diff --git a/bin/rndc/Makefile.in b/bin/rndc/Makefile.in
index bf9713cd3c..68e30c2187 100644
--- a/bin/rndc/Makefile.in
+++ b/bin/rndc/Makefile.in
@@ -13,7 +13,7 @@
 # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.22 2001/03/28 01:00:58 halley Exp $
+# $Id: Makefile.in,v 1.23 2001/03/28 02:02:22 halley Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -47,9 +47,9 @@ OBJS =		rndc.@O@
 
 SRCS =		rndc.c
 
-MANPAGES =	rndc.8
+MANPAGES =	rndc.8 rndc.conf.5
 
-HTMLPAGES =	rndc.html
+HTMLPAGES =	rndc.html rndc.conf.html
 
 MANOBJS =	${MANPAGES} ${HTMLPAGES}
 
diff --git a/bin/rndc/rndc.conf.5 b/bin/rndc/rndc.conf.5
index bac24fbebe..43db7a7e06 100644
--- a/bin/rndc/rndc.conf.5
+++ b/bin/rndc/rndc.conf.5
@@ -12,206 +12,130 @@
 .\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
 .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-.\" $Id: rndc.conf.5,v 1.14 2001/03/28 00:21:56 bwelling Exp $
-
-.Dd Jun 30, 2000
-.Dt RDNC.CONF 5
-.Os BIND9 9
-.ds vT BIND9 Programmer's Manual
-.Sh NAME
-.Nm rndc.conf
-.Nd rndc configuration file
-.Sh SYNOPSIS
-.Nm rndc.conf
-.Sh DESCRIPTION
-The BIND9 utility for controlling the name server,
-.Nm rndc ,
-has its own configuration file
-.Pa /etc/rndc.conf .
-This file has a similar structure and syntax to
-.Pa named.conf ,
-the file used to configure the name server.
-Statements are enclosed in braces and terminated with a semi-colon.
-Clauses in the statements are also semi-colon terminated.
-The usual comment styles are supported:
-.Bl -tag -width UNIX-style:
-.It C style: /* */
-.It C++ style: // to end of line
-.It Unix style: # to end of line
-.El
-.Pp
-.Pa rndc.conf
-is much simpler than
-.Pa named.conf .
-The file uses three statements: an
-.Dv options
-statement, a
-.Dv server
-statement and a
-.Dv key
-statement.
-.Pp
-The
-.Dv options
-statement contains three clauses.
-The
-.Dv default-server
-clause
-is followed by the name or address of a name server.
-This host will
-be used when no name server is given as an argument to
-.Nm rndc .
-The
-.Dv default-key
-clause
-is followed by the name of a key which is identified by a
-.Dv key
-statement.
-If no
-.Fl y
-option is provided on the
-.Xr rndc
-command line, and no
-.Dv key
-clause is found in a matching
-.Dv server
-statement, this default key will be used to authenticate the server's
-commands and responses.
-The
-.Dv default-port clause is followed by the port to connect
-to on the remote name server.  If no
-.Fl p
-option is provided on the
-.Xr rndc
-command line, and no
-.Dv port
-clause is found in a matching
-.Dv server
-statement, this default port will be used to connect.
-.Pp
-After the keyword
-.Dv server ,
-the
-.Dv server
-statement is followed by a string which is the hostname or address for a
-name server.
-The statement has two possible clauses:
-.Dv key
-and
-.Dv port .
-The key name must match the name of a
-.Dv key
-statement in the file.  The port number specifies the port to connect to.
-.Pp
-The
-.Dv key
-statement begins with an identifying string, the name of the key.
-The statement has two clauses.
-.Dv algorithm
-identifies the encryption algorithm for
-.Nm rndc
-to use; currently only HMAC-MD5 is supported.
-This is followed by a
-.Dv secret
-clause which contains the base-64 encoding of the
-algorithm's encryption key.
-The base-64 string is enclosed in double quotes.
-.Pp
+.TH "RNDC.CONF" "5" "June 30, 2000" "BIND9" ""
+.SH NAME
+rndc.conf \- rndc configuration file
+.SH SYNOPSIS
+.sp
+\fBrndc.conf\fR
+.SH "DESCRIPTION"
+.PP
+\fIrndc.conf\fR is the configuration file
+for \fBrndc\fR, the BIND 9 name server control
+utility. This file has a similar structure and syntax to
+\fInamed.conf\fR. Statements are enclosed
+in braces and terminated with a semi-colon. Clauses in
+the statements are also semi-colon terminated. The usual
+comment styles are supported:
+.PP
+C style: /* */
+.PP
+C++ style: // to end of line
+.PP
+Unix style: # to end of line
+.PP
+\fIrndc.conf\fR is much simpler than
+\fInamed.conf\fR. The file uses three
+statements: an options statement, a server statement
+and a key statement.
+.PP
+The \fBoptions\fR statement contains three clauses.
+The \fBdefault-server\fR clause is followed by the
+name or address of a name server. This host will be used when
+no name server is given as an argument to
+\fBrndc\fR. The \fBdefault-key\fR
+clause is followed by the name of a key which is identified by
+a \fBkey\fR statement. If no
+\fBkeyid\fR is provided on the rndc command line,
+and no \fBkey\fR clause is found in a matching
+\fBserver\fR statement, this default key will be
+used to authenticate the server's commands and responses. The
+\fBdefault-port\fR clause is followed by the port
+to connect to on the remote name server. If no
+\fBport\fR option is provided on the rndc command
+line, and no \fBport\fR clause is found in a
+matching \fBserver\fR statement, this default port
+will be used to connect.
+.PP
+After the \fBserver\fR keyword, the server statement
+includes a string which is the hostname or address for a name
+server. The statement has two possible clauses:
+\fBkey\fR and \fBport\fR. The key name must
+match the name of a key statement in the file. The port number
+specifies the port to connect to.
+.PP
+The \fBkey\fR statement begins with an identifying
+string, the name of the key. The statement has two clauses.
+\fBalgorithm\fR identifies the encryption algorithm
+for \fBrndc\fR to use; currently only HMAC-MD5 is
+supported. This is followed by a secret clause which contains
+the base-64 encoding of the algorithm's encryption key. The
+base-64 string is enclosed in double quotes.
+.PP
 There are two common ways to generate the base-64 string for the
-.Dv secret .
-The BIND 9 program
-.Xr dnssec-keygen 8
-can be used to generate a random key, or the
-.Xr mmencode 1
-program, also known as
-.Xr mimencode 1 ,
-can be used to generate a base-64 string from known input.
-.Xr mmencode
-does not ship with BIND 9 but is available on many systems.
-See the
-.Sx EXAMPLES
-section for sample command lines for each.
-.Pp
-Host and key names must be quoted using double quotes if they
-match a keyword, such as having a key named "key".
-.Sh EXAMPLE
-.Bd -literal indent
-options {
-    default-server  localhost;
-    default-key     samplekey;
-};
+secret. The BIND 9 program \fBdnssec-keygen\fR can
+be used to generate a random key, or the
+\fBmmencode\fR program, also known as
+\fBmimencode\fR, can be used to generate a base-64
+string from known input. \fBmmencode\fR does not
+ship with BIND 9 but is available on many systems. See the
+EXAMPLE section for sample command lines for each.
+.SH "EXAMPLE"
+.sp
+.nf
+    options {
+        default-server  localhost;
+        default-key     samplekey;
+      };
 
-server localhost {
-    key     samplekey;
-};
+      server localhost {
+        key             samplekey;
+      };
 
-key samplekey {
-    algorithm hmac-md5;
-    secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
-};
-.Ed
-.Pp
-In the above example,
-.Nm rndc
-will by default use the server at localhost (127.0.0.1) and the key called
-.Dv samplekey .
-Commands to the localhost server will use the
-.Dv samplekey
-key, which must also be defined in the server's configuration file with
-the same name and secret.
-The
-.Dv key
-statement indicates that
-.Dv samplekey
-uses the HMAC-MD5 algorithm and its
-.Dv secret
-clause contains the base-64 encoding of the HMAC-MD5 secret enclosed
-in double quotes.
-.Pp
-To generate a random secret with
-.Xr dnssec-keygen :
-.Bd -literal indent
-$ dnssec-keygen -a hmac-md5 -b 128 -n user rndc
-.Ed
-.Pp
+      key samplekey {
+        algorithm       hmac-md5;
+        secret          "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+      };
+    
+.sp
+.fi
+.PP
+In the above example, \fBrndc\fR will by default use
+the server at localhost (127.0.0.1) and the key called samplekey.
+Commands to the localhost server will use the samplekey key, which
+must also be defined in the server's configuration file with the
+same name and secret. The key statement indicates that samplekey
+uses the HMAC-MD5 algorithm and its secret clause contains the
+base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
+.PP
+To generate a random secret with \fBdnssec-keygen\fR:
+.PP
+\fB$ dnssec-keygen -a hmac-md5 -b 128 -n user rndc\fR
+.PP
 The base-64 string will appear in two files,
-.Pa Krndc.+157.+{random}.key
-and
-.Pa Krndc.+157.+{random}.private .
-After extracting the key to be
-placed in the
-.Nm rndc.conf
-and
-.Xr named.conf
-.Dv key
-statements, the
-.Pa .key
-and
-.Pa .private
-files can be removed.
-.Pp
-To generate a secret from known input with
-.Xr mmenode :
-.Bd -literal indent
-$ echo "known plaintext for a secret" | mmencode
-.Ed
-.Sh NAME SERVER CONFIGURATION
-The name server must be configured to accept
-.Xr rndc
-connections and to recognize the key specified in
-the
-.Nm rndc.conf
-file, using the
-.Dv controls
-statement in
-.Nm named.conf .
-See the sections on the
-.Dv controls
-statement in the BIND 9 Administrator Reference Manual for
-details.
-.Sh SEE ALSO
-.Xr rndc 8 ,
-.Xr dnssec-keygen 8 ,
-.Xr mmencode 1 ,
-"BIND 9 Administrator Reference Manual".
+\fIKrndc.+157.+{random}.key\fR and
+\fIKrndc.+157.+{random}.private\fR. After
+extracting the key to be placed in the
+\fIrndc.conf\fR and 
+\fInamed.conf\fR key statements, the
+\&.key and .private files can be removed.
+.PP
+To generate a random secret with \fBmmencode\fR:
+.PP
+\fB$ echo "known plaintext for a secret" | mmencode\fR
+.SH "NAME SERVER CONFIGURATION"
+.PP
+The name server must be configured to accept rndc connections and
+to recognize the key specified in the \fIrndc.conf\fR
+file, using the controls statement in \fInamed.conf\fR.
+See the sections on the \fBcontrols\fR statement in the
+BIND 9 Administrator Reference Manual for details.
+.SH "SEE ALSO"
+.PP
+\fBrndc\fR(8),
+\fBdnssec-keygen\fR(8),
+\fBmmencode\fR(1),
+\fIBIND 9 Administrator Reference Manual\fR.
+.SH "AUTHOR"
+.PP
+Internet Software Consortium
diff --git a/bin/rndc/rndc.conf.docbook b/bin/rndc/rndc.conf.docbook
new file mode 100644
index 0000000000..4d56bf1eaf
--- /dev/null
+++ b/bin/rndc/rndc.conf.docbook
@@ -0,0 +1,194 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+
+<refentry>
+  <refentryinfo>
+    <date>June 30, 2000</date>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><filename>rndc.conf</filename></refentrytitle>
+    <manvolnum>5</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><filename>rndc.conf</filename></refname>
+    <refpurpose>rndc configuration file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>rndc.conf</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para>
+        <filename>rndc.conf</filename> is the configuration file
+	for <command>rndc</command>, the BIND 9 name server control
+	utility.  This file has a similar structure and syntax to
+	<filename>named.conf</filename>.  Statements are enclosed
+	in braces and terminated with a semi-colon.  Clauses in
+	the statements are also semi-colon terminated.  The usual
+	comment styles are supported:
+    </para>
+    <para>
+        C style: /* */
+    </para>
+    <para>
+        C++ style: // to end of line
+    </para>
+    <para>
+        Unix style: # to end of line
+    </para>
+    <para>
+        <filename>rndc.conf</filename> is much simpler than
+	<filename>named.conf</filename>.  The file uses three
+	statements: an options statement, a server statement
+	and a key statement.
+    </para>
+    <para>
+        The <option>options</option> statement contains three clauses.
+	The <option>default-server</option> clause is followed by the
+	name or address of a name server.  This host will be used when
+	no name server is given as an argument to
+	<command>rndc</command>.  The <option>default-key</option>
+	clause is followed by the name of a key which is identified by
+	a <option>key</option> statement.  If no
+	<option>keyid</option> is provided on the rndc command line,
+	and no <option>key</option> clause is found in a matching
+	<option>server</option> statement, this default key will be
+	used to authenticate the server's commands and responses.  The
+	<option>default-port</option> clause is followed by the port
+	to connect to on the remote name server.  If no
+	<option>port</option> option is provided on the rndc command
+	line, and no <option>port</option> clause is found in a
+	matching <option>server</option> statement, this default port
+	will be used to connect.
+    </para>
+    <para>
+        After the <option>server</option> keyword, the server statement
+	includes a string which is the hostname or address for a name
+	server.  The statement has two possible clauses:
+	<option>key</option> and <option>port</option>. The key name must
+	match the name of a key statement in the file.  The port number
+	specifies the port to connect to.
+    </para>
+    <para>
+        The <option>key</option> statement begins with an identifying
+	string, the name of the key.  The statement has two clauses.
+	<option>algorithm</option> identifies the encryption algorithm
+	for <command>rndc</command> to use; currently only HMAC-MD5 is
+	supported.  This is followed by a secret clause which contains
+	the base-64 encoding of the algorithm's encryption key.  The
+	base-64 string is enclosed in double quotes.
+    </para>
+    <para>
+        There are two common ways to generate the base-64 string for the
+	secret.  The BIND 9 program <command>dnssec-keygen</command> can
+	be used to generate a random key, or the
+	<command>mmencode</command> program, also known as
+	<command>mimencode</command>, can be used to generate a base-64
+	string from known input.  <command>mmencode</command> does not
+	ship with BIND 9 but is available on many systems.  See the
+	EXAMPLE section for sample command lines for each.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>EXAMPLE</title>
+
+    <programlisting>
+    options {
+        default-server  localhost;
+        default-key     samplekey;
+      };
+
+      server localhost {
+        key             samplekey;
+      };
+
+      key samplekey {
+        algorithm       hmac-md5;
+        secret          "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+      };
+    </programlisting>
+
+    <para>
+        In the above example, <command>rndc</command> will by default use
+	the server at localhost (127.0.0.1) and the key called samplekey.
+	Commands to the localhost server will use the samplekey key, which
+	must also be defined in the server's configuration file with the
+	same name and secret.  The key statement indicates that samplekey
+	uses the HMAC-MD5 algorithm and its secret clause contains the
+	base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
+    </para>
+    <para>
+        To generate a random secret with <command>dnssec-keygen</command>:
+    </para>
+    <para>
+        <userinput>$ dnssec-keygen -a hmac-md5 -b 128 -n user rndc</userinput>
+    </para>
+    <para>
+        The base-64 string will appear in two files,
+	<filename>Krndc.+157.+{random}.key</filename> and
+	<filename>Krndc.+157.+{random}.private</filename>. After
+	extracting the key to be placed in the
+	<filename>rndc.conf</filename> and 
+	<filename>named.conf</filename> key statements, the
+	.key and .private files can be removed.
+    </para>
+    <para>
+        To generate a random secret with <command>mmencode</command>:
+    </para>
+    <para>
+        <userinput>$ echo "known plaintext for a secret" | mmencode</userinput>
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>NAME SERVER CONFIGURATION</title>
+    <para>
+        The name server must be configured to accept rndc connections and
+	to recognize the key specified in the <filename>rndc.conf</filename>
+	file, using the controls statement in <filename>named.conf</filename>.
+	See the sections on the <option>controls</option> statement in the
+	BIND 9 Administrator Reference Manual for details.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>rndc</refentrytitle>
+	<manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>dnssec-keygen</refentrytitle>
+	<manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>mmencode</refentrytitle>
+	<manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>AUTHOR</title>
+    <para>
+        <corpauthor>Internet Software Consortium</corpauthor>
+    </para>
+  </refsect1>
+
+</refentry>
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
+
diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html
new file mode 100644
index 0000000000..1ce2ddd741
--- /dev/null
+++ b/bin/rndc/rndc.conf.html
@@ -0,0 +1,380 @@
+<!--
+ - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+-->
+<HTML
+><HEAD
+><TITLE
+>rndc.conf</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.63
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><TT
+CLASS="FILENAME"
+>rndc.conf</TT
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><TT
+CLASS="FILENAME"
+>rndc.conf</TT
+>&nbsp;--&nbsp;rndc configuration file</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>rndc.conf</B
+> </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN16"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>        <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> is the configuration file
+	for <B
+CLASS="COMMAND"
+>rndc</B
+>, the BIND 9 name server control
+	utility.  This file has a similar structure and syntax to
+	<TT
+CLASS="FILENAME"
+>named.conf</TT
+>.  Statements are enclosed
+	in braces and terminated with a semi-colon.  Clauses in
+	the statements are also semi-colon terminated.  The usual
+	comment styles are supported:
+    </P
+><P
+>        C style: /* */
+    </P
+><P
+>        C++ style: // to end of line
+    </P
+><P
+>        Unix style: # to end of line
+    </P
+><P
+>        <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> is much simpler than
+	<TT
+CLASS="FILENAME"
+>named.conf</TT
+>.  The file uses three
+	statements: an options statement, a server statement
+	and a key statement.
+    </P
+><P
+>        The <TT
+CLASS="OPTION"
+>options</TT
+> statement contains three clauses.
+	The <TT
+CLASS="OPTION"
+>default-server</TT
+> clause is followed by the
+	name or address of a name server.  This host will be used when
+	no name server is given as an argument to
+	<B
+CLASS="COMMAND"
+>rndc</B
+>.  The <TT
+CLASS="OPTION"
+>default-key</TT
+>
+	clause is followed by the name of a key which is identified by
+	a <TT
+CLASS="OPTION"
+>key</TT
+> statement.  If no
+	<TT
+CLASS="OPTION"
+>keyid</TT
+> is provided on the rndc command line,
+	and no <TT
+CLASS="OPTION"
+>key</TT
+> clause is found in a matching
+	<TT
+CLASS="OPTION"
+>server</TT
+> statement, this default key will be
+	used to authenticate the server's commands and responses.  The
+	<TT
+CLASS="OPTION"
+>default-port</TT
+> clause is followed by the port
+	to connect to on the remote name server.  If no
+	<TT
+CLASS="OPTION"
+>port</TT
+> option is provided on the rndc command
+	line, and no <TT
+CLASS="OPTION"
+>port</TT
+> clause is found in a
+	matching <TT
+CLASS="OPTION"
+>server</TT
+> statement, this default port
+	will be used to connect.
+    </P
+><P
+>        After the <TT
+CLASS="OPTION"
+>server</TT
+> keyword, the server statement
+	includes a string which is the hostname or address for a name
+	server.  The statement has two possible clauses:
+	<TT
+CLASS="OPTION"
+>key</TT
+> and <TT
+CLASS="OPTION"
+>port</TT
+>. The key name must
+	match the name of a key statement in the file.  The port number
+	specifies the port to connect to.
+    </P
+><P
+>        The <TT
+CLASS="OPTION"
+>key</TT
+> statement begins with an identifying
+	string, the name of the key.  The statement has two clauses.
+	<TT
+CLASS="OPTION"
+>algorithm</TT
+> identifies the encryption algorithm
+	for <B
+CLASS="COMMAND"
+>rndc</B
+> to use; currently only HMAC-MD5 is
+	supported.  This is followed by a secret clause which contains
+	the base-64 encoding of the algorithm's encryption key.  The
+	base-64 string is enclosed in double quotes.
+    </P
+><P
+>        There are two common ways to generate the base-64 string for the
+	secret.  The BIND 9 program <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> can
+	be used to generate a random key, or the
+	<B
+CLASS="COMMAND"
+>mmencode</B
+> program, also known as
+	<B
+CLASS="COMMAND"
+>mimencode</B
+>, can be used to generate a base-64
+	string from known input.  <B
+CLASS="COMMAND"
+>mmencode</B
+> does not
+	ship with BIND 9 but is available on many systems.  See the
+	EXAMPLE section for sample command lines for each.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN54"
+></A
+><H2
+>EXAMPLE</H2
+><PRE
+CLASS="PROGRAMLISTING"
+>    options {
+        default-server  localhost;
+        default-key     samplekey;
+      };
+
+      server localhost {
+        key             samplekey;
+      };
+
+      key samplekey {
+        algorithm       hmac-md5;
+        secret          "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+      };
+    </PRE
+><P
+>        In the above example, <B
+CLASS="COMMAND"
+>rndc</B
+> will by default use
+	the server at localhost (127.0.0.1) and the key called samplekey.
+	Commands to the localhost server will use the samplekey key, which
+	must also be defined in the server's configuration file with the
+	same name and secret.  The key statement indicates that samplekey
+	uses the HMAC-MD5 algorithm and its secret clause contains the
+	base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
+    </P
+><P
+>        To generate a random secret with <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+>:
+    </P
+><P
+>        <TT
+CLASS="USERINPUT"
+><B
+>$ dnssec-keygen -a hmac-md5 -b 128 -n user rndc</B
+></TT
+>
+    </P
+><P
+>        The base-64 string will appear in two files,
+	<TT
+CLASS="FILENAME"
+>Krndc.+157.+{random}.key</TT
+> and
+	<TT
+CLASS="FILENAME"
+>Krndc.+157.+{random}.private</TT
+>. After
+	extracting the key to be placed in the
+	<TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> and 
+	<TT
+CLASS="FILENAME"
+>named.conf</TT
+> key statements, the
+	.key and .private files can be removed.
+    </P
+><P
+>        To generate a random secret with <B
+CLASS="COMMAND"
+>mmencode</B
+>:
+    </P
+><P
+>        <TT
+CLASS="USERINPUT"
+><B
+>$ echo "known plaintext for a secret" | mmencode</B
+></TT
+>
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN72"
+></A
+><H2
+>NAME SERVER CONFIGURATION</H2
+><P
+>        The name server must be configured to accept rndc connections and
+	to recognize the key specified in the <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+>
+	file, using the controls statement in <TT
+CLASS="FILENAME"
+>named.conf</TT
+>.
+	See the sections on the <TT
+CLASS="OPTION"
+>controls</TT
+> statement in the
+	BIND 9 Administrator Reference Manual for details.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN78"
+></A
+><H2
+>SEE ALSO</H2
+><P
+>      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>rndc</SPAN
+>(8)</SPAN
+>,
+      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>,
+      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>mmencode</SPAN
+>(1)</SPAN
+>,
+      <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN91"
+></A
+><H2
+>AUTHOR</H2
+><P
+>        Internet Software Consortium
+    </P
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file