONYM"
+>BIND</SPAN
+> was built)
+              that is read by both <B
+CLASS="COMMAND"
+>rndc</B
+>
+              and <B
+CLASS="COMMAND"
+>named</B
+> on startup.  The
+	      <TT
+CLASS="FILENAME"
+>rndc.key</TT
+> file defines a default
+              command channel and authentication key allowing
+	      <B
+CLASS="COMMAND"
+>rndc</B
+> to communicate with
+	      <B
+CLASS="COMMAND"
+>named</B
+> with no further configuration.
+	  </P
+><P
+>	      Running <B
+CLASS="COMMAND"
+>rndc-confgen -a</B
+> allows
+	      BIND 9 and <B
+CLASS="COMMAND"
+>rndc</B
+> to be used as drop-in
+	      replacements for BIND 8 and <B
+CLASS="COMMAND"
+>ndc</B
+>,
+	      with no changes to the existing BIND 8
+	      <TT
+CLASS="FILENAME"
+>named.conf</TT
+> file.
+	  </P
+></DD
+><DT
+>-b <TT
+CLASS="REPLACEABLE"
+><I
+>keysize</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the size of the authentication key in bits.
+	       Must be between 1 and 512 bits; the default is 128.
+	  </P
+></DD
+><DT
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>keyfile</I
+></TT
+></DT
+><DD
+><P
+>	       Used with the <B
+CLASS="COMMAND"
+>-a</B
+> option to specify
+	       an alternate location for <TT
+CLASS="FILENAME"
+>rndc.key</TT
+>.
+	  </P
+></DD
+><DT
+>-h</DT
+><DD
+><P
+>	       Prints a short summary of the options and arguments to
+	       <B
+CLASS="COMMAND"
+>rndc-confgen</B
+>.
+	  </P
+></DD
+><DT
+>-k <TT
+CLASS="REPLACEABLE"
+><I
+>keyname</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the key name of the rndc authentication key.
+	       This must be a valid domain name.
+	       The default is <TT
+CLASS="CONSTANT"
+>rndc-key</TT
+>.
+	  </P
+></DD
+><DT
+>-p <TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the command channel port where <B
+CLASS="COMMAND"
+>named</B
+>
+	       listens for connections from <B
+CLASS="COMMAND"
+>rndc</B
+>.
+	       The default is 953.
+	  </P
+></DD
+><DT
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomfile</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies a source of random data for generating the
+	       authoriazation.  If the operating
+	       system does not provide a <TT
+CLASS="FILENAME"
+>/dev/random</TT
+>
+	       or equivalent device, the default source of randomness
+	       is keyboard input.  <TT
+CLASS="FILENAME"
+>randomdev</TT
+> specifies
+	       the name of a character device or file containing random
+	       data to be used instead of the default.  The special value
+	       <TT
+CLASS="FILENAME"
+>keyboard</TT
+> indicates that keyboard
+	       input should be used.
+	  </P
+></DD
+><DT
+>-p <TT
+CLASS="REPLACEABLE"
+><I
+>protocol</I
+></TT
+></DT
+><DD
+><P
+>	       Sets the protocol value for the generated key.  The protocol
+	       is a number between 0 and 255.  The default is 2 (email) for
+	       keys of type USER and 3 (DNSSEC) for all other key types.
+	       Other possible values for this argument are listed in
+	       RFC 2535 and its successors.
+	  </P
+></DD
+><DT
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>address</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the IP address where <B
+CLASS="COMMAND"
+>named</B
+>
+	       listens for command channel connections from
+	       <B
+CLASS="COMMAND"
+>rndc</B
+>.  The default is the loopback
+	       address 127.0.0.1.
+	  </P
+></DD
+><DT
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>chrootdir</I
+></TT
+></DT
+><DD
+><P
+>	       Used with the <B
+CLASS="COMMAND"
+>-a</B
+> option to specify
+	       a directory where <B
+CLASS="COMMAND"
+>named</B
+> will run
+	       chrooted.  An additional copy of the <TT
+CLASS="FILENAME"
+>rndc.key</TT
+>
+	       will be written relative to this directory so that
+	       it will be found by the chrooted <B
+CLASS="COMMAND"
+>named</B
+>.
+	  </P
+></DD
+><DT
+>-u <TT
+CLASS="REPLACEABLE"
+><I
+>user</I
+></TT
+></DT
+><DD
+><P
+>	       Used with the <B
+CLASS="COMMAND"
+>-a</B
+> option to set the owner
+	       of the <TT
+CLASS="FILENAME"
+>rndc.key</TT
+> file generated.
+	  </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN145"
+></A
+><H2
+>EXAMPLES</H2
+><P
+>        To allow <B
+CLASS="COMMAND"
+>rndc</B
+> to be used with
+	no manual configuration, run
+    </P
+><P
+>        <TT
+CLASS="USERINPUT"
+><B
+>rndc-confgen -a</B
+></TT
+>
+    </P
+><P
+>        To print a sample <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> file and
+	corresponding <B
+CLASS="COMMAND"
+>controls</B
+> and <B
+CLASS="COMMAND"
+>key</B
+>
+	statements to be manually inserted into <TT
+CLASS="FILENAME"
+>named.conf</TT
+>,
+	run
+    </P
+><P
+>        <TT
+CLASS="USERINPUT"
+><B
+>rndc-confgen</B
+></TT
+>
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN158"
+></A
+><H2
+>SEE ALSO</H2
+><P
+>      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>rndc</SPAN
+>(8)</SPAN
+>,
+      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>rndc.conf</SPAN
+>(5)</SPAN
+>,
+      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>,
+      <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN171"
+></A
+><H2
+>AUTHOR</H2
+><P
+>        Internet Software Consortium
+    </P
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file