fix: doc: Minor documentation fixes for the 'rndc dnssec' command

List 'rndc dnssec' arguments in alphabetic order.
The `-step` argument was erroneously omitted from the usage output.

Closes #5731

Merge branch '5731-rndc-documentation-corrections' into 'main'

See merge request isc-projects/bind9!11529

bin/rndc/rndc.c

@@ -111,6 +111,10 @@ command is one of the following:\n\
   dnssec -status zone [class [view]]\n\
 		Show the DNSSEC signing state for the specified zone.\n\
 		Requires the zone to have a dnssec-policy.\n\
+  dnssec -step zone [class [view]]\n\
+		Run the key manager for a zone configured with a\n\
+		dnssec-policy in manual mode, executing the operations that\n\
+		had previously been blocked (if any).\n\
   dnstap -reopen\n\
 		Close, truncate and re-open the DNSTAP output file.\n\
   dnstap -roll [count]\n\

bin/rndc/rndc.rst

@@ -185,6 +185,28 @@ Currently supported commands are:
    The following commands allow you to interact with the "dnssec-policy" of a
    given zone.
 
+   .. program:: rndc dnssec
+   .. option:: -checkds [-key id [-alg algorithm]] [-when time] (published | withdrawn) zone [class [view]]
+
+     This command informs :iscman:`named` that the DS for a specified zone's
+     key-signing key (KSK) has been confirmed to be published in, or withdrawn
+     from, the parent zone. This is required in order to complete a KSK
+     rollover.  The ``-key id`` and ``-alg algorithm`` arguments can be used to
+     specify a particular KSK, if necessary; if there is only one key acting
+     as a KSK for the zone, these arguments can be omitted. The time of
+     publication or withdrawal for the DS is set to the current time by
+     default, but can be overridden to a specific time with the argument
+     ``-when time``, where ``time`` is expressed in YYYYMMDDHHMMSS notation.
+
+   .. program:: rndc dnssec
+   .. option:: -rollover -key id [-alg algorithm] [-when time] zone [class [view]]
+
+     This command allows you to schedule key rollover for a specific key
+     (overriding the original key lifetime).  The ``-key id`` and
+     ``-alg algorithm`` arguments specify which key to roll.  The time to start
+     the rollover can be set with ``-when time``, where ``time`` is expressed in
+     YYYYMMDDHHMMSS. If not set the rollover will start immediately.
+
    .. program:: rndc dnssec
    .. option:: -status [-v] zone [class [view]]
 
@@ -202,28 +224,6 @@ Currently supported commands are:
      understand what will happen next and then, using ``rndc dnssec -step``, to
      inform :iscman:`named` to proceed to the next stage.
 
-   .. program:: rndc dnssec
-   .. option:: -rollover -key id [-alg algorithm] [-when time] zone [class [view]]
-
-     This command allows you to schedule key rollover for a specific key
-     (overriding the original key lifetime).  The ``-key id`` and
-     ``-alg algorithm`` arguments specify which key to roll.  The time to start
-     the rollover can be set with ``-when time``, where ``time`` is expressed in
-     YYYYMMDDHHMMSS. If not set the rollover will start immediately.
-
-   .. program:: rndc dnssec
-   .. option:: -checkds [-key id [-alg algorithm]] [-when time] (published | withdrawn) zone [class [view]]
-
-     This command informs :iscman:`named` that the DS for a specified zone's
-     key-signing key (KSK) has been confirmed to be published in, or withdrawn
-     from, the parent zone. This is required in order to complete a KSK
-     rollover.  The ``-key id`` and ``-alg algorithm`` arguments can be used to
-     specify a particular KSK, if necessary; if there is only one key acting
-     as a KSK for the zone, these arguments can be omitted. The time of
-     publication or withdrawal for the DS is set to the current time by
-     default, but can be overridden to a specific time with the argument
-     ``-when time``, where ``time`` is expressed in YYYYMMDDHHMMSS notation.
-
 .. program:: rndc
 
 .. option:: dnstap (-reopen | -roll [number])