[9.20] fix: doc: Minor documentation fixes for the 'rndc dnssec' command

List 'rndc dnssec' arguments in alphabetic order. The `-step` argument was erroneously omitted from the usage output. Closes #5731 Backport of MR !11529 Merge branch 'backport-5731-rndc-documentation-corrections-9.20' into 'bind-9.20' See merge request isc-projects/bind9!11554
2026-06-11 06:49:58 -04:00 · 2026-02-18 14:20:58 +00:00 · 2026-02-18 14:20:58 +00:00 · 68ccf6ab4f
commit 68ccf6ab4f
parent 87a8d4fccc 9101096e1e
2 changed files with 44 additions and 23 deletions
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@ -114,6 +114,10 @@ command is one of the following:\n\
  dnssec -status zone [class [view]]\n\
 		Show the DNSSEC signing state for the specified zone.\n\
 		Requires the zone to have a dnssec-policy.\n\
+  dnssec -step zone [class [view]]\n\
+		Run the key manager for a zone configured with a\n\
+		dnssec-policy in manual mode, executing the operations that\n\
+		had previously been blocked (if any).\n\
  dnstap -reopen\n\
 		Close, truncate and re-open the DNSTAP output file.\n\
  dnstap -roll [count]\n\
--- a/bin/rndc/rndc.rst
+++ b/bin/rndc/rndc.rst
@ -171,34 +171,51 @@ Currently supported commands are:

   See also :option:`rndc addzone` and :option:`rndc modzone`.

-.. option:: dnssec (-status | -step | -rollover -key id [-alg algorithm] [-when time] | -checkds [-key id [-alg algorithm]] [-when time]  published | withdrawn)) zone [class [view]]
+.. option:: dnssec

-   This command allows you to interact with the "dnssec-policy" of a given
-   zone.
+   The following commands allow you to interact with the "dnssec-policy" of a
+   given zone.

-   ``rndc dnssec -status`` show the DNSSEC signing state for the specified
-   zone.
+   .. program:: rndc dnssec
+   .. option:: -checkds [-key id [-alg algorithm]] [-when time] (published | withdrawn) zone [class [view]]

-   ``rndc dnssec -step`` sends a signal to an instance of :iscman:`named` for a
-   zone configured with ``dnssec-policy`` in manual mode, telling it to
-   continue with the operations that had previously been blocked but logged.
-   This gives the human operator a chance to review the log messages,
-   understand what will happen next and then, using ``rndc dnssec -step``, to
-   inform :iscman:`named` to proceed to the next stage.
+     This command informs :iscman:`named` that the DS for a specified zone's
+     key-signing key (KSK) has been confirmed to be published in, or withdrawn
+     from, the parent zone. This is required in order to complete a KSK
+     rollover.  The ``-key id`` and ``-alg algorithm`` arguments can be used to
+     specify a particular KSK, if necessary; if there is only one key acting
+     as a KSK for the zone, these arguments can be omitted. The time of
+     publication or withdrawal for the DS is set to the current time by
+     default, but can be overridden to a specific time with the argument
+     ``-when time``, where ``time`` is expressed in YYYYMMDDHHMMSS notation.

-   ``rndc dnssec -rollover`` allows you to schedule key rollover for a
-   specific key (overriding the original key lifetime).
+   .. program:: rndc dnssec
+   .. option:: -rollover -key id [-alg algorithm] [-when time] zone [class [view]]

-   ``rndc dnssec -checkds`` informs :iscman:`named` that the DS for
-   a specified zone's key-signing key has been confirmed to be published
-   in, or withdrawn from, the parent zone. This is required in order to
-   complete a KSK rollover.  The ``-key id`` and ``-alg algorithm`` arguments
-   can be used to specify a particular KSK, if necessary; if there is only
-   one key acting as a KSK for the zone, these arguments can be omitted.
-   The time of publication or withdrawal for the DS is set to the current
-   time by default, but can be overridden to a specific time with the
-   argument ``-when time``, where ``time`` is expressed in YYYYMMDDHHMMSS
-   notation.
+     This command allows you to schedule key rollover for a specific key
+     (overriding the original key lifetime).  The ``-key id`` and
+     ``-alg algorithm`` arguments specify which key to roll.  The time to start
+     the rollover can be set with ``-when time``, where ``time`` is expressed in
+     YYYYMMDDHHMMSS. If not set the rollover will start immediately.
+
+   .. program:: rndc dnssec
+   .. option:: -status [-v] zone [class [view]]
+
+     This command shows the DNSSEC signing state for the specified zone.
+     Adding ``-v`` also lists no longer used keys and shows the key states of
+     the keys.
+
+   .. program:: rndc dnssec
+   .. option:: -step zone [class [view]]
+
+     This command sends a signal to an instance of :iscman:`named` for a
+     zone configured with ``dnssec-policy`` in manual mode, telling it to
+     continue with the operations that had previously been blocked but logged.
+     This gives the human operator a chance to review the log messages,
+     understand what will happen next and then, using ``rndc dnssec -step``, to
+     inform :iscman:`named` to proceed to the next stage.
+
+.. program:: rndc

 .. option:: dnstap (-reopen | -roll [number])