Diffstat (limited to 'doc')
-rw-r--r--doc/Makefile.am212
-rw-r--r--doc/Makefile.in887
-rw-r--r--doc/appendices.rst103
-rw-r--r--doc/conf.py258
-rw-r--r--doc/configuration.rst666
-rw-r--r--doc/index.rst19
-rw-r--r--doc/installation.rst92
-rw-r--r--doc/introduction.rst66
-rw-r--r--doc/logo.eps190
-rw-r--r--doc/logo.pngbin0 -> 7082 bytes
-rw-r--r--doc/man/kdig.1in378
-rw-r--r--doc/man/keymgr.8in286
-rw-r--r--doc/man/khost.1in152
-rw-r--r--doc/man/kjournalprint.8in92
-rw-r--r--doc/man/knot.conf.5in1401
-rw-r--r--doc/man/knotc.8in324
-rw-r--r--doc/man/knotd.8in76
-rw-r--r--doc/man/knsec3hash.1in87
-rw-r--r--doc/man/knsupdate.1in198
-rw-r--r--doc/man/kzonecheck.1in73
-rw-r--r--doc/man_kdig.rst324
-rw-r--r--doc/man_keymgr.rst216
-rw-r--r--doc/man_khost.rst102
-rw-r--r--doc/man_kjournalprint.rst58
-rw-r--r--doc/man_knotc.rst274
-rw-r--r--doc/man_knotd.rst48
-rw-r--r--doc/man_knsec3hash.rst49
-rw-r--r--doc/man_knsupdate.rst164
-rw-r--r--doc/man_kzonecheck.rst45
-rw-r--r--doc/migration.rst146
-rw-r--r--doc/modules.rst.in8
-rw-r--r--doc/operation.rst722
-rw-r--r--doc/reference.rst1558
-rw-r--r--doc/requirements.rst96
-rw-r--r--doc/theme_html/static/admon_caution_48.pngbin0 -> 1553 bytes
-rw-r--r--doc/theme_html/static/admon_important_48.pngbin0 -> 1985 bytes
-rw-r--r--doc/theme_html/static/admon_note_48.pngbin0 -> 2404 bytes
-rw-r--r--doc/theme_html/static/admon_tip_48.pngbin0 -> 2176 bytes
-rw-r--r--doc/theme_html/static/admon_warning_48.pngbin0 -> 1096 bytes
-rw-r--r--doc/theme_html/static/admons.css69
-rw-r--r--doc/theme_html/static/main.css6
-rw-r--r--doc/theme_html/theme.conf4
-rw-r--r--doc/troubleshooting.rst110
-rw-r--r--doc/utilities.rst21
44 files changed, 9580 insertions, 0 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am
new file mode 100644
index 0000000..bbb33a8
--- /dev/null
+++ b/doc/Makefile.am
@@ -0,0 +1,212 @@
+MANPAGES_IN = \
+ man/knot.conf.5in \
+ man/knotc.8in \
+ man/knotd.8in \
+ man/keymgr.8in \
+ man/kjournalprint.8in \
+ man/kdig.1in \
+ man/khost.1in \
+ man/knsupdate.1in \
+ man/knsec3hash.1in \
+ man/kzonecheck.1in
+
+MANPAGES_RST = \
+ man_knotc.rst \
+ man_knotd.rst \
+ man_keymgr.rst \
+ man_kjournalprint.rst \
+ man_kdig.rst \
+ man_khost.rst \
+ man_knsupdate.rst \
+ man_knsec3hash.rst \
+ man_kzonecheck.rst
+
+EXTRA_DIST = \
+ conf.py \
+ \
+ appendices.rst \
+ configuration.rst \
+ index.rst \
+ installation.rst \
+ introduction.rst \
+ migration.rst \
+ modules.rst.in \
+ operation.rst \
+ reference.rst \
+ requirements.rst \
+ troubleshooting.rst \
+ utilities.rst \
+ \
+ $(MANPAGES_IN) \
+ $(MANPAGES_RST) \
+ \
+ logo.eps \
+ logo.png \
+ \
+ theme_html
+
+SPHINX_V = $(SPHINX_V_@AM_V@)
+SPHINX_V_ = $(SPHINX_V_@AM_DEFAULT_V@)
+SPHINX_V_0 = -q
+SPHINX_V_1 = -n
+
+AM_V_SPHINX = $(AM_V_SPHINX_@AM_V@)
+AM_V_SPHINX_ = $(AM_V_SPHINX_@AM_DEFAULT_V@)
+AM_V_SPHINX_0 = @echo " SPHINX $@";
+
+AM_V_ECHO = @sh -c 'if $(AM_V_P); then echo $$1; fi' --
+
+SPHINXBUILDDIR = $(builddir)/_build
+
+_SPHINXOPTS = -c $(srcdir) \
+ -a \
+ $(SPHINX_V)
+
+ALLSPHINXOPTS = $(_SPHINXOPTS) \
+ -D version="$(VERSION)" \
+ -D today="$(RELEASE_DATE)" \
+ -D release="$(VERSION)" \
+ $(SPHINXOPTS) \
+ $(srcdir)
+
+man_SPHINXOPTS = $(_SPHINXOPTS) \
+ -D version="@""VERSION@" \
+ -D today="@""RELEASE_DATE@" \
+ -D release="@""VERSION@" \
+ $(SPHINXOPTS) \
+ $(srcdir)
+
+.PHONY: html-local singlehtml pdf-local info-local man install-html-local install-singlehtml install-pdf-local install-info-local
+
+man_MANS =
+
+if HAVE_DAEMON
+man_MANS += \
+ man/knot.conf.5 \
+ man/knotc.8 \
+ man/knotd.8
+endif # HAVE_DAEMON
+
+if HAVE_UTILS
+if HAVE_DAEMON
+man_MANS += \
+ man/keymgr.8 \
+ man/kjournalprint.8 \
+ man/kzonecheck.1
+endif # HAVE_DAEMON
+
+man_MANS += \
+ man/kdig.1 \
+ man/khost.1 \
+ man/knsupdate.1 \
+ man/knsec3hash.1
+endif # HAVE_UTILS
+
+man/knot.conf.5: man/knot.conf.5in
+man/knotc.8: man/knotc.8in
+man/knotd.8: man/knotd.8in
+man/keymgr.8: man/keymgr.8in
+man/kjournalprint.8: man/kjournalprint.8in
+man/kdig.1: man/kdig.1in
+man/khost.1: man/khost.1in
+man/knsupdate.1: man/knsupdate.1in
+man/knsec3hash.1: man/knsec3hash.1in
+man/kzonecheck.1: man/kzonecheck.1in
+
+man_SUBST = $(AM_V_GEN)mkdir -p man; \
+ sed -e 's,[@]VERSION@,$(VERSION),' \
+ -e 's,[@]RELEASE_DATE@,$(RELEASE_DATE),' \
+ -e 's,[@]config_dir@,$(config_dir),' \
+ -e 's,[@]storage_dir@,$(storage_dir),' \
+ -e 's,[@]run_dir@,$(run_dir),' \
+ -e 's,[@]conf_mapsize@,$(conf_mapsize),' \
+ $< > $@
+
+.1in.1:
+ $(man_SUBST)
+
+.5in.5:
+ $(man_SUBST)
+
+.8in.8:
+ $(man_SUBST)
+
+if HAVE_DOCS
+
+if HAVE_SPHINXBUILD
+html-local:
+ $(AM_V_SPHINX)$(SPHINXBUILD) -b html -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/html
+ $(AM_V_ECHO)
+ $(AM_V_ECHO) "Build finished. The HTML pages are in $(SPHINXBUILDDIR)/html/."
+
+install-html-local:
+ $(INSTALL) -d $(DESTDIR)/$(docdir) $(DESTDIR)/$(docdir)/_static $(DESTDIR)/$(docdir)/_sources
+ $(INSTALL) -D $(SPHINXBUILDDIR)/html/*.html $(DESTDIR)/$(docdir)/
+ $(INSTALL_DATA) $(SPHINXBUILDDIR)/html/_sources/* $(DESTDIR)/$(docdir)/_sources/
+ $(INSTALL_DATA) $(SPHINXBUILDDIR)/html/_static/* $(DESTDIR)/$(docdir)/_static/
+
+singlehtml:
+ $(AM_V_SPHINX)$(SPHINXBUILD) -b singlehtml -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/singlehtml
+ $(AM_V_ECHO)
+ $(AM_V_ECHO) "Build finished. The HTML page is in $(SPHINXBUILDDIR)/singlehtml/."
+
+install-singlehtml: singlehtml
+ $(INSTALL) -d $(DESTDIR)/$(docdir) $(DESTDIR)/$(docdir)/_static
+ $(INSTALL_DATA) $(SPHINXBUILDDIR)/singlehtml/*.html $(DESTDIR)/$(docdir)/
+ $(INSTALL_DATA) $(SPHINXBUILDDIR)/singlehtml/_static/* $(DESTDIR)/$(docdir)/_static/
+
+if HAVE_PDFLATEX
+pdf-local:
+ $(AM_V_SPHINX)$(SPHINXBUILD) -b latex -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/latex
+ $(MAKE) -C $(SPHINXBUILDDIR)/latex all-pdf
+ $(AM_V_ECHO)
+ $(AM_V_ECHO) "Build finished. The PDF file is in $(SPHINXBUILDDIR)/latex/."
+
+install-pdf-local:
+ $(INSTALL) -d $(DESTDIR)/$(docdir)
+ $(INSTALL_DATA) $(SPHINXBUILDDIR)/latex/knot.pdf $(DESTDIR)/$(docdir)/
+
+else
+pdf-local install-pdf-local:
+ $(AM_V_ECHO) "You need to install pdflatex and re-run configure to be"
+ $(AM_V_ECHO) "able to generate PDF documentation."
+endif
+
+if HAVE_MAKEINFO
+info-local:
+ $(AM_V_SPHINX)$(SPHINXBUILD) -b texinfo -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/texinfo
+ $(MAKE) -C $(SPHINXBUILDDIR)/texinfo info
+ $(AM_V_ECHO)
+ $(AM_V_ECHO) "Build finished. The Info file is in $(SPHINXBUILDDIR)/texinfo/."
+
+install-info-local:
+ $(INSTALL) -d $(DESTDIR)/$(infodir)
+ $(INSTALL_DATA) $(SPHINXBUILDDIR)/texinfo/knot.info $(DESTDIR)/$(infodir)/
+
+else
+info-local install-info-local:
+ $(AM_V_ECHO) "You need to install GNU Texinfo and re-run configure to be"
+ $(AM_V_ECHO) "able to generate info pages."
+endif
+
+.NOTPARALLEL: man
+man: $(man_MANS)
+$(MANPAGES_IN): $(MANPAGES_RST)
+ $(AM_V_SPHINX)$(SPHINXBUILD) -b man -d $(SPHINXBUILDDIR)/doctrees $(man_SPHINXOPTS) $(SPHINXBUILDDIR)/man
+ @mkdir -p $(srcdir)/man
+ @for f in $(SPHINXBUILDDIR)/man/*; do \
+ sed -e '/^\.TP$$/ {' -e 'n' -e 's/^\.B //' -e '}' "$$f" > "$(srcdir)/man/$$(basename $$f)in"; \
+ done
+ $(AM_V_ECHO)
+ $(AM_V_ECHO) "Build finished. The man pages are in man/."
+
+else
+html-local singlehtml pdf-local info-local man install-html-local install-singlehtml install-pdf-local install-info-local:
+ $(AM_V_ECHO) "Please install sphinx (python-sphinx) to generate Knot DNS documentation."
+endif # HAVE_SPHINXBUILD
+
+endif # HAVE_DOCS
+
+clean-local:
+ -rm -rf $(SPHINXBUILDDIR)
+ -rm -f man/*.1 man/*.5 man/*.8
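Review bot: In `install-html-local` the HTML pages are copied with `$(INSTALL) -D`, while every other install line in this file uses `$(INSTALL_DATA)`, so the pages would be installed with install's default executable mode instead of 0644; `-D` with several source files is also a GNU extension that a fallback install script may not accept. I would change that line to `$(INSTALL_DATA) $(SPHINXBUILDDIR)/html/*.html "$(DESTDIR)$(docdir)/"`. The install rules also write `$(DESTDIR)/$(docdir)` and `$(DESTDIR)/$(infodir)` with an extra slash and no quoting; the automake convention `"$(DESTDIR)$(docdir)"` avoids a leading `//` when DESTDIR is empty and tolerates spaces in a staging path. Separately, `man_SUBST` splices `$(config_dir)`, `$(storage_dir)` and `$(run_dir)` into `sed` expressions delimited by `,`, so a configured path containing `,` or `&` would corrupt the generated man page. Presumably these are always plain paths, but a comment stating that assumption next to `man_SUBST` would help.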
diff --git a/doc/Makefile.in b/doc/Makefile.in
new file mode 100644
index 0000000..e550de9
--- /dev/null
+++ b/doc/Makefile.in
@@ -0,0 +1,887 @@
+# Makefile.in generated by automake 1.15 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+@HAVE_DAEMON_TRUE@am__append_1 = \
+@HAVE_DAEMON_TRUE@ man/knot.conf.5 \
+@HAVE_DAEMON_TRUE@ man/knotc.8 \
+@HAVE_DAEMON_TRUE@ man/knotd.8
+
+@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@am__append_2 = \
+@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@ man/keymgr.8 \
+@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@ man/kjournalprint.8 \
+@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@ man/kzonecheck.1
+
+@HAVE_UTILS_TRUE@am__append_3 = \
+@HAVE_UTILS_TRUE@ man/kdig.1 \
+@HAVE_UTILS_TRUE@ man/khost.1 \
+@HAVE_UTILS_TRUE@ man/knsupdate.1 \
+@HAVE_UTILS_TRUE@ man/knsec3hash.1
+
+subdir = doc
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/ax_cc_clang.m4 \
+ $(top_srcdir)/m4/ax_check_compile_flag.m4 \
+ $(top_srcdir)/m4/ax_check_link_flag.m4 \
+ $(top_srcdir)/m4/ax_compare_version.m4 \
+ $(top_srcdir)/m4/code-coverage.m4 \
+ $(top_srcdir)/m4/knot-lib-version.m4 \
+ $(top_srcdir)/m4/knot-module.m4 $(top_srcdir)/m4/libtool.m4 \
+ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
+ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
+ $(top_srcdir)/m4/sanitizer.m4 $(top_srcdir)/m4/visibility.m4 \
+ $(top_srcdir)/m4/knot-version.m4 $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/src/config.h
+CONFIG_CLEAN_FILES = modules.rst
+CONFIG_CLEAN_VPATH_FILES =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
+SOURCES =
+DIST_SOURCES =
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+man1dir = $(mandir)/man1
+am__installdirs = "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man5dir)" \
+ "$(DESTDIR)$(man8dir)"
+man5dir = $(mandir)/man5
+man8dir = $(mandir)/man8
+NROFF = nroff
+MANS = $(man_MANS)
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/modules.rst.in
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CC_CLANG_VERSION = @CC_CLANG_VERSION@
+CFLAGS = @CFLAGS@
+CFLAG_VISIBILITY = @CFLAG_VISIBILITY@
+CODE_COVERAGE_ENABLED = @CODE_COVERAGE_ENABLED@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLTOOL = @DLLTOOL@
+DNSTAP_CFLAGS = @DNSTAP_CFLAGS@
+DNSTAP_LIBS = @DNSTAP_LIBS@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GREP = @GREP@
+HAVE_VISIBILITY = @HAVE_VISIBILITY@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+KNOT_VERSION_MAJOR = @KNOT_VERSION_MAJOR@
+KNOT_VERSION_MINOR = @KNOT_VERSION_MINOR@
+KNOT_VERSION_PATCH = @KNOT_VERSION_PATCH@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LDFLAG_EXCLUDE_LIBS = @LDFLAG_EXCLUDE_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PDFLATEX = @PDFLATEX@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PROTOC_C = @PROTOC_C@
+RANLIB = @RANLIB@
+RELEASE_DATE = @RELEASE_DATE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SPHINXBUILD = @SPHINXBUILD@
+STRIP = @STRIP@
+VERSION = @VERSION@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+cap_ng_CFLAGS = @cap_ng_CFLAGS@
+cap_ng_LIBS = @cap_ng_LIBS@
+conf_mapsize = @conf_mapsize@
+config_dir = @config_dir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dlopen_LIBS = @dlopen_LIBS@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+external_lmdb_LIBS = @external_lmdb_LIBS@
+fuzzer_CFLAGS = @fuzzer_CFLAGS@
+fuzzer_LDFLAGS = @fuzzer_LDFLAGS@
+gnutls_CFLAGS = @gnutls_CFLAGS@
+gnutls_LIBS = @gnutls_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libdnssec_SONAME = @libdnssec_SONAME@
+libdnssec_SOVERSION = @libdnssec_SOVERSION@
+libdnssec_VERSION_INFO = @libdnssec_VERSION_INFO@
+libedit_CFLAGS = @libedit_CFLAGS@
+libedit_LIBS = @libedit_LIBS@
+libexecdir = @libexecdir@
+libfstrm_CFLAGS = @libfstrm_CFLAGS@
+libfstrm_LIBS = @libfstrm_LIBS@
+libidn2_CFLAGS = @libidn2_CFLAGS@
+libidn2_LIBS = @libidn2_LIBS@
+libidn_CFLAGS = @libidn_CFLAGS@
+libidn_LIBS = @libidn_LIBS@
+libknot_SONAME = @libknot_SONAME@
+libknot_SOVERSION = @libknot_SOVERSION@
+libknot_VERSION_INFO = @libknot_VERSION_INFO@
+libmaxminddb_CFLAGS = @libmaxminddb_CFLAGS@
+libmaxminddb_LIBS = @libmaxminddb_LIBS@
+libprotobuf_c_CFLAGS = @libprotobuf_c_CFLAGS@
+libprotobuf_c_LIBS = @libprotobuf_c_LIBS@
+liburcu_CFLAGS = @liburcu_CFLAGS@
+liburcu_LIBS = @liburcu_LIBS@
+liburcu_PKGCONFIG = @liburcu_PKGCONFIG@
+libzscanner_SONAME = @libzscanner_SONAME@
+libzscanner_SOVERSION = @libzscanner_SOVERSION@
+libzscanner_VERSION_INFO = @libzscanner_VERSION_INFO@
+lmdb_CFLAGS = @lmdb_CFLAGS@
+lmdb_LIBS = @lmdb_LIBS@
+localedir = @localedir@
+localstatedir = @localstatedir@
+malloc_LIBS = @malloc_LIBS@
+mandir = @mandir@
+math_LIBS = @math_LIBS@
+mkdir_p = @mkdir_p@
+module_dir = @module_dir@
+module_instdir = @module_instdir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+pkgconfigdir = @pkgconfigdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pthread_LIBS = @pthread_LIBS@
+run_dir = @run_dir@
+runstatedir = @runstatedir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+storage_dir = @storage_dir@
+sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+MANPAGES_IN = \
+ man/knot.conf.5in \
+ man/knotc.8in \
+ man/knotd.8in \
+ man/keymgr.8in \
+ man/kjournalprint.8in \
+ man/kdig.1in \
+ man/khost.1in \
+ man/knsupdate.1in \
+ man/knsec3hash.1in \
+ man/kzonecheck.1in
+
+MANPAGES_RST = \
+ man_knotc.rst \
+ man_knotd.rst \
+ man_keymgr.rst \
+ man_kjournalprint.rst \
+ man_kdig.rst \
+ man_khost.rst \
+ man_knsupdate.rst \
+ man_knsec3hash.rst \
+ man_kzonecheck.rst
+
+EXTRA_DIST = \
+ conf.py \
+ \
+ appendices.rst \
+ configuration.rst \
+ index.rst \
+ installation.rst \
+ introduction.rst \
+ migration.rst \
+ modules.rst.in \
+ operation.rst \
+ reference.rst \
+ requirements.rst \
+ troubleshooting.rst \
+ utilities.rst \
+ \
+ $(MANPAGES_IN) \
+ $(MANPAGES_RST) \
+ \
+ logo.eps \
+ logo.png \
+ \
+ theme_html
+
+SPHINX_V = $(SPHINX_V_@AM_V@)
+SPHINX_V_ = $(SPHINX_V_@AM_DEFAULT_V@)
+SPHINX_V_0 = -q
+SPHINX_V_1 = -n
+AM_V_SPHINX = $(AM_V_SPHINX_@AM_V@)
+AM_V_SPHINX_ = $(AM_V_SPHINX_@AM_DEFAULT_V@)
+AM_V_SPHINX_0 = @echo " SPHINX $@";
+AM_V_ECHO = @sh -c 'if $(AM_V_P); then echo $$1; fi' --
+SPHINXBUILDDIR = $(builddir)/_build
+_SPHINXOPTS = -c $(srcdir) \
+ -a \
+ $(SPHINX_V)
+
+ALLSPHINXOPTS = $(_SPHINXOPTS) \
+ -D version="$(VERSION)" \
+ -D today="$(RELEASE_DATE)" \
+ -D release="$(VERSION)" \
+ $(SPHINXOPTS) \
+ $(srcdir)
+
+man_SPHINXOPTS = $(_SPHINXOPTS) \
+ -D version="@""VERSION@" \
+ -D today="@""RELEASE_DATE@" \
+ -D release="@""VERSION@" \
+ $(SPHINXOPTS) \
+ $(srcdir)
+
+man_MANS = $(am__append_1) $(am__append_2) $(am__append_3)
+man_SUBST = $(AM_V_GEN)mkdir -p man; \
+ sed -e 's,[@]VERSION@,$(VERSION),' \
+ -e 's,[@]RELEASE_DATE@,$(RELEASE_DATE),' \
+ -e 's,[@]config_dir@,$(config_dir),' \
+ -e 's,[@]storage_dir@,$(storage_dir),' \
+ -e 's,[@]run_dir@,$(run_dir),' \
+ -e 's,[@]conf_mapsize@,$(conf_mapsize),' \
+ $< > $@
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .1 .1in .5 .5in .8 .8in
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --foreign doc/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+modules.rst: $(top_builddir)/config.status $(srcdir)/modules.rst.in
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+install-man1: $(man_MANS)
+ @$(NORMAL_INSTALL)
+ @list1=''; \
+ list2='$(man_MANS)'; \
+ test -n "$(man1dir)" \
+ && test -n "`echo $$list1$$list2`" \
+ || exit 0; \
+ echo " $(MKDIR_P) '$(DESTDIR)$(man1dir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(man1dir)" || exit 1; \
+ { for i in $$list1; do echo "$$i"; done; \
+ if test -n "$$list2"; then \
+ for i in $$list2; do echo "$$i"; done \
+ | sed -n '/\.1[a-z]*$$/p'; \
+ fi; \
+ } | while read p; do \
+ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; echo "$$p"; \
+ done | \
+ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+ sed 'N;N;s,\n, ,g' | { \
+ list=; while read file base inst; do \
+ if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst" || exit $$?; \
+ fi; \
+ done; \
+ for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+ while read files; do \
+ test -z "$$files" || { \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man1dir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(man1dir)" || exit $$?; }; \
+ done; }
+
+uninstall-man1:
+ @$(NORMAL_UNINSTALL)
+ @list=''; test -n "$(man1dir)" || exit 0; \
+ files=`{ for i in $$list; do echo "$$i"; done; \
+ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.1[a-z]*$$/p'; \
+ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+ dir='$(DESTDIR)$(man1dir)'; $(am__uninstall_files_from_dir)
+install-man5: $(man_MANS)
+ @$(NORMAL_INSTALL)
+ @list1=''; \
+ list2='$(man_MANS)'; \
+ test -n "$(man5dir)" \
+ && test -n "`echo $$list1$$list2`" \
+ || exit 0; \
+ echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \
+ { for i in $$list1; do echo "$$i"; done; \
+ if test -n "$$list2"; then \
+ for i in $$list2; do echo "$$i"; done \
+ | sed -n '/\.5[a-z]*$$/p'; \
+ fi; \
+ } | while read p; do \
+ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; echo "$$p"; \
+ done | \
+ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+ sed 'N;N;s,\n, ,g' | { \
+ list=; while read file base inst; do \
+ if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \
+ fi; \
+ done; \
+ for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+ while read files; do \
+ test -z "$$files" || { \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \
+ done; }
+
+uninstall-man5:
+ @$(NORMAL_UNINSTALL)
+ @list=''; test -n "$(man5dir)" || exit 0; \
+ files=`{ for i in $$list; do echo "$$i"; done; \
+ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.5[a-z]*$$/p'; \
+ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+ dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir)
+install-man8: $(man_MANS)
+ @$(NORMAL_INSTALL)
+ @list1=''; \
+ list2='$(man_MANS)'; \
+ test -n "$(man8dir)" \
+ && test -n "`echo $$list1$$list2`" \
+ || exit 0; \
+ echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
+ { for i in $$list1; do echo "$$i"; done; \
+ if test -n "$$list2"; then \
+ for i in $$list2; do echo "$$i"; done \
+ | sed -n '/\.8[a-z]*$$/p'; \
+ fi; \
+ } | while read p; do \
+ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; echo "$$p"; \
+ done | \
+ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+ sed 'N;N;s,\n, ,g' | { \
+ list=; while read file base inst; do \
+ if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
+ fi; \
+ done; \
+ for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+ while read files; do \
+ test -z "$$files" || { \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
+ done; }
+
+uninstall-man8:
+ @$(NORMAL_UNINSTALL)
+ @list=''; test -n "$(man8dir)" || exit 0; \
+ files=`{ for i in $$list; do echo "$$i"; done; \
+ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.8[a-z]*$$/p'; \
+ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
+tags TAGS:
+
+ctags CTAGS:
+
+cscope cscopelist:
+
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(MANS)
+installdirs:
+ for dir in "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+@HAVE_DOCS_FALSE@install-pdf-local:
+@HAVE_PDFLATEX_FALSE@install-pdf-local:
+@HAVE_SPHINXBUILD_FALSE@install-pdf-local:
+@HAVE_DOCS_FALSE@html-local:
+@HAVE_SPHINXBUILD_FALSE@html-local:
+@HAVE_DOCS_FALSE@install-html-local:
+@HAVE_SPHINXBUILD_FALSE@install-html-local:
+@HAVE_DOCS_FALSE@pdf-local:
+@HAVE_PDFLATEX_FALSE@pdf-local:
+@HAVE_SPHINXBUILD_FALSE@pdf-local:
+@HAVE_DOCS_FALSE@install-info-local:
+@HAVE_MAKEINFO_FALSE@install-info-local:
+@HAVE_SPHINXBUILD_FALSE@install-info-local:
+@HAVE_DOCS_FALSE@info-local:
+@HAVE_MAKEINFO_FALSE@info-local:
+@HAVE_SPHINXBUILD_FALSE@info-local:
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-local mostlyclean-am
+
+distclean: distclean-am
+ -rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am: html-local
+
+info: info-am
+
+info-am: info-local
+
+install-data-am: install-man
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am: install-html-local
+
+install-info: install-info-am
+
+install-info-am: install-info-local
+
+install-man: install-man1 install-man5 install-man8
+
+install-pdf: install-pdf-am
+
+install-pdf-am: install-pdf-local
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am: pdf-local
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-man
+
+uninstall-man: uninstall-man1 uninstall-man5 uninstall-man8
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+ clean-local cscopelist-am ctags-am distclean distclean-generic \
+ distclean-libtool distdir dvi dvi-am html html-am html-local \
+ info info-am info-local install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am \
+ install-html-local install-info install-info-am \
+ install-info-local install-man install-man1 install-man5 \
+ install-man8 install-pdf install-pdf-am install-pdf-local \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-generic \
+ mostlyclean-libtool pdf pdf-am pdf-local ps ps-am tags-am \
+ uninstall uninstall-am uninstall-man uninstall-man1 \
+ uninstall-man5 uninstall-man8
+
+.PRECIOUS: Makefile
+
+
+.PHONY: html-local singlehtml pdf-local info-local man install-html-local install-singlehtml install-pdf-local install-info-local
+
+man/knot.conf.5: man/knot.conf.5in
+man/knotc.8: man/knotc.8in
+man/knotd.8: man/knotd.8in
+man/keymgr.8: man/keymgr.8in
+man/kjournalprint.8: man/kjournalprint.8in
+man/kdig.1: man/kdig.1in
+man/khost.1: man/khost.1in
+man/knsupdate.1: man/knsupdate.1in
+man/knsec3hash.1: man/knsec3hash.1in
+man/kzonecheck.1: man/kzonecheck.1in
+
+.1in.1:
+ $(man_SUBST)
+
+.5in.5:
+ $(man_SUBST)
+
+.8in.8:
+ $(man_SUBST)
+
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@html-local:
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b html -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/html
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO)
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "Build finished. The HTML pages are in $(SPHINXBUILDDIR)/html/."
+
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@install-html-local:
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL) -d $(DESTDIR)/$(docdir) $(DESTDIR)/$(docdir)/_static $(DESTDIR)/$(docdir)/_sources
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL) -D $(SPHINXBUILDDIR)/html/*.html $(DESTDIR)/$(docdir)/
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/html/_sources/* $(DESTDIR)/$(docdir)/_sources/
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/html/_static/* $(DESTDIR)/$(docdir)/_static/
+
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@singlehtml:
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b singlehtml -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/singlehtml
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO)
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "Build finished. The HTML page is in $(SPHINXBUILDDIR)/singlehtml/."
+
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@install-singlehtml: singlehtml
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL) -d $(DESTDIR)/$(docdir) $(DESTDIR)/$(docdir)/_static
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/singlehtml/*.html $(DESTDIR)/$(docdir)/
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/singlehtml/_static/* $(DESTDIR)/$(docdir)/_static/
+
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@pdf-local:
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b latex -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/latex
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(MAKE) -C $(SPHINXBUILDDIR)/latex all-pdf
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO)
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "Build finished. The PDF file is in $(SPHINXBUILDDIR)/latex/."
+
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@install-pdf-local:
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL) -d $(DESTDIR)/$(docdir)
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/latex/knot.pdf $(DESTDIR)/$(docdir)/
+
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_FALSE@@HAVE_SPHINXBUILD_TRUE@pdf-local install-pdf-local:
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_FALSE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "You need to install pdflatex and re-run configure to be"
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_FALSE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "able to generate PDF documentation."
+
+@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@info-local:
+@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b texinfo -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/texinfo
+@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(MAKE) -C $(SPHINXBUILDDIR)/texinfo info
+@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO)
+@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "Build finished. The Info file is in $(SPHINXBUILDDIR)/texinfo/."
+
+@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@install-info-local:
+@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL) -d $(DESTDIR)/$(infodir)
+@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/texinfo/knot.info $(DESTDIR)/$(infodir)/
+
+@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_FALSE@@HAVE_SPHINXBUILD_TRUE@info-local install-info-local:
+@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_FALSE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "You need to install GNU Texinfo and re-run configure to be"
+@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_FALSE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "able to generate info pages."
+
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@.NOTPARALLEL: man
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@man: $(man_MANS)
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@$(MANPAGES_IN): $(MANPAGES_RST)
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b man -d $(SPHINXBUILDDIR)/doctrees $(man_SPHINXOPTS) $(SPHINXBUILDDIR)/man
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ @mkdir -p $(srcdir)/man
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ @for f in $(SPHINXBUILDDIR)/man/*; do \
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ sed -e '/^\.TP$$/ {' -e 'n' -e 's/^\.B //' -e '}' "$$f" > "$(srcdir)/man/$$(basename $$f)in"; \
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ done
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO)
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "Build finished. The man pages are in man/."
+
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_FALSE@html-local singlehtml pdf-local info-local man install-html-local install-singlehtml install-pdf-local install-info-local:
+@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_FALSE@ $(AM_V_ECHO) "Please install sphinx (python-sphinx) to generate Knot DNS documentation."
+
+clean-local:
+ -rm -rf $(SPHINXBUILDDIR)
+ -rm -f man/*.1 man/*.5 man/*.8
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/doc/appendices.rst b/doc/appendices.rst
new file mode 100644
index 0000000..6a3a40b
--- /dev/null
+++ b/doc/appendices.rst
@@ -0,0 +1,103 @@
+.. highlight:: none
+.. _Appendicies:
+
+**********
+Appendices
+**********
+
+.. _compatible_pkcs11_devices:
+
+Compatible PKCS #11 Devices
+===========================
+
+This section has informative character. Knot DNS has been tested with several
+devices which claim to support PKCS #11 interface. The following table
+indicates which algorithms and operations have been observed to work. Please
+notice minimal GnuTLS library version required for particular algorithm
+support.
+
+.. |yes| replace:: **yes**
+.. |no| replace:: no
+.. |unknown| replace:: ?
+
+.. list-table::
+ :header-rows: 1
+ :stub-columns: 1
+
+ * -
+ - Key generate
+ - Key import
+ - ED25519 256-bit
+ - ECDSA 256-bit
+ - ECDSA 384-bit
+ - RSA 1024-bit
+ - RSA 2048-bit
+ - RSA 4096-bit
+ * - `Feitian ePass 2003 <http://www.ftsafe.com/product/epass/epass2003>`_
+ - |yes|
+ - |no|
+ - |no|
+ - |no|
+ - |no|
+ - |yes|
+ - |yes|
+ - |no|
+ * - `SafeNet Network HSM (Luna SA 4) <http://www.safenet-inc.com/data-encryption/hardware-security-modules-hsms/luna-hsms-key-management/luna-sa-network-hsm/>`_
+ - |yes|
+ - |no|
+ - |no|
+ - |no|
+ - |no|
+ - |yes|
+ - |yes|
+ - |yes|
+ * - `SoftHSM 2.0 <https://www.opendnssec.org/softhsm/>`_
+ - |yes|
+ - |yes|
+ - |no|
+ - |yes|
+ - |yes|
+ - |yes|
+ - |yes|
+ - |yes|
+ * - `Trustway Proteccio NetHSM <http://www.bull.com/fr/cybers%C3%A9curit%C3%A9-trustway-proteccio-nethsm>`_
+ - |yes|
+ - ECDSA only
+ - |no|
+ - |yes|
+ - |yes|
+ - |yes|
+ - |yes|
+ - |yes|
+
+.. in progress: key ID checks have to be disabled in code
+ * - `Yubikey NEO <https://www.yubico.com/products/yubikey-hardware/yubikey-neo/>`_
+ - |no|
+ - |no|
+ - |no|
+ - |yes|
+ - |no|
+ - |yes|
+ - |yes|
+ - |no|
+
+The following table summarizes supported DNSSEC algorithm numbers and minimal
+GnuTLS library version required. Any algorithm may work with older library,
+however the supported operations may be limited (e.g. private key import).
+
+.. list-table::
+ :header-rows: 1
+ :stub-columns: 1
+
+ * -
+ - `Numbers <https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1>`_
+ - GnuTLS version
+ * - ED25519
+ - 15
+ - 3.6.0 or newer
+ * - ECDSA
+ - 13, 14
+ - 3.4.8 or newer
+ * - RSA
+ - 5, 7, 8, 10
+ - 3.4.6 or newer
diff --git a/doc/conf.py b/doc/conf.py
new file mode 100644
index 0000000..40b0344
--- /dev/null
+++ b/doc/conf.py
@@ -0,0 +1,258 @@
+# -*- coding: utf-8 -*-
+#
+# Knot DNS documentation build configuration file, created by
+# sphinx-quickstart on Tue Apr 15 13:48:28 2014.
+#
+# This file is execfile()d with the current directory set to its containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+import sys, os, time, logging
+
+sys.setrecursionlimit(1500)
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+sys.path.insert(0, os.path.abspath('.'))
+
+# -- General configuration -----------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be extensions
+# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
+extensions = []
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix of source filenames.
+source_suffix = '.rst'
+
+# The encoding of source files.
+#source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = 'Knot DNS'
+copyright_year = 2019
+current_year = time.localtime().tm_year
+if current_year > copyright_year:
+ logging.warning('Copyright year is %d, but current year is %d.'%(copyright_year, current_year))
+ logging.warning('Maybe you should update copyright_year in doc/conf.py?')
+copyright = u'Copyright 2010–%d, CZ.NIC, z.s.p.o.' % copyright_year
+author = 'CZ.NIC Labs <https://www.knot-dns.cz>'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+#version = ''
+# The full version, including alpha/beta/rc tags.
+#release = ''
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+#today = False
+# Else, today_fmt is used as the format for a strftime call.
+#today_fmt = '%B %d, %Y'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+exclude_patterns = ['_build', 'modules']
+
+# The reST default role (used for this markup: `text`) to use for all documents.
+#default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+#add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+#add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+#show_authors = False
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# A list of ignored prefixes for module index sorting.
+#modindex_common_prefix = []
+
+# -- Options for HTML output ---------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+html_theme = 'theme_html'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further. For a list of options available for each theme, see the
+# documentation.
+#html_theme_options = {}
+
+# Add any paths that contain custom themes here, relative to this directory.
+html_theme_path = ['.']
+
+# The name for this set of Sphinx documents. If None, it defaults to
+# "<project> v<release> documentation".
+#html_title = None
+
+# A shorter title for the navigation bar. Default is the same as html_title.
+#html_short_title = None
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+html_logo = 'logo.png'
+
+# The name of an image file (within the static path) to use as favicon of the
+# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+#html_favicon = None
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+#html_static_path = ['_static']
+
+# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+# using the given strftime format.
+#html_last_updated_fmt = '%b %d, %Y'
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+#html_use_smartypants = False
+
+# Custom sidebar templates, maps document names to template names.
+#html_sidebars = {}
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+#html_additional_pages = {}
+
+# If false, no module index is generated.
+html_domain_indices = False
+
+# If false, no index is generated.
+html_use_index = False
+
+# If true, the index is split into individual pages for each letter.
+#html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+#html_show_sourcelink = True
+
+# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
+#html_show_sphinx = True
+
+# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
+#html_show_copyright = True
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a <link> tag referring to it. The value of this option must be the
+# base URL from which the finished HTML is served.
+#html_use_opensearch = ''
+
+# This is the file name suffix for HTML files (e.g. ".xhtml").
+#html_file_suffix = None
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'KnotDNSdoc'
+
+# -- Options for LaTeX output --------------------------------------------------
+
+latex_elements = {
+# The paper size ('letterpaper' or 'a4paper').
+'papersize': 'a4paper',
+
+# The font size ('10pt', '11pt' or '12pt').
+#'pointsize': '10pt',
+
+# Additional stuff for the LaTeX preamble.
+#'preamble': '',
+
+# No empty pages between chapters
+'classoptions': ',openany,oneside',
+
+# Language preferences
+'babel': '\\usepackage[english]{babel}',
+}
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title, author, documentclass [howto/manual]).
+latex_documents = [
+ ('index', 'knot.tex', 'Knot DNS Documentation', copyright, 'manual'),
+]
+
+# The name of an image file (relative to this directory) to place at the top of
+# the title page.
+latex_logo = 'logo.eps'
+
+# For "manual" documents, if this is true, then toplevel headings are parts,
+# not chapters.
+#latex_use_parts = False
+
+# If true, show page references after internal links.
+#latex_show_pagerefs = False
+
+# If true, show URL addresses after external links.
+#latex_show_urls = False
+
+# Documents to append as an appendix to all manuals.
+#latex_appendices = []
+
+# If false, no module index is generated.
+latex_domain_indices = False
+
+# -- Options for manual page output --------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+ ('reference', 'knot.conf', 'Knot DNS configuration file', author, 5),
+ ('man_knotc', 'knotc', 'Knot DNS control utility', author, 8),
+ ('man_knotd', 'knotd', 'Knot DNS server daemon', author, 8),
+ ('man_keymgr', 'keymgr', 'Knot DNS key management utility', author, 8),
+ ('man_kjournalprint', 'kjournalprint', 'Knot DNS journal print utility', author, 8),
+ ('man_kdig', 'kdig', 'Advanced DNS lookup utility', author, 1),
+ ('man_khost', 'khost', 'Simple DNS lookup utility', author, 1),
+ ('man_knsec3hash', 'knsec3hash', 'Simple utility to compute NSEC3 hash', author, 1),
+ ('man_knsupdate', 'knsupdate', 'Dynamic DNS update utility', author, 1),
+ ('man_kzonecheck', 'kzonecheck', 'Knot DNS zone check tool', author, 1),
+]
+
+# If true, show URL addresses after external links.
+#man_show_urls = False
+
+# -- Options for Texinfo output ------------------------------------------------
+
+# Grouping the document tree into Texinfo files. List of tuples
+# (source start file, target name, title, author,
+# dir menu entry, description, category)
+texinfo_documents = [
+ ('index', 'knot', 'Knot DNS Documentation', author,
+ 'KnotDNS', 'Knot Authoritative DNS Server', 'Miscellaneous')
+]
+
+# Documents to append as an appendix to all manuals.
+#texinfo_appendices = []
+
+# If false, no module index is generated.
+#texinfo_domain_indices = True
+
+# How to display URL addresses: 'footnote', 'no', or 'inline'.
+#texinfo_show_urls = 'footnote'
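Review bot: `sys.path.insert(0, os.path.abspath('.'))` near the top of conf.py puts the doc directory first on the import path for the whole Sphinx build, although `extensions = []` a few lines below means nothing needs to be imported from it. Because conf.py is executed at build time, a .py file in doc/ that shares a name with a standard-library or Sphinx module would be imported in its place, so the entry widens what the documentation build trusts without any visible benefit. The local theme appears to be found through `html_theme_path = ['.']` rather than the import path, so the line could stay commented out, as sphinx-quickstart generates it: `#sys.path.insert(0, os.path.abspath('.'))`. Re-enable it only when a local extension is actually added, with a comment naming that extension.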
diff --git a/doc/configuration.rst b/doc/configuration.rst
new file mode 100644
index 0000000..1d69126
--- /dev/null
+++ b/doc/configuration.rst
@@ -0,0 +1,666 @@
+.. highlight:: none
+.. _Configuration:
+
+*************
+Configuration
+*************
+
+Simple configuration
+====================
+
+The following example presents a simple configuration file
+which can be used as a base for your Knot DNS setup::
+
+ # Example of a very simple Knot DNS configuration.
+
+ server:
+ listen: 0.0.0.0@53
+ listen: ::@53
+
+ zone:
+ - domain: example.com
+ storage: /var/lib/knot/zones/
+ file: example.com.zone
+
+ log:
+ - target: syslog
+ any: info
+
+Now let's walk through this configuration step by step:
+
+- The :ref:`server_listen` statement in the :ref:`server section<Server section>`
+ defines where the server will listen for incoming connections.
+ We have defined the server to listen on all available IPv4 and IPv6 addresses,
+ all on port 53.
+- The :ref:`zone section<Zone section>` defines the zones that the server will
+ serve. In this case, we defined one zone named *example.com* which is stored
+ in the zone file :file:`/var/lib/knot/zones/example.com.zone`.
+- The :ref:`log section<Logging section>` defines the log facilities for
+ the server. In this example, we told Knot DNS to send its log messages with
+ the severity ``info`` or more serious to the syslog.
+
+For detailed description of all configuration items see
+:ref:`Configuration Reference`.
+
+Zone templates
+==============
+
+A zone template allows a single zone configuration to be shared among several zones.
+The ``default`` template identifier is reserved for the default template::
+
+ template:
+ - id: default
+ storage: /var/lib/knot/master
+ semantic-checks: on
+
+ - id: signed
+ storage: /var/lib/knot/signed
+ dnssec-signing: on
+ semantic-checks: on
+ master: [master1, master2]
+
+ - id: slave
+ storage: /var/lib/knot/slave
+
+ zone:
+ - domain: example1.com # Uses default template
+
+ - domain: example2.com # Uses default template
+ semantic-checks: off # Override default settings
+
+ - domain: example.cz
+ template: signed
+ master: master3 # Override masters to just master3
+
+ - domain: example1.eu
+ template: slave
+ master: master1
+
+ - domain: example2.eu
+ template: slave
+ master: master2
+
+.. NOTE::
+ Each template option can be explicitly overridden in zone-specific configuration.
+
+.. _ACL:
+
+Access control list (ACL)
+=========================
+
+The Access control list is a list of rules specifying remotes which are allowed to send certain types of requests to the server.
+Remotes can be specified by a single IP address or a network subnet. A TSIG
+key can also be assigned (see :doc:`keymgr <man_keymgr>` on how to generate a TSIG key).
+
+Without any ACL rules, all the actions are denied for the zone. Each ACL rule
+can allow one or more actions for a given address/subnet/TSIG, or deny them.
+
+If there are multiple ACL rules for a single zone, they are applied in the order
+of appearance in the :ref:`zone_acl` configuration item of a zone or a template.
+The first one to match the given remote is applied, the rest is ignored.
+
+See the following examples and :ref:`ACL section`.
+
+::
+
+ acl:
+ - id: address_rule
+ address: [2001:db8::1, 192.168.2.0/24]
+ action: transfer
+
+ - id: deny_rule
+ address: 192.168.2.100
+ action: transfer
+ deny: on
+
+ zone:
+ - domain: acl1.example.com.
+ acl: [deny_rule, address_rule] # deny_rule first here to take precendence
+
+::
+
+ key:
+ - id: key1 # The real TSIG key name
+ algorithm: hmac-md5
+ secret: Wg==
+
+ acl:
+ - id: deny_all
+ address: 192.168.3.0/24
+ deny: on # no action specified and deny on implies denial of all actions
+
+ - id: key_rule
+ key: key1 # Access based just on TSIG key
+ action: [transfer, notify]
+
+ zone:
+ - domain: acl2.example.com
+ acl: [deny_all, key_rule]
+
+.. NOTE::
+ If more conditions (address ranges and/or a key)
+ are given in a single ACL rule, all of them have to be satisfied for the rule to match.
+
+Slave zone
+==========
+
+Knot DNS doesn't strictly differ between master and slave zones. The
+only requirement is to have a :ref:`master<zone_master>` statement set for
+the given zone. Also note that you need to explicitly allow incoming zone
+changed notifications via ``notify`` :ref:`acl_action` through zone's
+:ref:`zone_acl` list, otherwise the update will be rejected by the server.
+If the zone file doesn't exist it will be bootstrapped over AXFR::
+
+ remote:
+ - id: master
+ address: 192.168.1.1@53
+
+ acl:
+ - id: notify_from_master
+ address: 192.168.1.1
+ action: notify
+
+ zone:
+ - domain: example.com
+ storage: /var/lib/knot/zones/
+ # file: example.com.zone # Default value
+ master: master
+ acl: notify_from_master
+
+Note that the :ref:`zone_master` option accepts a list of multiple remotes.
+The remotes should be listed according to their preference. The first remote
+has the highest preference, the other remotes are used for failover. When the
+server receives a zone update notification from a listed remote, that remote
+will be the most preferred one for the subsequent transfer.
+
+To use TSIG for transfers and notification messages authentication, configure
+a TSIG key and assign the key both to the remote and the ACL rule. Notice that
+the :ref:`remote <Remote section>` and :ref:`ACL <ACL section>` definitions are
+independent::
+
+ key:
+ - id: slave1_key
+ algorithm: hmac-md5
+ secret: Wg==
+
+ remote:
+ - id: master
+ address: 192.168.1.1@53
+ key: slave1_key
+
+ acl:
+ - id: notify_from_master
+ address: 192.168.1.1
+ key: slave1_key
+ action: notify
+
+.. NOTE::
+ When transferring a lot of zones, the server may easily get into a state
+ when all available ports are in the TIME_WAIT state, thus the transfers
+ seize until the operating system closes the ports for good. There are
+ several ways to work around this:
+
+ * Allow reusing of ports in TIME_WAIT (sysctl -w net.ipv4.tcp_tw_reuse=1)
+ * Shorten TIME_WAIT timeout (tcp_fin_timeout)
+ * Increase available local port count
+
+Master zone
+===========
+
+An ACL with the ``transfer`` action must be configured to allow outgoing zone
+transfers. An ACL rule consists of a single address or a network subnet::
+
+ remote:
+ - id: slave1
+ address: 192.168.2.1@53
+
+ acl:
+ - id: slave1_acl
+ address: 192.168.2.1
+ action: transfer
+
+ - id: others_acl
+ address: 192.168.3.0/24
+ action: transfer
+
+ zone:
+ - domain: example.com
+ storage: /var/lib/knot/zones/
+ file: example.com.zone
+ notify: slave1
+ acl: [slave1_acl, others_acl]
+
+Optionally, a TSIG key can be specified::
+
+ key:
+ - id: slave1_key
+ algorithm: hmac-md5
+ secret: Wg==
+
+ remote:
+ - id: slave1
+ address: 192.168.2.1@53
+ key: slave1_key
+
+ acl:
+ - id: slave1_acl
+ address: 192.168.2.1
+ key: slave1_key
+ action: transfer
+
+ - id: others_acl
+ address: 192.168.3.0/24
+ action: transfer
+
+Note that a slave zone may serve as a master zone at the same time::
+
+ remote:
+ - id: master
+ address: 192.168.1.1@53
+ - id: slave1
+ address: 192.168.2.1@53
+
+ acl:
+ - id: notify_from_master
+ address: 192.168.1.1
+ action: notify
+
+ - id: slave1_acl
+ address: 192.168.2.1
+ action: transfer
+
+ - id: others_acl
+ address: 192.168.3.0/24
+ action: transfer
+
+ zone:
+ - domain: example.com
+ storage: /var/lib/knot/zones/
+ file: example.com.zone
+ master: master
+ notify: slave1
+ acl: [notify_from_master, slave1_acl, others_acl]
+
+Dynamic updates
+===============
+
+Dynamic updates for the zone are allowed via proper ACL rule with the
+``update`` action. If the zone is configured as a slave and a DNS update
+message is accepted, the server forwards the message to its primary master.
+The master's response is then forwarded back to the originator.
+
+However, if the zone is configured as a master, the update is accepted and
+processed::
+
+ acl:
+ - id: update_acl
+ address: 192.168.3.0/24
+ action: update
+
+ zone:
+ - domain: example.com
+ file: example.com.zone
+ acl: update_acl
+
+.. _dnssec:
+
+Automatic DNSSEC signing
+========================
+
+Knot DNS supports automatic DNSSEC signing for static zones. The signing
+can operate in two modes:
+
+1. :ref:`Automatic key management <dnssec-automatic-zsk-management>`.
+ In this mode, the server maintains signing keys. New keys are generated
+ according to assigned policy and are rolled automatically in a safe manner.
+ No zone operator intervention is necessary.
+
+2. :ref:`Manual key management <dnssec-manual-key-management>`.
+ In this mode, the server maintains zone signatures only. The signatures
+ are kept up-to-date and signing keys are rolled according to timing
+ parameters assigned to the keys. The keys must be generated and timing
+ parameters must be assigned by the zone operator.
+
+The DNSSEC signing process maintains some metadata which is stored in the
+:abbr:`KASP (Key And Signature Policy)` database. This database is backed
+by LMDB.
+
+.. WARNING::
+ Make sure to set the KASP database permissions correctly. For manual key
+ management, the database must be *readable* by the server process. For
+ automatic key management, it must be *writeable*. If no HSM is used,
+ the database also contains private key material – don't set the permissions
+ too weak.
+
+.. _dnssec-automatic-zsk-management:
+
+Automatic ZSK management
+------------------------
+
+For automatic ZSK management a signing :ref:`policy<Policy section>` has to
+be configured and assigned to the zone. The policy specifies how the zone
+is signed (i.e. signing algorithm, key size, key lifetime, signature lifetime,
+etc.). If no policy is specified or the ``default`` one is assigned, the
+default signing parameters are used.
+
+A minimal zone configuration may look as follows::
+
+ zone:
+ - domain: myzone.test
+ dnssec-signing: on
+
+With a custom signing policy, the policy section will be added::
+
+ policy:
+ - id: rsa
+ algorithm: RSASHA256
+ ksk-size: 2048
+ zsk-size: 1024
+
+ zone:
+ - domain: myzone.test
+ dnssec-signing: on
+ dnssec-policy: rsa
+
+After configuring the server, reload the changes:
+
+.. code-block:: console
+
+ $ knotc reload
+
+The server will generate initial signing keys and sign the zone properly. Check
+the server logs to see whether everything went well.
+
+.. WARNING::
+ This guide assumes that the zone *myzone.test* was not signed prior to
+ enabling the automatic key management. If the zone was already signed, all
+ existing keys must be imported using ``keymgr import-bind`` command
+ before enabling the automatic signing. Also the algorithm in the policy must
+ match the algorithm of all imported keys. Otherwise the zone will be re-signed
+ at all.
+
+.. _dnssec-automatic-ksk-management:
+
+Automatic KSK management
+------------------------
+
+For automatic KSK management, first configure ZSK management like above, and use
+additional options in :ref:`policy section <Policy section>`, mostly specifying
+desired (finite) lifetime for KSK: ::
+
+ remote:
+ - id: test_zone_server
+ address: 192.168.12.1@53
+
+ submission:
+ - id: test_zone_sbm
+ parent: [test_zone_server]
+
+ policy:
+ - id: rsa
+ algorithm: RSASHA256
+ ksk-size: 2048
+ zsk-size: 1024
+ zsk-lifetime: 30d
+ ksk-lifetime: 365d
+ ksk-submission: test_zone_sbm
+
+ zone:
+ - domain: myzone.test
+ dnssec-signing: on
+ dnssec-policy: rsa
+
+After the initially-generated KSK reaches its lifetime, new KSK is published and after
+convenience delay the submission is started. The server publishes CDS and CDNSKEY records
+and the user shall propagate them to the parent. The server periodically checks for
+DS at the master and when positive, finishes the rollover.
+
+To share KSKs among zones, set the ksk-shared policy parameter. It is strongly discouraged to
+change the policy ``id`` afterwards! The shared key's creation timestamp will be equal for all
+zones, but other timers (e.g. activate, retire) may get out of sync. ::
+
+ policy:
+ - id: shared
+ ...
+ ksk-shared: true
+
+ zone:
+ - domain: firstzone.test
+ dnssec-signing: on
+ dnssec-policy: shared
+
+ zone:
+ - domain: secondzone.test
+ dnssec-signing: on
+ dnssec-policy: shared
+
+.. _dnssec-manual-key-management:
+
+Manual key management
+---------------------
+
+For automatic DNSSEC signing with manual key management, a signing policy
+with manual key management flag has to be set::
+
+ policy:
+ - id: manual
+ manual: on
+
+ zone:
+ - domain: myzone.test
+ dnssec-signing: on
+ dnssec-policy: manual
+
+To generate signing keys, use the :doc:`keymgr <man_keymgr>` utility.
+Let's use the Single-Type Signing scheme with two algorithms. Run:
+
+.. code-block:: console
+
+ $ keymgr myzone.test. generate algorithm=ECDSAP256SHA256
+ $ keymgr myzone.test. generate algorithm=ED25519
+
+And reload the server. The zone will be signed.
+
+To perform a manual rollover of a key, the timing parameters of the key need
+to be set. Let's roll the RSA key. Generate a new RSA key, but do not activate
+it yet:
+
+.. code-block:: console
+
+ $ keymgr myzone.test. generate algorithm=RSASHA256 size=1024 active=+1d
+
+Take the key ID (or key tag) of the old RSA key and disable it the same time
+the new key gets activated:
+
+.. code-block:: console
+
+ $ keymgr myzone.test. set <old_key_id> retire=+1d remove=+1d
+
+Reload the server again. The new key will be published (i.e. the DNSKEY record
+will be added into the zone). Do not forget to update the DS record in the
+parent zone to include a reference to the new RSA key. This must happen in one
+day (in this case) including a delay required to propagate the new DS to
+caches.
+
+Note that as the ``+1d`` time specification is computed from the current time,
+the key replacement will not happen at once. First, a new key will be
+activated. A few moments later, the old key will be deactivated and removed.
+You can use exact time specification to make these two actions happen in one
+go.
+
+.. WARNING::
+ If you ever decide to switch from manual key management to automatic key management,
+ note that the automatic key management uses
+ :ref:`policy_zsk-lifetime` and :ref:`policy_ksk-lifetime` policy configuration
+ options to schedule key rollovers and it internally uses timestamps of keys differently
+ than in the manual case. As a consequence it might break if the ``retire`` or ``remove`` timestamps
+ are set for the manually generated keys currently in use. Make sure to set these timestamps
+ to zero using :doc:`keymgr <man_keymgr>`:
+
+ .. code-block:: console
+
+ $ keymgr myzone.test. set <key_id> retire=0 remove=0
+
+ and configure your policy suitably according to :ref:`dnssec-automatic-zsk-management`
+ and :ref:`dnssec-automatic-ksk-management`.
+
+.. _dnssec-signing:
+
+Zone signing
+------------
+
+The signing process consists of the following steps:
+
+#. Processing KASP database events. (e.g. performing a step of a rollover).
+#. Updating the DNSKEY records. The whole DNSKEY set in zone apex is replaced
+ by the keys from the KASP database. Note that keys added into the zone file
+ manually will be removed. To add an extra DNSKEY record into the set, the
+ key must be imported into the KASP database (possibly deactivated).
+#. Fixing the NSEC or NSEC3 chain.
+#. Removing expired signatures, invalid signatures, signatures expiring
+ in a short time, and signatures issued by an unknown key.
+#. Creating missing signatures. Unless the Single-Type Signing Scheme
+ is used, DNSKEY records in a zone apex are signed by KSK keys and
+ all other records are signed by ZSK keys.
+#. Updating and re-signing SOA record.
+
+The signing is initiated on the following occasions:
+
+- Start of the server
+- Zone reload
+- Reaching the signature refresh period
+- Key set changed due to rollover event
+- Received DDNS update
+- Forced zone re-sign via server control interface
+
+On a forced zone re-sign, all signatures in the zone are dropped and recreated.
+
+The ``knotc zone-status`` command can be used to see when the next scheduled
+DNSSEC re-sign will happen.
+
+.. _dnssec-on-slave-signing:
+
+On-slave signing
+----------------
+
+It is possible to enable automatic DNSSEC zone signing even on a slave
+server. If enabled, the zone is signed after every AXFR/IXFR transfer
+from master, so that the slave always serves a signed up-to-date version
+of the zone.
+
+It is strongly recommended to block any outside access to the master
+server, so that only the slave's signed version of the zone is served.
+
+Enabled on-slave signing introduces events when the slave zone changes
+while the master zone remains unchanged, such as a key rollover or
+refreshing of RRSIG records, which cause inequality of zone SOA serial
+between master and slave. The slave server handles this by saving the
+master's SOA serial in a special variable inside KASP DB and appropriately
+modifiying AXFR/IXFR queries/answers to keep the communication with
+master consistent while applying the changes with a different serial.
+
+It is recommended to use UNIX time serial policy on master and incremental
+serial policy on slave so that their SOA serials are equal most of the time.
+
+.. _query-modules:
+
+Query modules
+=============
+
+Knot DNS supports configurable query modules that can alter the way
+queries are processed. Each query requires a finite number of steps to
+be resolved. We call this set of steps a *query plan*, an abstraction
+that groups these steps into several stages.
+
+* Before-query processing
+* Answer, Authority, Additional records packet sections processing
+* After-query processing
+
+For example, processing an Internet-class query needs to find an
+answer. Then based on the previous state, it may also append an
+authority SOA or provide additional records. Each of these actions
+represents a 'processing step'. Now, if a query module is loaded for a
+zone, it is provided with an implicit query plan which can be extended
+by the module or even changed altogether.
+
+A module is active if its name, which includes the ``mod-`` prefix, is assigned
+to the zone/template :ref:`zone_module` option or to the ``default`` template
+:ref:`template_global-module` option if activating for all queries.
+If the module is configurable, a corresponding module section with
+an identifier must be created and then referenced in the form of
+``module_name/module_id``. See :ref:`Modules` for the list of available modules.
+
+.. NOTE::
+ Query modules are processed in the order they are specified in the
+ zone/template configuration. In most cases, the recommended order is::
+
+ mod-synthrecord, mod-onlinesign, mod-rrl, mod-dnstap, mod-stats
+
+Performance Tuning
+==================
+
+Numbers of Workers
+------------------
+
+There are three types of workers ready for parallel execution of performance-oriented tasks:
+UDP workers, TCP workers, and Background workers. The first two types handle all network requests
+coming through UDP and TCP protocol (respectively) and do all the response job for common
+queries. Background workers process changes to the zone.
+
+By default, Knot determines well-fitting number of workers based on the number of CPU cores.
+The user can specify the numbers of workers for each type with configuration/server section:
+:ref:`server_udp-workers`, :ref:`server_tcp-workers`, :ref:`server_background-workers`.
+
+An indication on when to increase number of workers is a situation when the server is lagging behind
+the expected performance, while the CPU usage is low. This is usually because of waiting for network
+or I/O response during the operation. It may be caused by Knot design not fitting well the usecase.
+The user should try increasing the number of workers (of the related type) slightly above 100 and if
+the performance gets better, he can decide about further exact setting.
+
+Sysctl and NIC optimizations
+----------------------------
+
+There are several recommendations based on Knot developers' experience with their specific HW and SW
+(mainstream Intel-based servers, Debian-based GNU/Linux distribution). They may or may not positively
+(or negatively) influence performance in common use cases.
+
+If your NIC driver allows it (see /proc/interrupts for hint), set CPU affinity (/proc/irq/$IRQ/smp_affinity)
+manually so that each NIC channel is served by unique CPU core(s). You must turn off irqbalance service
+before to avoid configuration override.
+
+Configure sysctl as follows: ::
+
+ socket_bufsize=1048576
+ busy_latency=0
+ backlog=40000
+ optmem_max=20480
+
+ net.core.wmem_max = $socket_bufsize
+ net.core.wmem_default = $socket_bufsize
+ net.core.rmem_max = $socket_bufsize
+ net.core.rmem_default = $socket_bufsize
+ net.core.busy_read = $busy_latency
+ net.core.busy_poll = $busy_latency
+ net.core.netdev_max_backlog = $backlog
+ net.core.optmem_max = $optmem_max
+
+Disable huge pages.
+
+Configure your CPU to "performance" mode. This can be achieved depending on architecture, e.g. in BIOS,
+or e.g. configuring /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor to "performance".
+
+Tune your NIC device with ethtool: ::
+
+ ethtool -A $dev autoneg off rx off tx off
+ ethtool -K $dev tso off gro off ufo off
+ ethtool -G $dev rx 4096 tx 4096
+ ethtool -C $dev rx-usecs 75
+ ethtool -C $dev tx-usecs 75
+ ethtool -N $dev rx-flow-hash udp4 sdfn
+ ethtool -N $dev rx-flow-hash udp6 sdfn
+
+On FreeBSD you can just: ::
+
+ ifconfig ${dev} -rxcsum -txcsum -lro -tso
+
+Knot developers are open to hear about users' further suggestions about network devices tuning/optimization.
diff --git a/doc/index.rst b/doc/index.rst
new file mode 100644
index 0000000..c2bd3dd
--- /dev/null
+++ b/doc/index.rst
@@ -0,0 +1,19 @@
+.. highlight:: none
+
+Welcome to Knot DNS's documentation!
+====================================
+
+.. toctree::
+ :maxdepth: 2
+
+ introduction
+ requirements
+ installation
+ configuration
+ operation
+ troubleshooting
+ reference
+ modules
+ utilities
+ migration
+ appendices
diff --git a/doc/installation.rst b/doc/installation.rst
new file mode 100644
index 0000000..b518810
--- /dev/null
+++ b/doc/installation.rst
@@ -0,0 +1,92 @@
+.. highlight:: console
+.. _Installation:
+
+************
+Installation
+************
+
+.. _Installation from a package_:
+
+Installation from a package
+===========================
+
+Knot DNS may already be included in your operating system distribution and
+therefore can be installed from packages (Linux), ports (BSD), or via
+Homebrew (macOS). This is always preferred unless you want to test the latest
+features, contribute to Knot development, or you just know what you are doing.
+
+See the project `download <https://www.knot-dns.cz/download>`_ page for
+the latest information.
+
+.. _Installation from source code:
+
+Installation from source code
+=============================
+
+Required build environment
+--------------------------
+
+The build process relies on these standard tools:
+
+* make
+* libtool
+* pkg-config
+* autoconf >= 2.65
+* python-sphinx (optional, for documentation building)
+
+GCC at least 4.1 is strictly required for atomic built-ins, but the latest
+available version is recommended. Another requirements ``_GNU_SOURCE``
+and C99 support, otherwise it adapts to the compiler available features.
+LLVM clang compiler since version 2.9 can be used as well.
+
+Getting the source code
+-----------------------
+
+You can find the source code for the latest release on `www.knot-dns.cz <https://www.knot-dns.cz>`_.
+Alternatively, you can fetch the whole project from the git repository
+`https://gitlab.labs.nic.cz/knot/knot-dns.git <https://gitlab.labs.nic.cz/knot/knot-dns>`_.
+
+After obtaining the source code, compilation and installation is a quite
+straightforward process using autotools.
+
+.. _Configuring and generating Makefiles:
+
+Configuring and generating Makefiles
+------------------------------------
+
+If compiling from the git source, you need to bootstrap the ``./configure`` file first::
+
+ $ autoreconf -i -f
+
+In most cases, you can just run configure without any options::
+
+ $ ./configure
+
+For all available configure options run::
+
+ $ ./configure --help
+
+Compilation
+-----------
+
+After running ``./configure`` you can compile Knot DNS by running
+``make`` command, which will produce binaries and other related
+files::
+
+ $ make
+
+.. NOTE::
+ The compilation with enabled optimizations may take a long time. In such
+ a case the ``--disable-fastparser`` configure option can help.
+
+Installation
+------------
+
+When you have finished building Knot DNS, it's time to install the
+binaries and configuration files into the operation system hierarchy.
+You can do so by executing::
+
+ $ make install
+
+When installing as a non-root user, you might have to gain elevated privileges by
+switching to root user, e.g. ``sudo make install`` or ``su -c 'make install'``.
diff --git a/doc/introduction.rst b/doc/introduction.rst
new file mode 100644
index 0000000..4b1982d
--- /dev/null
+++ b/doc/introduction.rst
@@ -0,0 +1,66 @@
+.. highlight:: none
+.. _Introduction:
+
+************
+Introduction
+************
+
+What is Knot DNS
+================
+
+Knot DNS is a high-performance open-source DNS server. It
+implements only the authoritative domain name service. Knot DNS
+can reliably serve TLD domains as well as any other zones.
+
+Knot DNS benefits from its multi-threaded and mostly lock-free
+implementation which allows it to scale well on SMP systems and
+operate non-stop even when adding or removing zones.
+
+For more info and downloads see `www.knot-dns.cz <https://www.knot-dns.cz>`_.
+
+Knot DNS features
+=================
+
+DNS features:
+
+* Master and slave operation
+* Internet class (IN)
+* DNS extension (EDNS0)
+* TCP and UDP protocols
+* Dynamic zone updates
+* DNSSEC with NSEC and NSEC3
+* Transaction signature using TSIG
+* Full and incremental zone transfers (AXFR, IXFR)
+* Name server identification using NSID or Chaos TXT records
+* Resource record types A, NS, CNAME, SOA, PTR, HINFO, MINFO, MX,
+ TXT, RP, AFSDB, RT, KEY, AAAA, LOC, SRV, NAPTR, KX, CERT, DNAME, APL, DS,
+ SSHFP, IPSECKEY, RRSIG, NSEC, DNSKEY, DHCID, NSEC3, NSEC3PARAM, TLSA, CDS,
+ CDNSKEY, SPF, NID, L32, L64, LP, EUI48, EUI64, URI, CAA, and Unknown
+
+Server features:
+
+* IPv4 and IPv6 support
+* Semantic zone checks
+* Server control interface
+* Zone journal storage
+* Persistent zone event timers
+* YAML-based or database-based configuration
+* Query processing modules with dynamic loading
+* On-the-fly zone management and server reconfiguration
+* Automatic DNSSEC signing with automatic key maganement and PKCS #11 interface
+
+Remarkable module extensions:
+
+* Response rate limiting
+* Forward and reverse records synthesis
+* DNS request traffic statistics
+* Dnstap traffic logging
+* Online DNSSEC signing
+* GeoIP response tailoring supporting ECS and DNSSEC
+
+License
+=======
+
+Knot DNS is licensed under the `GNU General Public License <https://www.gnu.org/copyleft/gpl.html>`_
+version 3 or (at your option) any later version. The full text of the license
+is available in the ``COPYING`` file distributed with source code.
diff --git a/doc/logo.eps b/doc/logo.eps
new file mode 100644
index 0000000..5ce62ad
--- /dev/null
+++ b/doc/logo.eps
@@ -0,0 +1,190 @@
+%!PS-Adobe-3.0 EPSF-3.0
+%%Creator: cairo 1.13.1 (http://cairographics.org)
+%%CreationDate: Wed Jul 2 14:36:20 2014
+%%Pages: 1
+%%DocumentData: Clean7Bit
+%%LanguageLevel: 2
+%%BoundingBox: 0 -1 285 116
+%%EndComments
+%%BeginProlog
+save
+50 dict begin
+/q { gsave } bind def
+/Q { grestore } bind def
+/cm { 6 array astore concat } bind def
+/w { setlinewidth } bind def
+/J { setlinecap } bind def
+/j { setlinejoin } bind def
+/M { setmiterlimit } bind def
+/d { setdash } bind def
+/m { moveto } bind def
+/l { lineto } bind def
+/c { curveto } bind def
+/h { closepath } bind def
+/re { exch dup neg 3 1 roll 5 3 roll moveto 0 rlineto
+ 0 exch rlineto 0 rlineto closepath } bind def
+/S { stroke } bind def
+/f { fill } bind def
+/f* { eofill } bind def
+/n { newpath } bind def
+/W { clip } bind def
+/W* { eoclip } bind def
+/BT { } bind def
+/ET { } bind def
+/pdfmark where { pop globaldict /?pdfmark /exec load put }
+ { globaldict begin /?pdfmark /pop load def /pdfmark
+ /cleartomark load def end } ifelse
+/BDC { mark 3 1 roll /BDC pdfmark } bind def
+/EMC { mark /EMC pdfmark } bind def
+/cairo_store_point { /cairo_point_y exch def /cairo_point_x exch def } def
+/Tj { show currentpoint cairo_store_point } bind def
+/TJ {
+ {
+ dup
+ type /stringtype eq
+ { show } { -0.001 mul 0 cairo_font_matrix dtransform rmoveto } ifelse
+ } forall
+ currentpoint cairo_store_point
+} bind def
+/cairo_selectfont { cairo_font_matrix aload pop pop pop 0 0 6 array astore
+ cairo_font exch selectfont cairo_point_x cairo_point_y moveto } bind def
+/Tf { pop /cairo_font exch def /cairo_font_matrix where
+ { pop cairo_selectfont } if } bind def
+/Td { matrix translate cairo_font_matrix matrix concatmatrix dup
+ /cairo_font_matrix exch def dup 4 get exch 5 get cairo_store_point
+ /cairo_font where { pop cairo_selectfont } if } bind def
+/Tm { 2 copy 8 2 roll 6 array astore /cairo_font_matrix exch def
+ cairo_store_point /cairo_font where { pop cairo_selectfont } if } bind def
+/g { setgray } bind def
+/rg { setrgbcolor } bind def
+/d1 { setcachedevice } bind def
+%%EndProlog
+%%BeginSetup
+%%EndSetup
+%%Page: 1 1
+%%BeginPageSetup
+%%PageBoundingBox: 0 -1 285 116
+%%EndPageSetup
+q 0 -1 285 117 rectclip q
+q
+0 115.13 285 -116 re W n
+[ 1 0 0 1 0 -0.870003 ] concat
+ q
+0 0.243137 0.517647 rg
+114.34 58.441 m 114.34 41.012 106.602 25.391 94.359 14.828 c 95.051 18.352
+ 95.41 21.98 95.41 25.699 c 95.41 37.102 92.039 47.73 86.262 56.648 c 83.98
+ 53.48 81.379 50.539 78.52 47.891 c 82.18 41.32 84.262 33.75 84.262 25.699
+ c 84.262 22.441 83.91 19.25 83.262 16.18 c 83.191 15.852 83.121 15.512
+83.039 15.18 c 82.961 14.859 82.879 14.52 82.801 14.199 c 82.469 14.289
+82.148 14.379 81.82 14.48 c 81.5 14.57 81.172 14.672 80.859 14.789 c 70.32
+ 18.219 61.441 25.379 55.781 34.711 c 55.602 35.012 55.422 35.32 55.25 35.621
+ c 55.07 35.922 54.91 36.219 54.738 36.52 c 52.961 39.77 51.57 43.27 50.621
+ 46.941 c 50.539 47.27 50.461 47.59 50.379 47.922 c 50.289 48.238 50.219
+ 48.578 50.148 48.91 c 49.5 51.98 49.16 55.18 49.16 58.441 c 49.16 61.699
+ 49.5 64.891 50.148 67.961 c 46.629 68.941 42.922 69.5 39.102 69.559 c 38.379
+ 65.961 38.012 62.238 38.012 58.441 c 38.012 54.629 38.379 50.91 39.102
+47.309 c 39.16 46.969 39.23 46.629 39.32 46.301 c 39.391 45.961 39.461 45.609
+ 39.539 45.281 c 40.441 41.48 41.73 37.82 43.359 34.34 c 43.5 34.02 43.648
+ 33.691 43.82 33.371 c 43.98 33.039 44.141 32.711 44.301 32.391 c 51.039
+ 19.34 62.641 9.199 76.699 4.41 c 70.488 2.121 63.781 0.871 56.781 0.871
+ c 28.219 0.871 4.512 21.68 0 48.969 c 0.25 48.738 0.5 48.52 0.762 48.301
+ c 10.809 39.469 23.969 34.121 38.352 34.121 c 39.309 34.121 40.25 34.141
+ 41.18 34.191 c 39.59 37.719 38.328 41.43 37.449 45.281 c 26.031 45.5 15.609
+ 49.91 7.699 57.039 c 7.441 57.262 7.191 57.5 6.949 57.73 c 6.699 57.961
+ 6.461 58.199 6.23 58.43 c 6.461 58.672 6.699 58.91 6.961 59.129 c 7.199
+ 59.359 7.441 59.602 7.699 59.82 c 15.609 66.961 26.031 71.359 37.449 71.59
+ c 37.75 71.602 38.051 71.602 38.352 71.602 c 38.488 71.602 l 38.84 71.602
+ 39.191 71.59 39.539 71.59 c 43.359 71.488 47.07 70.922 50.621 69.941 c
+50.941 69.84 51.27 69.75 51.59 69.648 c 51.922 69.551 52.238 69.449 52.559
+ 69.352 c 58.719 67.34 64.309 64.07 69.012 59.828 c 71.672 62.43 74.012
+65.371 75.941 68.578 c 70.379 73.469 63.859 77.281 56.699 79.719 c 56.379
+ 79.828 56.051 79.941 55.73 80.039 c 55.391 80.148 55.07 80.262 54.738 80.352
+ c 51.078 81.449 47.281 82.191 43.359 82.531 c 43.012 82.57 42.641 82.59
+ 42.281 82.621 c 41.91 82.641 41.551 82.66 41.18 82.68 c 40.25 82.73 39.309
+ 82.75 38.352 82.75 c 23.98 82.75 10.82 77.398 0.77 68.578 c 0.512 68.352
+ 0.25 68.129 0 67.898 c 4.512 95.191 28.211 116 56.781 116 c 63.781 116
+70.5 114.75 76.711 112.461 c 76.699 112.449 76.699 112.449 76.691 112.449
+ c 62.629 107.66 51.039 97.531 44.301 84.48 c 48.262 84.078 52.09 83.301
+ 55.77 82.148 c 61.43 91.48 70.309 98.648 80.852 102.078 c 81.16 102.18
+81.488 102.281 81.809 102.391 c 82.141 102.488 82.461 102.578 82.789 102.66
+ c 82.871 102.34 82.949 102.012 83.031 101.68 c 83.109 101.352 83.18 101.031
+ 83.25 100.691 c 83.898 97.621 84.25 94.43 84.25 91.16 c 84.25 83.121 82.172
+ 75.559 78.52 68.98 c 78.359 68.68 78.18 68.371 78 68.078 c 77.828 67.781
+ 77.66 67.48 77.469 67.191 c 75.512 64 73.16 61.039 70.488 58.43 c 70.262
+ 58.191 70.012 57.949 69.762 57.73 c 69.52 57.5 69.27 57.262 69.02 57.039
+ c 64.309 52.801 58.719 49.531 52.559 47.52 c 53.512 43.852 54.91 40.371
+ 56.711 37.148 c 63.859 39.578 70.379 43.398 75.941 48.301 c 76.211 48.52
+ 76.461 48.75 76.711 48.988 c 76.969 49.211 77.219 49.449 77.461 49.691
+c 80.281 52.328 82.828 55.27 85.051 58.441 c 85.262 58.73 85.461 59.031
+85.672 59.32 c 85.871 59.621 86.07 59.93 86.262 60.23 c 92.039 69.148 95.398
+ 79.781 95.398 91.16 c 95.398 94.891 95.039 98.531 94.352 102.051 c 106.59
+ 91.488 114.34 75.871 114.34 58.441 c f
+167.582 59.031 m 155.629 59.031 l 143.207 74.242 l 143.207 59.031 l 133.41
+ 59.031 l 133.41 91.512 l 143.207 91.512 l 143.207 76.98 l 154.973 91.512
+ l 165.609 91.512 l 153.516 76.301 l h
+167.582 59.031 m f
+207.121 59.031 m 198.398 59.031 l 181.551 77.125 l 181.551 59.031 l 171.848
+ 59.031 l 171.848 91.512 l 180.543 91.512 l 197.348 73.512 l 197.348 91.512
+ l 207.121 91.512 l h
+207.121 59.031 m f
+240.051 75.297 m 240.051 76.516 239.867 77.629 239.512 78.637 c 239.152
+ 79.645 238.609 80.52 237.883 81.262 c 237.152 82.004 236.27 82.578 235.223
+ 82.992 c 234.176 83.406 232.965 83.613 231.59 83.613 c 228.965 83.613 226.902
+ 82.852 225.402 81.316 c 223.902 79.785 223.152 77.777 223.152 75.297 c
+223.152 72.812 223.902 70.801 225.41 69.262 c 226.918 67.723 228.98 66.949
+ 231.59 66.949 c 233.387 66.949 234.914 67.309 236.184 68.02 c 237.445 68.73
+ 238.406 69.715 239.066 70.973 c 239.723 72.23 240.051 73.672 240.051 75.297
+ c 250.031 75.297 m 250.031 72.266 249.332 69.477 247.938 66.93 c 246.535
+ 64.383 244.453 62.355 241.691 60.855 c 238.926 59.355 235.559 58.605 231.59
+ 58.605 c 227.57 58.605 224.176 59.391 221.395 60.949 c 218.609 62.516 216.543
+ 64.566 215.195 67.113 c 213.844 69.66 213.164 72.391 213.164 75.297 c 213.164
+ 78.219 213.84 80.945 215.184 83.484 c 216.527 86.023 218.594 88.07 221.383
+ 89.629 c 224.168 91.184 227.57 91.961 231.59 91.961 c 234.59 91.961 237.266
+ 91.516 239.613 90.621 c 241.969 89.734 243.902 88.523 245.414 87.004 c
+246.934 85.48 248.078 83.703 248.863 81.684 c 249.645 79.656 250.031 77.527
+ 250.031 75.297 c f
+284.535 83.617 m 272.629 83.617 l 272.629 59.031 l 262.852 59.031 l 262.852
+ 83.617 l 250.949 83.617 l 250.949 91.512 l 284.535 91.512 l h
+284.535 83.617 m f
+156.848 38.824 m 156.848 41.465 156.344 43.523 155.336 45 c 154.328 46.477
+ 153.117 47.465 151.703 47.965 c 150.289 48.465 148.848 48.715 147.379 48.715
+ c 143.207 48.715 l 143.207 29.473 l 147.379 29.473 l 149.941 29.473 152.16
+ 30.082 154.035 31.301 c 155.91 32.52 156.848 35.027 156.848 38.824 c 166.809
+ 38.402 m 166.809 35.074 166.203 32.402 164.992 30.387 c 163.781 28.371
+162.355 26.738 160.715 25.488 c 158.387 23.66 155.129 22.746 150.941 22.746
+ c 133.41 22.746 l 133.41 55.23 l 146.91 55.23 l 148.941 55.23 150.68 55.125
+ 152.125 54.914 c 153.57 54.703 154.871 54.41 156.027 54.023 c 157.184 53.641
+ 158.168 53.211 158.98 52.734 c 159.793 52.258 160.52 51.746 161.16 51.199
+ c 162.27 50.293 163.242 49.223 164.078 47.992 c 164.914 46.754 165.578
+45.324 166.07 43.699 c 166.562 42.074 166.809 40.309 166.809 38.402 c f
+207.168 22.746 m 198.449 22.746 l 181.598 40.84 l 181.598 22.746 l 171.895
+ 22.746 l 171.895 55.23 l 180.59 55.23 l 197.395 37.23 l 197.395 55.23 l
+ 207.168 55.23 l h
+207.168 22.746 m f
+237.074 32.191 m 237.074 30.16 236.555 28.402 235.516 26.918 c 234.477
+25.434 233.027 24.297 231.168 23.508 c 229.309 22.719 227.176 22.324 224.77
+ 22.324 c 224.098 22.324 223.273 22.367 222.297 22.453 c 221.32 22.539 220.023
+ 22.777 218.406 23.168 c 216.789 23.559 215.105 24.137 213.355 24.902 c
+213.355 32.871 l 214.996 31.855 216.609 31.012 218.195 30.34 c 219.781 29.668
+ 221.48 29.332 223.293 29.332 c 224.965 29.332 226.047 29.609 226.539 30.164
+ c 227.031 30.719 227.277 31.238 227.277 31.723 c 227.277 32.598 226.855
+ 33.336 226.012 33.938 c 225.168 34.539 223.941 35.16 222.332 35.801 c 220.551
+ 36.551 218.988 37.367 217.645 38.25 c 216.301 39.133 215.203 40.238 214.352
+ 41.566 c 213.5 42.895 213.074 44.465 213.074 46.277 c 213.074 48.027 213.504
+ 49.609 214.363 51.027 c 215.223 52.438 216.535 53.566 218.301 54.41 c 220.066
+ 55.254 222.223 55.676 224.77 55.676 c 226.582 55.676 228.258 55.5 229.797
+ 55.152 c 231.336 54.797 232.605 54.402 233.605 53.965 c 234.605 53.527
+235.293 53.184 235.668 52.934 c 235.668 45.316 l 234.34 46.27 232.859 47.121
+ 231.227 47.871 c 229.594 48.621 227.848 48.996 225.988 48.996 c 224.77
+48.996 223.887 48.762 223.34 48.293 c 222.793 47.824 222.52 47.246 222.52
+ 46.559 c 222.52 45.918 222.793 45.363 223.34 44.895 c 223.887 44.426 224.863
+ 43.855 226.27 43.184 c 228.77 42.012 230.77 40.957 232.27 40.02 c 233.77
+ 39.082 234.945 38 235.797 36.773 c 236.648 35.547 237.074 34.02 237.074
+ 32.191 c f
+ Q
+Q
+Q Q
+showpage
+%%Trailer
+end restore
+%%EOF
diff --git a/doc/logo.png b/doc/logo.png
new file mode 100644
index 0000000..abdd9d5
--- /dev/null
+++ b/doc/logo.png
Binary files differ
diff --git a/doc/man/kdig.1in b/doc/man/kdig.1in
new file mode 100644
index 0000000..8bb2d01
--- /dev/null
+++ b/doc/man/kdig.1in
@@ -0,0 +1,378 @@
+.\" Man page generated from reStructuredText.
+.
+.TH "KDIG" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+kdig \- Advanced DNS lookup utility
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH SYNOPSIS
+.sp
+\fBkdig\fP [\fIcommon\-settings\fP] [\fIquery\fP [\fIsettings\fP]]...
+.sp
+\fBkdig\fP \fB\-h\fP
+.SH DESCRIPTION
+.sp
+This utility sends one or more DNS queries to a nameserver. Each query can have
+individual \fIsettings\fP, or it can be specified globally via \fIcommon\-settings\fP,
+which must precede \fIquery\fP specification.
+.SS Parameters
+.INDENT 0.0
+.TP
+\fIquery\fP
+\fIname\fP | \fB\-q\fP \fIname\fP | \fB\-x\fP \fIaddress\fP | \fB\-G\fP \fItapfile\fP
+.TP
+\fIcommon\-settings\fP, \fIsettings\fP
+[\fIquery_class\fP] [\fIquery_type\fP] [\fB@\fP\fIserver\fP]... [\fIoptions\fP]
+.TP
+\fIname\fP
+Is a domain name that is to be looked up.
+.TP
+\fIserver\fP
+Is a domain name or an IPv4 or IPv6 address of the nameserver to send a query
+to. An additional port can be specified using address:port ([address]:port
+for IPv6 address), address@port, or address#port notation. If no server is
+specified, the servers from \fB/etc/resolv.conf\fP are used.
+.UNINDENT
+.sp
+If no arguments are provided, \fBkdig\fP sends NS query for the root
+zone.
+.SS Query classes
+.sp
+A \fIquery_class\fP can be either a DNS class name (IN, CH) or generic class
+specification \fBCLASS\fP\fIXXXXX\fP where \fIXXXXX\fP is a corresponding decimal
+class number. The default query class is IN.
+.SS Query types
+.sp
+A \fIquery_type\fP can be either a DNS resource record type
+(A, AAAA, NS, SOA, DNSKEY, ANY, etc.) or one of the following:
+.INDENT 0.0
+.TP
+\fBTYPE\fP\fIXXXXX\fP
+Generic query type specification where \fIXXXXX\fP is a corresponding decimal
+type number.
+.TP
+\fBAXFR\fP
+Full zone transfer request.
+.TP
+\fBIXFR=\fP\fIserial\fP
+Incremental zone transfer request for specified starting SOA serial number.
+.TP
+\fBNOTIFY=\fP\fIserial\fP
+Notify message with a SOA serial hint specified.
+.TP
+\fBNOTIFY\fP
+Notify message with a SOA serial hint unspecified.
+.UNINDENT
+.sp
+The default query type is A.
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-4\fP
+Use the IPv4 protocol only.
+.TP
+\fB\-6\fP
+Use the IPv6 protocol only.
+.TP
+\fB\-b\fP \fIaddress\fP
+Set the source IP address of the query to \fIaddress\fP\&. The address must be a
+valid address for local interface or :: or 0.0.0.0. An optional port
+can be specified in the same format as the \fIserver\fP value.
+.TP
+\fB\-c\fP \fIclass\fP
+An explicit \fIquery_class\fP specification. See possible values above.
+.TP
+\fB\-d\fP
+Enable debug messages.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-k\fP \fIkeyfile\fP
+Use the TSIG key stored in a file \fIkeyfile\fP to authenticate the request. The
+file must contain the key in the same format as accepted by the
+\fB\-y\fP option.
+.TP
+\fB\-p\fP \fIport\fP
+Set the nameserver port number or service name to send a query to. The default
+port is 53.
+.TP
+\fB\-q\fP \fIname\fP
+Set the query name. An explicit variant of \fIname\fP specification. If no \fIname\fP
+is provided, empty question section is set.
+.TP
+\fB\-t\fP \fItype\fP
+An explicit \fIquery_type\fP specification. See possible values above.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.TP
+\fB\-x\fP \fIaddress\fP
+Send a reverse (PTR) query for IPv4 or IPv6 \fIaddress\fP\&. The correct name, class
+and type is set automatically.
+.TP
+\fB\-y\fP [\fIalg\fP:]\fIname\fP:\fIkey\fP
+Use the TSIG key named \fIname\fP to authenticate the request. The \fIalg\fP
+part specifies the algorithm (the default is hmac\-sha256) and \fIkey\fP specifies
+the shared secret encoded in Base64.
+.TP
+\fB\-E\fP \fItapfile\fP
+Export a dnstap trace of the query and response messages received to the
+file \fItapfile\fP\&.
+.TP
+\fB\-G\fP \fItapfile\fP
+Generate message output from a previously saved dnstap file \fItapfile\fP\&.
+.TP
+\fB+\fP[\fBno\fP]\fBmultiline\fP
+Wrap long records to more lines and improve human readability.
+.TP
+\fB+\fP[\fBno\fP]\fBshort\fP
+Show record data only.
+.TP
+\fB+\fP[\fBno\fP]\fBgeneric\fP
+Use the generic representation format when printing resource record types
+and data.
+.TP
+\fB+\fP[\fBno\fP]\fBcrypto\fP
+Display the DNSSEC keys and signatures values in hexdump, instead of omitting them.
+.TP
+\fB+\fP[\fBno\fP]\fBaaflag\fP
+Set the AA flag.
+.TP
+\fB+\fP[\fBno\fP]\fBtcflag\fP
+Set the TC flag.
+.TP
+\fB+\fP[\fBno\fP]\fBrdflag\fP
+Set the RD flag.
+.TP
+\fB+\fP[\fBno\fP]\fBrecurse\fP
+Same as \fB+\fP[\fBno\fP]\fBrdflag\fP
+.TP
+\fB+\fP[\fBno\fP]\fBraflag\fP
+Set the RA flag.
+.TP
+\fB+\fP[\fBno\fP]\fBzflag\fP
+Set the zero flag bit.
+.TP
+\fB+\fP[\fBno\fP]\fBadflag\fP
+Set the AD flag.
+.TP
+\fB+\fP[\fBno\fP]\fBcdflag\fP
+Set the CD flag.
+.TP
+\fB+\fP[\fBno\fP]\fBdnssec\fP
+Set the DO flag.
+.TP
+\fB+\fP[\fBno\fP]\fBall\fP
+Show all packet sections.
+.TP
+\fB+\fP[\fBno\fP]\fBqr\fP
+Show the query packet.
+.TP
+\fB+\fP[\fBno\fP]\fBheader\fP
+Show the packet header.
+.TP
+\fB+\fP[\fBno\fP]\fBcomments\fP
+Show commented section names.
+.TP
+\fB+\fP[\fBno\fP]\fBopt\fP
+Show the EDNS pseudosection.
+.TP
+\fB+\fP[\fBno\fP]\fBquestion\fP
+Show the question section.
+.TP
+\fB+\fP[\fBno\fP]\fBanswer\fP
+Show the answer section.
+.TP
+\fB+\fP[\fBno\fP]\fBauthority\fP
+Show the authority section.
+.TP
+\fB+\fP[\fBno\fP]\fBadditional\fP
+Show the additional section.
+.TP
+\fB+\fP[\fBno\fP]\fBtsig\fP
+Show the TSIG pseudosection.
+.TP
+\fB+\fP[\fBno\fP]\fBstats\fP
+Show trailing packet statistics.
+.TP
+\fB+\fP[\fBno\fP]\fBclass\fP
+Show the DNS class.
+.TP
+\fB+\fP[\fBno\fP]\fBttl\fP
+Show the TTL value.
+.TP
+\fB+\fP[\fBno\fP]\fBtcp\fP
+Use the TCP protocol (default is UDP for standard query and TCP for AXFR/IXFR).
+.TP
+\fB+\fP[\fBno\fP]\fBfastopen\fP
+Use TCP Fast Open (default with TCP).
+.TP
+\fB+\fP[\fBno\fP]\fBignore\fP
+Don\(aqt use TCP automatically if a truncated reply is received.
+.TP
+\fB+\fP[\fBno\fP]\fBtls\fP
+Use TLS with the Opportunistic privacy profile (\fI\%RFC 7858#section\-4.1\fP).
+.TP
+\fB+\fP[\fBno\fP]\fBtls\-ca\fP[=\fIFILE\fP]
+Use TLS with a certificate validation. Certification authority certificates
+are loaded from the specified PEM file (default is system certificate storage
+if no argument is provided).
+Can be specified multiple times. If the +tls\-hostname option is not provided,
+the name of the target server (if specified) is used for strict authentication.
+.TP
+\fB+\fP[\fBno\fP]\fBtls\-pin\fP=\fIBASE64\fP
+Use TLS with the Out\-of\-Band key\-pinned privacy profile (\fI\%RFC 7858#section\-4.2\fP).
+The PIN must be a Base64 encoded SHA\-256 hash of the X.509 SubjectPublicKeyInfo.
+Can be specified multiple times.
+.TP
+\fB+\fP[\fBno\fP]\fBtls\-hostname\fP=\fISTR\fP
+Use TLS with a remote server hostname check.
+.TP
+\fB+\fP[\fBno\fP]\fBtls\-sni\fP=\fISTR\fP
+Use TLS with a Server Name Indication.
+.TP
+\fB+\fP[\fBno\fP]\fBnsid\fP
+Request the nameserver identifier (NSID).
+.TP
+\fB+\fP[\fBno\fP]\fBbufsize\fP=\fIB\fP
+Set EDNS buffer size in bytes (default is 512 bytes).
+.TP
+\fB+\fP[\fBno\fP]\fBpadding\fP[=\fIB\fP]
+Use EDNS(0) padding option to pad queries, optionally to a specific
+size. The default is to pad queries with a sensible amount when using
++tls, and not to pad at all when queries are sent without TLS. With
+no argument (i.e., just +padding) pad every query with a sensible
+amount regardless of the use of TLS. With +nopadding, never pad.
+.TP
+\fB+\fP[\fBno\fP]\fBalignment\fP[=\fIB\fP]
+Align the query to B\-byte\-block message using the EDNS(0) padding option
+(default is no or 128 if no argument is specified).
+.TP
+\fB+\fP[\fBno\fP]\fBsubnet\fP=\fISUBN\fP
+Set EDNS(0) client subnet SUBN=addr/prefix.
+.TP
+\fB+\fP[\fBno\fP]\fBedns\fP[=\fIN\fP]
+Use EDNS version (default is 0).
+.TP
+\fB+\fP[\fBno\fP]\fBtimeout\fP=\fIT\fP
+Set the wait\-for\-reply interval in seconds (default is 5 seconds). This timeout
+applies to each query attempt.
+.TP
+\fB+\fP[\fBno\fP]\fBretry\fP=\fIN\fP
+Set the number (>=0) of UDP retries (default is 2). This doesn\(aqt apply to
+AXFR/IXFR.
+.TP
+\fB+\fP[\fBno\fP]\fBcookie\fP=\fIHEX\fP
+Attach EDNS(0) cookie to the query.
+.TP
+\fB+\fP[\fBno\fP]\fBbadcookie\fP
+Repeat a query with the correct cookie.
+.TP
+\fB+\fP[\fBno\fP]\fBednsopt\fP[=\fICODE\fP[:\fIHEX\fP]]
+Send custom EDNS option. The \fICODE\fP is EDNS option code in decimal, \fIHEX\fP
+is an optional hex encoded string to use as EDNS option value. This argument
+can be used multiple times. +noednsopt clears all EDNS options specified by
++ednsopt.
+.TP
+\fB+noidn\fP
+Disable the IDN transformation to ASCII and vice versa. IDNA2003 support depends
+on libidn availability during project building!
+.UNINDENT
+.SH NOTES
+.sp
+Options \fB\-k\fP and \fB\-y\fP can not be used simultaneously.
+.sp
+Dnssec\-keygen keyfile format is not supported. Use \fBkeymgr(8)\fP instead.
+.SH EXAMPLES
+.INDENT 0.0
+.IP 1. 3
+Get A records for example.com:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ kdig example.com A
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 2. 3
+Perform AXFR for zone example.com from the server 192.0.2.1:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ kdig example.com \-t AXFR @192.0.2.1
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 3. 3
+Get A records for example.com from 192.0.2.1 and reverse lookup for address
+2001:DB8::1 from 192.0.2.2. Both using the TCP protocol:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ kdig +tcp example.com \-t A @192.0.2.1 \-x 2001:DB8::1 @192.0.2.2
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 4. 3
+Get SOA record for example.com, use TLS, use system certificates, check
+for specified hostname, check for certificate pin, and print additional
+debug info:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ kdig \-d @185.49.141.38 +tls\-ca +tls\-host=getdnsapi.net \e
+ +tls\-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH FILES
+.sp
+\fB/etc/resolv.conf\fP
+.SH SEE ALSO
+.sp
+\fBkhost(1)\fP, \fBknsupdate(1)\fP, \fBkeymgr(8)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2019, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/keymgr.8in b/doc/man/keymgr.8in
new file mode 100644
index 0000000..78a322f
--- /dev/null
+++ b/doc/man/keymgr.8in
@@ -0,0 +1,286 @@
+.\" Man page generated from reStructuredText.
+.
+.TH "KEYMGR" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+keymgr \- Knot DNS key management utility
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH SYNOPSIS
+.sp
+\fBkeymgr\fP \fIbasic_option\fP [\fIparameters\fP\&...]
+.sp
+\fBkeymgr\fP [\fIconfig_option\fP \fIconfig_storage\fP] \fIzone\fP \fIcommand\fP \fIargument\fP\&...
+.SH DESCRIPTION
+.sp
+The \fBkeymgr\fP utility serves for manual key management in Knot DNS server.
+.sp
+Functions for DNSSEC keys and KASP (Key And Signature Policy)
+management are provided.
+.sp
+The DNSSEC and KASP configuration is stored in a so called KASP database.
+The database is backed by LMDB.
+.SS Basic options
+.INDENT 0.0
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.TP
+\fB\-t\fP, \fB\-\-tsig\fP \fItsig_name\fP [\fItsig_algorithm\fP] [\fItsig_bits\fP]
+Generates a TSIG key. TSIG algorithm can be specified by string (default: hmac\-sha256),
+bit length of the key by number (default: optimal length given by algorithm). The generated
+TSIG key is only displayed on \fIstdout\fP: the command does not create a file, nor include the
+key in a keystore.
+.UNINDENT
+.SS Config options
+.INDENT 0.0
+.TP
+\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
+Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+.TP
+\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
+Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+The default configuration database, if exists, has a preference to the default
+configuration file.
+.TP
+\fB\-d\fP, \fB\-\-dir\fP \fIpath\fP
+Use specified KASP database path and default configuration.
+.UNINDENT
+.SS Commands
+.INDENT 0.0
+.TP
+\fBlist\fP [\fItimestamp_format\fP]
+Prints the list of key IDs and parameters of keys belonging to the zone.
+.TP
+\fBgenerate\fP [\fIarguments\fP\&...]
+Generates new DNSSEC key and stores it in KASP database. Prints the key ID.
+This action takes some number of arguments (see below). Values for unspecified arguments are taken
+from corresponding policy (if \fI\-c\fP or \fI\-C\fP options used) or from Knot policy defaults.
+.TP
+\fBimport\-bind\fP \fIBIND_key_file\fP
+Imports a BIND\-style key into KASP database (converting it to PEM format).
+Takes one argument: path to BIND key file (private or public, but both MUST exist).
+.TP
+\fBimport\-pub\fP \fIBIND_pubkey_file\fP
+Imports a public key into KASP database. This key won\(aqt be rollovered nor used for signing.
+Takes one argument: path to BIND public key file.
+.TP
+\fBimport\-pem\fP \fIPEM_file\fP [\fIarguments\fP\&...]
+Imports a DNSSEC key from PEM file. The key parameters (same as for the generate action) need to be
+specified (mainly algorithm, timers...) because they are not contained in the PEM format.
+.TP
+\fBimport\-pkcs11\fP \fIkey_id\fP [\fIarguments\fP\&...]
+Imports a DNSSEC key from PKCS #11 storage. The key parameters (same as for the generate action) need to be
+specified (mainly algorithm, timers...) because they are not available. In fact, no key
+data is imported, only KASP database metadata is created.
+.TP
+\fBnsec3\-salt\fP [\fInew_salt\fP]
+Prints the current NSEC3 salt used for signing. If \fInew_salt\fP is specified, the salt is overwritten.
+The salt is printed and expected in hexadecimal, or dash if empty.
+.TP
+\fBset\fP \fIkey_spec\fP [\fIarguments\fP\&...]
+Changes a timing argument (or ksk/zsk) of an existing key to a new value. \fIKey_spec\fP is either the
+key tag or a prefix of the key ID; \fIarguments\fP are like for \fBgenerate\fP, but just the related ones.
+.TP
+\fBds\fP [\fIkey_spec\fP]
+Generate DS record (all digest algorithms together) for specified key. \fIKey_spec\fP
+is like for \fBset\fP, if unspecified, all KSKs are used.
+.TP
+\fBdnskey\fP [\fIkey_spec\fP]
+Generate DNSKEY record for specified key. \fIKey_spec\fP
+is like for \fBds\fP, if unspecified, all KSKs are used.
+.TP
+\fBdelete\fP \fIkey_spec\fP
+Remove the specified key from zone. If the key was not shared, it is also deleted from keystore.
+.TP
+\fBshare\fP \fIkey_ID\fP
+Import a key (specified by full key ID) from another zone as shared. After this, the key is
+owned by both zones equally.
+.UNINDENT
+.SS Generate arguments
+.sp
+Arguments are separated by space, each of them is in format \(aqname=value\(aq.
+.INDENT 0.0
+.TP
+\fBalgorithm\fP
+Either an algorithm number (e.g. 14), or text name without dashes (e.g. ECDSAP384SHA384).
+.TP
+\fBsize\fP
+Key length in bits.
+.TP
+\fBksk\fP
+If set to \fByes\fP, the key will be used for signing DNSKEY rrset. The generated key will also
+have the Secure Entry Point flag set to 1.
+.TP
+\fBzsk\fP
+If set to \fByes\fP, the key will be used for signing zone (except DNSKEY rrset). This flag can
+be set concurrently with the \fBksk\fP flag.
+.TP
+\fBsep\fP
+Overrides the standard setting of the Secure Entry Point flag for the generated key.
+.UNINDENT
+.sp
+The following arguments are timestamps of key lifetime:
+.INDENT 0.0
+.TP
+\fBcreated\fP
+Key created.
+.TP
+\fBpre_active\fP
+Key started to be used for signing, not published (only for algorithm rollover).
+.TP
+\fBpublish\fP
+Key published.
+.TP
+\fBready\fP
+Key used for signing and submitted to the parent zone (only for KSK).
+.TP
+\fBactive\fP
+Key used for signing.
+.TP
+\fBpost_active\fP
+Key still used for singing, but another key is active (only for KSK).
+.TP
+\fBretire_active\fP
+Key no longer published, but still used for signing (only for algorithm rollover).
+.TP
+\fBretire\fP
+Key still published, but no longer used for signing.
+.TP
+\fBremove\fP
+Key deleted.
+.UNINDENT
+.SS Timestamps
+.INDENT 0.0
+.TP
+0
+Zero timestamp means infinite future.
+.TP
+\fIUNIX_time\fP
+Positive number of seconds since 1970 UTC.
+.TP
+\fIYYYYMMDDHHMMSS\fP
+Date and time in this format without any punctuation.
+.TP
+\fIrelative_timestamp\fP
+A sign character (\fB+\fP, \fB\-\fP), a number, and an optional time unit
+(\fBy\fP, \fBmo\fP, \fBd\fP, \fBh\fP, \fBmi\fP, \fBs\fP). The default unit is one second.
+E.g. +1mi, \-2mo.
+.UNINDENT
+.SS Output timestamp formats
+.INDENT 0.0
+.TP
+(none)
+The timestamps are printed as UNIX timestamp.
+.TP
+\fBhuman\fP
+The timestamps are printed relatively to now using time units (e.g. \-2y5mo, +1h13s).
+.TP
+\fBiso\fP
+The timestamps are printed in the ISO8601 format (e.g. 2016\-12\-31T23:59:00).
+.UNINDENT
+.SH EXAMPLES
+.INDENT 0.0
+.IP 1. 3
+Generate new TSIG key:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ keymgr \-t my_name hmac\-sha384
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 2. 3
+Generate new DNSSEC key:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ keymgr example.com. generate algorithm=ECDSAP256SHA256 size=256 \e
+ ksk=true created=1488034625 publish=20170223205611 retire=+10mo remove=+1y
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 3. 3
+Import a DNSSEC key from BIND:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ keymgr example.com. import\-bind ~/bind/Kharbinge4d5.+007+63089.key
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 4. 3
+Configure key timing:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ keymgr example.com. set 4208 active=+2mi retire=+4mi remove=+5mi
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 5. 3
+Share a KSK from another zone:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ keymgr example.com. share e687cf927029e9db7184d2ece6d663f5d1e5b0e9
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fI\%RFC 6781\fP \- DNSSEC Operational Practices.
+\fI\%RFC 7583\fP \- DNSSEC Key Rollover Timing Considerations.
+.sp
+\fBknot.conf(5)\fP,
+\fBknotc(8)\fP,
+\fBknotd(8)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2019, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/khost.1in b/doc/man/khost.1in
new file mode 100644
index 0000000..d102136
--- /dev/null
+++ b/doc/man/khost.1in
@@ -0,0 +1,152 @@
+.\" Man page generated from reStructuredText.
+.
+.TH "KHOST" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+khost \- Simple DNS lookup utility
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH SYNOPSIS
+.sp
+\fBkhost\fP [\fIoptions\fP] \fIname\fP [\fIserver\fP]
+.SH DESCRIPTION
+.sp
+This utility sends a DNS query for the \fIname\fP to the \fIserver\fP and prints a reply
+in more user\-readable form. For more advanced DNS queries use \fBkdig\fP
+instead.
+.SS Parameters
+.INDENT 0.0
+.TP
+\fIname\fP
+Is a domain name that is to be looked up. If the \fIname\fP is IPv4 or IPv6
+address the PTR query type is used.
+.TP
+\fIserver\fP
+Is a name or an address of the nameserver to send a query to. The address
+can be specified using [address]:port notation. If no server is specified,
+the servers from \fB/etc/resolv.conf\fP are used.
+.UNINDENT
+.sp
+If no arguments are provided, \fBkhost\fP prints a short help.
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-4\fP
+Use the IPv4 protocol only.
+.TP
+\fB\-6\fP
+Use the IPv6 protocol only.
+.TP
+\fB\-a\fP
+Send ANY query with verbose mode.
+.TP
+\fB\-d\fP
+Enable debug messages.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-r\fP
+Disable recursion.
+.TP
+\fB\-T\fP
+Use the TCP protocol.
+.TP
+\fB\-v\fP
+Enable verbose output.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.TP
+\fB\-w\fP
+Wait forever for the reply.
+.TP
+\fB\-c\fP \fIclass\fP
+Set the query class (e.g. CH, CLASS4). The default class is IN.
+.TP
+\fB\-t\fP \fItype\fP
+Set the query type (e.g. NS, IXFR=12345, TYPE65535). The default is to send 3
+queries (A, AAAA and MX).
+.TP
+\fB\-R\fP \fIretries\fP
+The number (>=0) of UDP retries to query a nameserver. The default is 1.
+.TP
+\fB\-W\fP \fIwait\fP
+The time to wait for a reply in seconds. This timeout applies to each query
+try. The default is 2 seconds.
+.UNINDENT
+.SH EXAMPLES
+.INDENT 0.0
+.IP 1. 3
+Get the A, AAAA and MX records for example.com:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ khost example.com
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 2. 3
+Get the reverse record for address 192.0.2.1:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ khost 192.0.2.1
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 3. 3
+Perform a verbose zone transfer for zone example.com:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ khost \-t AXFR \-v example.com
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH FILES
+.sp
+\fB/etc/resolv.conf\fP
+.SH SEE ALSO
+.sp
+\fBkdig(1)\fP, \fBknsupdate(1)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2019, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/kjournalprint.8in b/doc/man/kjournalprint.8in
new file mode 100644
index 0000000..796e54f
--- /dev/null
+++ b/doc/man/kjournalprint.8in
@@ -0,0 +1,92 @@
+.\" Man page generated from reStructuredText.
+.
+.TH "KJOURNALPRINT" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+kjournalprint \- Knot DNS journal print utility
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH SYNOPSIS
+.sp
+\fBkjournalprint\fP [\fIoptions\fP] \fIjournal_db\fP \fIzone_name\fP
+.SH DESCRIPTION
+.sp
+The program prints zone history stored in a journal database. As default,
+changes are colored for terminal.
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-l\fP, \fB\-\-limit\fP \fIlimit\fP
+Limits the number of displayed changes.
+.TP
+\fB\-d\fP, \fB\-\-debug\fP
+Debug mode brief output.
+.TP
+\fB\-n\fP, \fB\-\-no\-color\fP
+Removes changes coloring.
+.TP
+\fB\-z\fP, \fB\-\-zone\-list\fP
+Instead of reading jurnal, display the list of zones in the DB.
+(\fIzone_name\fP not needed)
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.UNINDENT
+.SS Parameters
+.INDENT 0.0
+.TP
+\fIjournal_db\fP
+A path to the journal database.
+.TP
+\fIzone_name\fP
+A name of the zone to print the history for.
+.UNINDENT
+.SH EXAMPLES
+.sp
+Last (most recent) 5 changes without colors:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ kjournalprint \-nl 5 /var/lib/knot/journal example.com.
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBknotd(8)\fP, \fBknot.conf(5)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2019, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5in
new file mode 100644
index 0000000..9eac7bc
--- /dev/null
+++ b/doc/man/knot.conf.5in
@@ -0,0 +1,1401 @@
+.\" Man page generated from reStructuredText.
+.
+.TH "KNOT.CONF" "5" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+knot.conf \- Knot DNS configuration file
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH DESCRIPTION
+.sp
+Configuration files for Knot DNS use simplified YAML format. Simplified means
+that not all of the features are supported.
+.sp
+For the description of configuration items, we have to declare a meaning of
+the following symbols:
+.INDENT 0.0
+.IP \(bu 2
+\fIINT\fP – Integer
+.IP \(bu 2
+\fISTR\fP – Textual string
+.IP \(bu 2
+\fIHEXSTR\fP – Hexadecimal string (with \fB0x\fP prefix)
+.IP \(bu 2
+\fIBOOL\fP – Boolean value (\fBon\fP/\fBoff\fP or \fBtrue\fP/\fBfalse\fP)
+.IP \(bu 2
+\fITIME\fP – Number of seconds, an integer with possible time multiplier suffix
+(\fBs\fP ~ 1, \fBm\fP ~ 60, \fBh\fP ~ 3600 or \fBd\fP ~ 24 * 3600)
+.IP \(bu 2
+\fISIZE\fP – Number of bytes, an integer with possible size multiplier suffix
+(\fBB\fP ~ 1, \fBK\fP ~ 1024, \fBM\fP ~ 1024^2 or \fBG\fP ~ 1024^3)
+.IP \(bu 2
+\fIBASE64\fP – Base64 encoded string
+.IP \(bu 2
+\fIADDR\fP – IPv4 or IPv6 address
+.IP \(bu 2
+\fIDNAME\fP – Domain name
+.IP \(bu 2
+\&... – Multi\-valued item, order of the values is preserved
+.IP \(bu 2
+[ ] – Optional value
+.IP \(bu 2
+| – Choice
+.UNINDENT
+.sp
+There are 12 main sections (\fBmodule\fP, \fBserver\fP, \fBcontrol\fP, \fBlog\fP,
+\fBstatistics\fP, \fBkeystore\fP, \fBpolicy\fP, \fBkey\fP, \fBacl\fP, \fBremote\fP,
+\fBtemplate\fP, and \fBzone\fP) and module sections with the \fBmod\-\fP prefix.
+Most of the sections (excluding \fBserver\fP, \fBcontrol\fP, and \fBstatistics\fP)
+are sequences of settings blocks. Each settings block begins with a unique identifier,
+which can be used as a reference from other sections (such identifier
+must be defined in advance).
+.sp
+A multi\-valued item can be specified either as a YAML sequence:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+address: [10.0.0.1, 10.0.0.2]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+or as more single\-valued items each on an extra line:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+address: 10.0.0.1
+address: 10.0.0.2
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If an item value contains spaces or other special characters, it is necessary
+to enclose such value within double quotes \fB"\fP \fB"\fP\&.
+.SH COMMENTS
+.sp
+A comment begins with a \fB#\fP character and is ignored during processing.
+Also each configuration section or sequence block allows a permanent
+comment using the \fBcomment\fP item which is stored in the server beside the
+configuration.
+.SH INCLUDES
+.sp
+Another configuration file or files, matching a pattern, can be included at
+the top level in the current file. If the path is not absolute, then it
+is considered to be relative to the current file. The pattern can be
+an arbitrary string meeting POSIX \fIglob\fP requirements, e.g. dir/*.conf.
+Matching files are processed in sorted order.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+include: STR
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH MODULE SECTION
+.sp
+Dynamic modules loading configuration.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+If configured with non\-empty \fB\(ga\-\-with\-moduledir=path\(ga\fP parameter, all
+shared modules in this directory will be automatically loaded.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+module:
+ \- id: STR
+ file: STR
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+A module identifier in the form of the \fBmod\-\fP prefix and module name suffix.
+.SS file
+.sp
+A path to a shared library file with the module implementation.
+.sp
+\fIDefault:\fP \fB${libdir}/knot/modules\-${version}\fP/module_name.so
+(or \fB${path}\fP/module_name.so if configured with \fB\-\-with\-moduledir=path\fP)
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+If the path is not absolute, the library is searched in the set of
+system directories. See \fBman dlopen\fP for more details.
+.UNINDENT
+.UNINDENT
+.SH SERVER SECTION
+.sp
+General options related to the server.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+server:
+ identity: [STR]
+ version: [STR]
+ nsid: [STR|HEXSTR]
+ rundir: STR
+ user: STR[:STR]
+ pidfile: STR
+ udp\-workers: INT
+ tcp\-workers: INT
+ background\-workers: INT
+ async\-start: BOOL
+ tcp\-handshake\-timeout: TIME
+ tcp\-idle\-timeout: TIME
+ tcp\-reply\-timeout: TIME
+ max\-tcp\-clients: INT
+ max\-udp\-payload: SIZE
+ max\-ipv4\-udp\-payload: SIZE
+ max\-ipv6\-udp\-payload: SIZE
+ edns\-client\-subnet: BOOL
+ answer\-rotation: BOOL
+ listen: ADDR[@INT] ...
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS identity
+.sp
+An identity of the server returned in the response to the query for TXT
+record \fBid.server.\fP or \fBhostname.bind.\fP in the CHAOS class (\fI\%RFC 4892\fP).
+Set empty value to disable.
+.sp
+\fIDefault:\fP FQDN hostname
+.SS version
+.sp
+A version of the server software returned in the response to the query
+for TXT record \fBversion.server.\fP or \fBversion.bind.\fP in the CHAOS
+class (\fI\%RFC 4892\fP). Set empty value to disable.
+.sp
+\fIDefault:\fP server version
+.SS nsid
+.sp
+A DNS name server identifier (\fI\%RFC 5001\fP). Set empty value to disable.
+.sp
+\fIDefault:\fP FQDN hostname
+.SS rundir
+.sp
+A path for storing run\-time data (PID file, unix sockets, etc.).
+.sp
+\fIDefault:\fP \fB${localstatedir}/run/knot\fP (configured with \fB\-\-with\-rundir=path\fP)
+.SS user
+.sp
+A system user with an optional system group (\fBuser:group\fP) under which the
+server is run after starting and binding to interfaces. Linux capabilities
+are employed if supported.
+.sp
+\fIDefault:\fP root:root
+.SS pidfile
+.sp
+A PID file location.
+.sp
+\fIDefault:\fP \fI\%rundir\fP/knot.pid
+.SS udp\-workers
+.sp
+A number of UDP workers (threads) used to process incoming queries
+over UDP.
+.sp
+\fIDefault:\fP auto\-estimated optimal value based on the number of online CPUs
+.SS tcp\-workers
+.sp
+A number of TCP workers (threads) used to process incoming queries
+over TCP.
+.sp
+\fIDefault:\fP auto\-estimated optimal value based on the number of online CPUs
+.SS background\-workers
+.sp
+A number of workers (threads) used to execute background operations (zone
+loading, zone updates, etc.).
+.sp
+\fIDefault:\fP auto\-estimated optimal value based on the number of online CPUs
+.SS async\-start
+.sp
+If enabled, server doesn\(aqt wait for the zones to be loaded and starts
+responding immediately with SERVFAIL answers until the zone loads.
+.sp
+\fIDefault:\fP off
+.SS tcp\-handshake\-timeout
+.sp
+Maximum time between newly accepted TCP connection and the first query.
+This is useful to disconnect inactive connections faster than connections
+that already made at least 1 meaningful query.
+.sp
+\fIDefault:\fP 5
+.SS tcp\-idle\-timeout
+.sp
+Maximum idle time between requests on a TCP connection. This also limits
+receiving of a single query, each query must be received in this time limit.
+.sp
+\fIDefault:\fP 20
+.SS tcp\-reply\-timeout
+.sp
+Maximum time to wait for an outgoing connection or for a reply to an issued
+request (SOA, NOTIFY, AXFR...).
+.sp
+\fIDefault:\fP 10
+.SS max\-tcp\-clients
+.sp
+A maximum number of TCP clients connected in parallel, set this below the file
+descriptor limit to avoid resource exhaustion.
+.sp
+\fIDefault:\fP 100
+.SS max\-udp\-payload
+.sp
+Maximum EDNS0 UDP payload size default for both IPv4 and IPv6.
+.sp
+\fIDefault:\fP 4096
+.SS max\-ipv4\-udp\-payload
+.sp
+Maximum EDNS0 UDP payload size for IPv4.
+.sp
+\fIDefault:\fP 4096
+.SS max\-ipv6\-udp\-payload
+.sp
+Maximum EDNS0 UDP payload size for IPv6.
+.sp
+\fIDefault:\fP 4096
+.SS edns\-client\-subnet
+.sp
+Enable or disable EDNS Client Subnet support. If enabled, responses to queries
+containing the EDNS Client Subnet option
+always contain a valid EDNS Client Subnet option according to \fI\%RFC 7871\fP\&.
+.sp
+\fIDefault:\fP off
+.SS answer\-rotation
+.sp
+Enable or disable sorted\-rrset rotation in the answer section of normal replies.
+The rotation shift is simply determined by a query ID.
+.sp
+\fIDefault:\fP off
+.SS listen
+.sp
+One or more IP addresses where the server listens for incoming queries.
+Optional port specification (default is 53) can be appended to each address
+using \fB@\fP separator. Use \fB0.0.0.0\fP for all configured IPv4 addresses or
+\fB::\fP for all configured IPv6 addresses.
+.sp
+\fIDefault:\fP not set
+.SH KEY SECTION
+.sp
+Shared TSIG keys used to authenticate communication with the server.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+key:
+ \- id: DNAME
+ algorithm: hmac\-md5 | hmac\-sha1 | hmac\-sha224 | hmac\-sha256 | hmac\-sha384 | hmac\-sha512
+ secret: BASE64
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+A key name identifier.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This value MUST be exactly the same as the name of the TSIG key on the
+opposite master/slave server(s).
+.UNINDENT
+.UNINDENT
+.SS algorithm
+.sp
+A TSIG key algorithm. See
+\fI\%TSIG Algorithm Numbers\fP\&.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBhmac\-md5\fP
+.IP \(bu 2
+\fBhmac\-sha1\fP
+.IP \(bu 2
+\fBhmac\-sha224\fP
+.IP \(bu 2
+\fBhmac\-sha256\fP
+.IP \(bu 2
+\fBhmac\-sha384\fP
+.IP \(bu 2
+\fBhmac\-sha512\fP
+.UNINDENT
+.sp
+\fIDefault:\fP not set
+.SS secret
+.sp
+Shared key secret.
+.sp
+\fIDefault:\fP not set
+.SH ACL SECTION
+.sp
+Access control list rule definitions. The ACLs are used to match incoming
+connections to allow or deny requested operation (zone transfer request, DDNS
+update, etc.).
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+acl:
+ \- id: STR
+ address: ADDR[/INT] | ADDR\-ADDR ...
+ key: key_id ...
+ action: notify | transfer | update ...
+ deny: BOOL
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+An ACL rule identifier.
+.SS address
+.sp
+An ordered list of IP addresses, network subnets, or network ranges. The query
+must match one of them. Empty value means that address match is not required.
+.sp
+\fIDefault:\fP not set
+.SS key
+.sp
+An ordered list of \fI\%reference\fPs to TSIG keys. The query must
+match one of them. Empty value means that transaction authentication is not used.
+.sp
+\fIDefault:\fP not set
+.SS action
+.sp
+An ordered list of allowed (or denied) actions.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBnotify\fP – Allow incoming notify.
+.IP \(bu 2
+\fBtransfer\fP – Allow zone transfer.
+.IP \(bu 2
+\fBupdate\fP – Allow zone updates.
+.UNINDENT
+.sp
+\fIDefault:\fP not set
+.SS deny
+.sp
+If enabled, instead of allowing, deny the specified \fI\%action\fP,
+\fI\%address\fP, \fI\%key\fP, or combination if these
+items. If no action is specified, deny all actions.
+.sp
+\fIDefault:\fP off
+.SH CONTROL SECTION
+.sp
+Configuration of the server control interface.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+control:
+ listen: STR
+ timeout: TIME
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS listen
+.sp
+A UNIX socket path where the server listens for control commands.
+.sp
+\fIDefault:\fP \fI\%rundir\fP/knot.sock
+.SS timeout
+.sp
+Maximum time the control socket operations can take. Set 0 for infinity.
+.sp
+\fIDefault:\fP 5
+.SH STATISTICS SECTION
+.sp
+Periodic server statistics dumping.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+statistics:
+ timer: TIME
+ file: STR
+ append: BOOL
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS timer
+.sp
+A period after which all available statistics metrics will by written to the
+\fI\%file\fP\&.
+.sp
+\fIDefault:\fP not set
+.SS file
+.sp
+A file path of statistics output in the YAML format.
+.sp
+\fIDefault:\fP \fI\%rundir\fP/stats.yaml
+.SS append
+.sp
+If enabled, the output will be appended to the \fI\%file\fP
+instead of file replacement.
+.sp
+\fIDefault:\fP off
+.SH KEYSTORE SECTION
+.sp
+DNSSEC keystore configuration.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+keystore:
+ \- id: STR
+ backend: pem | pkcs11
+ config: STR
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+A keystore identifier.
+.SS backend
+.sp
+A key storage backend type.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBpem\fP – PEM files.
+.IP \(bu 2
+\fBpkcs11\fP – PKCS #11 storage.
+.UNINDENT
+.sp
+\fIDefault:\fP pem
+.SS config
+.sp
+A backend specific configuration. A directory with PEM files (the path can
+be specified as a relative path to \fI\%kasp\-db\fP) or
+a configuration string for PKCS #11 storage (\fI<pkcs11\-url> <module\-path>\fP).
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Example configuration string for PKCS #11:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+"pkcs11:token=knot;pin\-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fI\%kasp\-db\fP/keys
+.SH SUBMISSION SECTION
+.sp
+Parameters of KSK submission checks.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+submission:
+ \- id: STR
+ parent: remote_id ...
+ check\-interval: TIME
+ timeout: TIME
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+A submission identifier.
+.SS parent
+.sp
+A list of \fI\%references\fP to parent\(aqs DNS servers to be checked for
+presence of corresponding DS records in the case of KSK submission. All of them must
+have a corresponding DS for the rollover to continue. If none is specified, the
+rollover must be pushed forward manually.
+.sp
+\fIDefault:\fP not set
+.sp
+\fBTIP:\fP
+.INDENT 0.0
+.INDENT 3.5
+A DNSSEC\-validating resolver can be set as a parent.
+.UNINDENT
+.UNINDENT
+.SS check\-interval
+.sp
+Interval for periodic checks of DS presence on parent\(aqs DNS servers, in the
+case of the KSK submission.
+.sp
+\fIDefault:\fP 1 hour
+.SS timeout
+.sp
+After this period, the KSK submission is automatically considered successful, even
+if all the checks were negative or no parents are configured. Set 0 for infinity.
+.sp
+\fIDefault:\fP 0
+.SH POLICY SECTION
+.sp
+DNSSEC policy configuration.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+policy:
+ \- id: STR
+ keystore: STR
+ manual: BOOL
+ single\-type\-signing: BOOL
+ algorithm: rsasha1 | rsasha1\-nsec3\-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519
+ ksk\-size: SIZE
+ zsk\-size: SIZE
+ ksk\-shared: BOOL
+ dnskey\-ttl: TIME
+ zsk\-lifetime: TIME
+ ksk\-lifetime: TIME
+ propagation\-delay: TIME
+ rrsig\-lifetime: TIME
+ rrsig\-refresh: TIME
+ nsec3: BOOL
+ nsec3\-iterations: INT
+ nsec3\-opt\-out: BOOL
+ nsec3\-salt\-length: INT
+ nsec3\-salt\-lifetime: TIME
+ ksk\-submission: submission_id
+ cds\-cdnskey\-publish: none | delete\-dnssec | rollover | always
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+A policy identifier.
+.SS keystore
+.sp
+A \fI\%reference\fP to a keystore holding private key material
+for zones. A special \fIdefault\fP value can be used for the default keystore settings.
+.sp
+\fIDefault:\fP default
+.SS manual
+.sp
+If enabled, automatic key management is not used.
+.sp
+\fIDefault:\fP off
+.SS single\-type\-signing
+.sp
+If enabled, Single\-Type Signing Scheme is used in the automatic key management
+mode.
+.sp
+\fIDefault:\fP off
+.SS algorithm
+.sp
+An algorithm of signing keys and issued signatures. See
+\fI\%DNSSEC Algorithm Numbers\fP\&.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBrsasha1\fP
+.IP \(bu 2
+\fBrsasha1\-nsec3\-sha1\fP
+.IP \(bu 2
+\fBrsasha256\fP
+.IP \(bu 2
+\fBrsasha512\fP
+.IP \(bu 2
+\fBecdsap256sha256\fP
+.IP \(bu 2
+\fBecdsap384sha384\fP
+.IP \(bu 2
+\fBed25519\fP
+.UNINDENT
+.sp
+\fIDefault:\fP ecdsap256sha256
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Ed25519 algorithm is only available when compiled with GnuTLS 3.6.0+.
+.UNINDENT
+.UNINDENT
+.SS ksk\-size
+.sp
+A length of newly generated KSK or
+CSK keys.
+.sp
+\fIDefault:\fP 2048 (rsa*), 256 (ecdsap256), 384 (ecdsap384), 256 (ed25519)
+.SS zsk\-size
+.sp
+A length of newly generated ZSK keys.
+.sp
+\fIDefault:\fP see default for \fI\%ksk\-size\fP
+.SS ksk\-shared
+.sp
+If enabled, all zones with this policy assigned will share one KSK.
+.sp
+\fIDefault:\fP off
+.SS dnskey\-ttl
+.sp
+A TTL value for DNSKEY records added into zone apex.
+.sp
+\fIDefault:\fP zone SOA TTL
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Has infuence over ZSK key lifetime.
+.UNINDENT
+.UNINDENT
+.SS zsk\-lifetime
+.sp
+A period between ZSK publication and the next rollover initiation.
+.sp
+\fIDefault:\fP 30 days
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+ZSK key lifetime is also infuenced by propagation\-delay and dnskey\-ttl
+.sp
+Zero (aka infinity) value causes no ZSK rollover as a result.
+.UNINDENT
+.UNINDENT
+.SS ksk\-lifetime
+.sp
+A period between KSK publication and the next rollover initiation.
+.sp
+\fIDefault:\fP 0
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+KSK key lifetime is also infuenced by propagation\-delay, dnskey\-ttl,
+and KSK submission delay.
+.sp
+Zero (aka infinity) value causes no KSK rollover as a result.
+.sp
+This applies for CSK lifetime if single\-type\-signing is enabled.
+.UNINDENT
+.UNINDENT
+.SS propagation\-delay
+.sp
+An extra delay added for each key rollover step. This value should be high
+enough to cover propagation of data from the master server to all slaves.
+.sp
+\fIDefault:\fP 1 hour
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Has infuence over ZSK key lifetime.
+.UNINDENT
+.UNINDENT
+.SS rrsig\-lifetime
+.sp
+A validity period of newly issued signatures.
+.sp
+\fIDefault:\fP 14 days
+.SS rrsig\-refresh
+.sp
+A period how long before a signature expiration the signature will be refreshed.
+.sp
+\fIDefault:\fP 7 days
+.SS nsec3
+.sp
+Specifies if NSEC3 will be used instead of NSEC.
+.sp
+\fIDefault:\fP off
+.SS nsec3\-iterations
+.sp
+A number of additional times the hashing is performed.
+.sp
+\fIDefault:\fP 5
+.SS nsec3\-opt\-out
+.sp
+If set, NSEC3 records won\(aqt be created for insecure delegations.
+This speeds up the zone signing and reduces overall zone size.
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+NSEC3 with the Opt\-Out bit set no longer works as a proof of non\-existence
+in this zone.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP off
+.SS nsec3\-salt\-length
+.sp
+A length of a salt field in octets, which is appended to the original owner
+name before hashing.
+.sp
+\fIDefault:\fP 8
+.SS nsec3\-salt\-lifetime
+.sp
+A validity period of newly issued salt field.
+.sp
+\fIDefault:\fP 30 days
+.SS ksk\-submission
+.sp
+A reference to \fI\%submission\fP section holding parameters of
+KSK submittion checks.
+.sp
+\fIDefault:\fP not set
+.SS cds\-cdnskey\-publish
+.sp
+Controls if and how shall the CDS and CDNSKEY be published in the zone.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This only applies if the zone keys are automatically managed by the server.
+.UNINDENT
+.UNINDENT
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBnone\fP – Never publish any CDS or CDNSKEY records in the zone.
+.IP \(bu 2
+\fBdelete\-dnssec\fP – Publish special CDS and CDNSKEY records indicating turning off DNSSEC.
+.IP \(bu 2
+\fBrollover\fP – Publish CDS and CDNSKEY records only in the submission phase of KSK rollover.
+.IP \(bu 2
+\fBalways\fP – Always publish CDS and CDNSKEY records for the current KSK.
+.UNINDENT
+.sp
+\fIDefault:\fP always
+.SH REMOTE SECTION
+.sp
+Definitions of remote servers for outgoing connections (source of a zone
+transfer, target for a notification, etc.).
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+remote:
+ \- id: STR
+ address: ADDR[@INT] ...
+ via: ADDR[@INT] ...
+ key: key_id
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+A remote identifier.
+.SS address
+.sp
+An ordered list of destination IP addresses which are used for communication
+with the remote server. The addresses are tried in sequence unless the
+operation is successful. Optional destination port (default is 53)
+can be appended to the address using \fB@\fP separator.
+.sp
+\fIDefault:\fP not set
+.SS via
+.sp
+An ordered list of source IP addresses. The first address with the same family
+as the destination address is used. Optional source port (default is random)
+can be appended to the address using \fB@\fP separator.
+.sp
+\fIDefault:\fP not set
+.SS key
+.sp
+A \fI\%reference\fP to the TSIG key which is used to authenticate
+the communication with the remote server.
+.sp
+\fIDefault:\fP not set
+.SH TEMPLATE SECTION
+.sp
+A template is a shareable zone setting which can be used for configuration of
+many zones in one place. A special default template (with the \fIdefault\fP identifier)
+can be used for global querying configuration or as an implicit configuration
+if a zone doesn\(aqt have another template specified.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+template:
+ \- id: STR
+ timer\-db: STR
+ max\-timer\-db\-size: SIZE
+ journal\-db: STR
+ journal\-db\-mode: robust | asynchronous
+ max\-journal\-db\-size: SIZE
+ kasp\-db: STR
+ max\-kasp\-db\-size: SIZE
+ global\-module: STR/STR ...
+ # All zone options (excluding \(aqtemplate\(aq item)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+A template identifier.
+.SS timer\-db
+.sp
+Specifies a path of the persistent timer database. The path can be specified
+as a relative path to the \fIdefault\fP template \fI\%storage\fP\&.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option is only available in the \fIdefault\fP template.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fI\%storage\fP/timers
+.SS max\-timer\-db\-size
+.sp
+Hard limit for the timer database maximum size.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option is only available in the \fIdefault\fP template.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP 100 MiB
+.SS journal\-db
+.sp
+Specifies a path of the persistent journal database. The path can be specified
+as a relative path to the \fIdefault\fP template \fI\%storage\fP\&.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option is only available in the \fIdefault\fP template.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fI\%storage\fP/journal
+.SS journal\-db\-mode
+.sp
+Specifies journal LMDB backend configuration, which influences performance
+and durability.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBrobust\fP – The journal DB disk sychronization ensures DB durability but is
+generally slower.
+.IP \(bu 2
+\fBasynchronous\fP – The journal DB disk synchronization is optimized for
+better performance at the expense of lower DB durability; this mode is
+recommended only on slave nodes with many zones.
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option is only available in the \fIdefault\fP template.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP robust
+.SS max\-journal\-db\-size
+.sp
+Hard limit for the common journal DB. There is no cleanup logic in journal
+to recover from reaching this limit: journal simply starts refusing changes
+across all zones. Decreasing this value has no effect if lower than actual
+DB file size.
+.sp
+It is recommended to limit \fI\%max\-journal\-usage\fP
+per\-zone instead of max\-journal\-size in most cases. Please keep this value
+larger than the sum of all zones\(aq journal usage limits. See more details
+regarding journal behaviour\&.
+.sp
+This value also influences server\(aqs usage of virtual memory.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option is only available in the \fIdefault\fP template.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP 20 GiB (1 GiB for 32\-bit)
+.SS kasp\-db
+.sp
+A KASP database path. Non\-absolute path is relative to
+\fI\%storage\fP\&.
+.sp
+\fIDefault:\fP \fI\%storage\fP/keys
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option is only available in the \fIdefault\fP template.
+.UNINDENT
+.UNINDENT
+.SS max\-kasp\-db\-size
+.sp
+Hard limit for the KASP database maximum size.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option is only available in the \fIdefault\fP template.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP 500 MiB
+.SS global\-module
+.sp
+An ordered list of references to query modules in the form of \fImodule_name\fP or
+\fImodule_name/module_id\fP\&. These modules apply to all queries.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option is only available in the \fIdefault\fP template.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP not set
+.SH ZONE SECTION
+.sp
+Definition of zones served by the server.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+zone:
+ \- domain: DNAME
+ template: template_id
+ storage: STR
+ file: STR
+ master: remote_id ...
+ ddns\-master: remote_id
+ notify: remote_id ...
+ acl: acl_id ...
+ semantic\-checks: BOOL
+ disable\-any: BOOL
+ zonefile\-sync: TIME
+ zonefile\-load: none | difference | difference\-no\-serial | whole
+ journal\-content: none | changes | all
+ max\-journal\-usage: SIZE
+ max\-journal\-depth: INT
+ max\-zone\-size : SIZE
+ dnssec\-signing: BOOL
+ dnssec\-policy: STR
+ request\-edns\-option: INT:[HEXSTR]
+ serial\-policy: increment | unixtime | dateserial
+ min\-refresh\-interval: TIME
+ max\-refresh\-interval: TIME
+ module: STR/STR ...
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS domain
+.sp
+A zone name identifier.
+.SS template
+.sp
+A \fI\%reference\fP to a configuration template.
+.sp
+\fIDefault:\fP not set or \fIdefault\fP (if the template exists)
+.SS storage
+.sp
+A data directory for storing zone files, journal database, and timers database.
+.sp
+\fIDefault:\fP \fB${localstatedir}/lib/knot\fP (configured with \fB\-\-with\-storage=path\fP)
+.SS file
+.sp
+A path to the zone file. Non\-absolute path is relative to
+\fI\%storage\fP\&. It is also possible to use the following formatters:
+.INDENT 0.0
+.IP \(bu 2
+\fB%c[\fP\fIN\fP\fB]\fP or \fB%c[\fP\fIN\fP\fB\-\fP\fIM\fP\fB]\fP – Means the \fIN\fPth
+character or a sequence of characters beginning from the \fIN\fPth and ending
+with the \fIM\fPth character of the textual zone name (see \fB%s\fP). The
+indexes are counted from 0 from the left. All dots (including the terminal
+one) are considered. If the character is not available, the formatter has no effect.
+.IP \(bu 2
+\fB%l[\fP\fIN\fP\fB]\fP – Means the \fIN\fPth label of the textual zone name
+(see \fB%s\fP). The index is counted from 0 from the right (0 ~ TLD).
+If the label is not available, the formatter has no effect.
+.IP \(bu 2
+\fB%s\fP – Means the current zone name in the textual representation.
+The zone name doesn\(aqt include the terminating dot (the result for the root
+zone is the empty string!).
+.IP \(bu 2
+\fB%%\fP – Means the \fB%\fP character.
+.UNINDENT
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+Beware of special characters which are escaped or encoded in the \eDDD form
+where DDD is corresponding decimal ASCII code.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fI\%storage\fP/\fB%s\fP\&.zone
+.SS master
+.sp
+An ordered list of \fI\%references\fP to zone master servers.
+.sp
+\fIDefault:\fP not set
+.SS ddns\-master
+.sp
+A \fI\%reference\fP to zone primary master server.
+If not specified, the first \fI\%master\fP server is used.
+.sp
+\fIDefault:\fP not set
+.SS notify
+.sp
+An ordered list of \fI\%references\fP to remotes to which notify
+message is sent if the zone changes.
+.sp
+\fIDefault:\fP not set
+.SS acl
+.sp
+An ordered list of \fI\%references\fP to ACL rules which can allow
+or disallow zone transfers, updates or incoming notifies.
+.sp
+\fIDefault:\fP not set
+.SS semantic\-checks
+.sp
+If enabled, extra zone semantic checks are turned on.
+.sp
+Several checks are enabled by default and cannot be turned off. An error in
+mandatory checks causes zone not to be loaded. An error in extra checks is
+logged only.
+.sp
+Mandatory checks:
+.INDENT 0.0
+.IP \(bu 2
+SOA record missing in the zone (\fI\%RFC 1034\fP)
+.IP \(bu 2
+An extra record together with CNAME record except for RRSIG and DS (\fI\%RFC 1034\fP)
+.IP \(bu 2
+Multiple CNAME record with the same owner
+.IP \(bu 2
+DNAME record having a record under it (\fI\%RFC 2672\fP)
+.UNINDENT
+.sp
+Extra checks:
+.INDENT 0.0
+.IP \(bu 2
+Missing NS record at the zone apex
+.IP \(bu 2
+Missing glue A or AAAA record
+.IP \(bu 2
+Invalid DNSKEY, DS, or NSEC3PARAM record
+.IP \(bu 2
+CDS or CDNSKEY inconsistency
+.IP \(bu 2
+Missing, invalid, or unverifiable RRSIG record
+.IP \(bu 2
+Invalid NSEC(3) record
+.IP \(bu 2
+Broken or non\-cyclic NSEC(3) chain
+.UNINDENT
+.sp
+\fIDefault:\fP off
+.SS disable\-any
+.sp
+If enabled, all authoritative ANY queries sent over UDP will be answered
+with an empty response and with the TC bit set. Use this option to minimize
+the risk of DNS reflection attack.
+.sp
+\fIDefault:\fP off
+.SS zonefile\-sync
+.sp
+The time after which the current zone in memory will be synced with a zone file
+on the disk (see \fI\%file\fP). The server will serve the latest
+zone even after a restart using zone journal, but the zone file on the disk will
+only be synced after \fBzonefile\-sync\fP time has expired (or after manual zone
+flush). This is applicable when the zone is updated via IXFR, DDNS or automatic
+DNSSEC signing. In order to completely disable automatic zone file synchronization,
+set the value to \-1. In that case, it is still possible to force a manual zone flush
+using the \fB\-f\fP option.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+If you are serving large zones with frequent updates where
+the immediate sync with a zone file is not desirable, increase the value.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP 0 (immediate)
+.SS zonefile\-load
+.sp
+Selects how the zone file contents are applied during zone load.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBnone\fP – The zone file is not used at all.
+.IP \(bu 2
+\fBdifference\fP – If the zone contents are already available during server start or reload,
+the difference is computed between them and the contents of the zone file. This difference
+is then checked for semantic errors and
+applied to the current zone contents.
+.IP \(bu 2
+\fBdifference\-no\-serial\fP – Same as \fBdifference\fP, but the SOA serial in the zone file is
+ignored, the server takes care of incrementing the serial automatically.
+.IP \(bu 2
+\fBwhole\fP – Zone contents are loaded from the zone file.
+.UNINDENT
+.sp
+When \fBdifference\fP is configured and there are no zone contents yet (cold start of Knot
+and no zone contents in journal), it behaves the same way like \fBwhole\fP\&.
+.sp
+\fIDefault:\fP whole
+.SS journal\-content
+.sp
+Selects how the journal shall be used to store zone and its changes.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBnone\fP – The journal is not used at all.
+.IP \(bu 2
+\fBchanges\fP – Zone changes history is stored in journal.
+.IP \(bu 2
+\fBall\fP – Zone contents and history is stored in journal.
+.UNINDENT
+.sp
+\fIDefault:\fP changes
+.SS max\-journal\-usage
+.sp
+Policy how much space in journal DB will the zone\(aqs journal occupy.
+.sp
+\fIDefault:\fP 100 MiB
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Journal DB may grow far above the sum of max\-journal\-usage across
+all zones, because of DB free space fragmentation.
+.UNINDENT
+.UNINDENT
+.SS max\-journal\-depth
+.sp
+Maximum history length of journal.
+.sp
+\fIMinimum:\fP 2
+.sp
+\fIDefault:\fP 2^64
+.SS max\-zone\-size
+.sp
+Maximum size of the zone. The size is measured as size of the zone records
+in wire format without compression. The limit is enforced for incoming zone
+transfers and dynamic updates.
+.sp
+For incremental transfers (IXFR), the effective limit for the total size of
+the records in the transfer is twice the configured value. However the final
+size of the zone must satisfy the configured value.
+.sp
+\fIDefault:\fP 2^64
+.SS dnssec\-signing
+.sp
+If enabled, automatic DNSSEC signing for the zone is turned on.
+.sp
+\fIDefault:\fP off
+.SS dnssec\-policy
+.sp
+A \fI\%reference\fP to DNSSEC signing policy. A special \fIdefault\fP
+value can be used for the default policy settings.
+.sp
+\fIRequired\fP
+.SS request\-edns\-option
+.sp
+An arbitrary EDNS0 option which is included into a server request (AXFR, IXFR,
+SOA, or NOTIFY). The value is in the option_code:option_data format.
+.sp
+\fIDefault:\fP not set
+.SS serial\-policy
+.sp
+Specifies how the zone serial is updated after a dynamic update or
+automatic DNSSEC signing. If the serial is changed by the dynamic update,
+no change is made.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBincrement\fP – The serial is incremented according to serial number arithmetic.
+.IP \(bu 2
+\fBunixtime\fP – The serial is set to the current unix time.
+.IP \(bu 2
+\fBdateserial\fP – The 10\-digit serial (YYYYMMDDnn) is incremented, the first
+8 digits match the current iso\-date.
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+In case of \fBunixtime\fP, if the resulting serial is lower or equal than current zone
+(this happens e.g. in case of migrating from other policy or frequent updates)
+the serial is incremented instead.
+.sp
+Use dateserial only if you expect less than 100 updates per day per zone.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP increment
+.SS min\-refresh\-interval
+.sp
+Forced minimum zone refresh interval to avoid flooding master.
+.sp
+\fIDefault:\fP 2
+.SS max\-refresh\-interval
+.sp
+Forced maximum zone refresh interval.
+.sp
+\fIDefault:\fP not set
+.SS module
+.sp
+An ordered list of references to query modules in the form of \fImodule_name\fP or
+\fImodule_name/module_id\fP\&. These modules apply only to the current zone queries.
+.sp
+\fIDefault:\fP not set
+.SH LOGGING SECTION
+.sp
+Server can be configured to log to the standard output, standard error
+output, syslog (or systemd journal if systemd is enabled) or into an arbitrary
+file.
+.sp
+There are 6 logging severity levels:
+.INDENT 0.0
+.IP \(bu 2
+\fBcritical\fP – Non\-recoverable error resulting in server shutdown.
+.IP \(bu 2
+\fBerror\fP – Recoverable error, action should be taken.
+.IP \(bu 2
+\fBwarning\fP – Warning that might require user action.
+.IP \(bu 2
+\fBnotice\fP – Server notice or hint.
+.IP \(bu 2
+\fBinfo\fP – Informational message.
+.IP \(bu 2
+\fBdebug\fP – Debug messages (must be turned on at compile time).
+.UNINDENT
+.sp
+In the case of missing log section, \fBwarning\fP or more serious messages
+will be logged to both standard error output and syslog. The \fBinfo\fP and
+\fBnotice\fP messages will be logged to standard output.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+log:
+ \- target: stdout | stderr | syslog | STR
+ server: critical | error | warning | notice | info | debug
+ control: critical | error | warning | notice | info | debug
+ zone: critical | error | warning | notice | info | debug
+ any: critical | error | warning | notice | info | debug
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS target
+.sp
+A logging output.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBstdout\fP – Standard output.
+.IP \(bu 2
+\fBstderr\fP – Standard error output.
+.IP \(bu 2
+\fBsyslog\fP – Syslog.
+.IP \(bu 2
+\fIfile_name\fP – A specific file.
+.UNINDENT
+.SS server
+.sp
+Minimum severity level for messages related to general operation of the server
+that are logged.
+.sp
+\fIDefault:\fP not set
+.SS control
+.sp
+Minimum severity level for messages related to server control that are logged.
+.sp
+\fIDefault:\fP not set
+.SS zone
+.sp
+Minimum severity level for messages related to zones that are logged.
+.sp
+\fIDefault:\fP not set
+.SS any
+.sp
+Minimum severity level for all message types that are logged.
+.sp
+\fIDefault:\fP not set
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2019, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/knotc.8in b/doc/man/knotc.8in
new file mode 100644
index 0000000..88fedb9
--- /dev/null
+++ b/doc/man/knotc.8in
@@ -0,0 +1,324 @@
+.\" Man page generated from reStructuredText.
+.
+.TH "KNOTC" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+knotc \- Knot DNS control utility
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH SYNOPSIS
+.sp
+\fBknotc\fP [\fIparameters\fP] \fIaction\fP [\fIaction_args\fP]
+.SH DESCRIPTION
+.sp
+If no \fIaction\fP is specified, the program is executed in interactive mode.
+.SS Parameters
+.INDENT 0.0
+.TP
+\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
+Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+.TP
+\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
+Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+The default configuration database, if exists, has a preference to the default
+configuration file.
+.TP
+\fB\-m\fP, \fB\-\-max\-conf\-size\fP \fIMiB\fP
+Set maximum configuration size (default is @conf_mapsize@ MiB, maximum 10000 MiB).
+.TP
+\fB\-s\fP, \fB\-\-socket\fP \fIpath\fP
+Use a control UNIX socket path (default is \fB@run_dir@/knot.sock\fP).
+.TP
+\fB\-t\fP, \fB\-\-timeout\fP \fIseconds\fP
+Use a control timeout in seconds. Set 0 for infinity (default is 10).
+.TP
+\fB\-f\fP, \fB\-\-force\fP
+Forced operation. Overrides some checks.
+.TP
+\fB\-v\fP, \fB\-\-verbose\fP
+Enable debug output.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.UNINDENT
+.SS Actions
+.INDENT 0.0
+.TP
+\fBstatus\fP [\fIdetail\fP]
+Check if the server is running. Details are \fBversion\fP for the running
+server version, \fBworkers\fP for the numbers of worker threads,
+or \fBconfigure\fP for the configure summary.
+.TP
+\fBstop\fP
+Stop the server if running.
+.TP
+\fBreload\fP
+Reload the server configuration and modified zone files. All open zone
+transactions will be aborted!
+.TP
+\fBstats\fP [\fImodule\fP[\fB\&.\fP\fIcounter\fP]]
+Show global statistics counter(s). To print also counters with value 0, use
+force option.
+.TP
+\fBzone\-status\fP \fIzone\fP [\fIfilter\fP]
+Show the zone status. Filters are \fB+role\fP, \fB+serial\fP, \fB+transaction\fP,
+\fB+events\fP, and \fB+freeze\fP\&.
+.TP
+\fBzone\-check\fP [\fIzone\fP\&...]
+Test if the server can load the zone. Semantic checks are executed if enabled
+in the configuration. (*)
+.TP
+\fBzone\-memstats\fP [\fIzone\fP\&...]
+Estimate memory use for the zone. (*)
+.TP
+\fBzone\-reload\fP [\fIzone\fP\&...]
+Trigger a zone reload from a disk without checking its modification time. For
+slave zone, the refresh from a master server is scheduled; for master zone,
+the notification of slave servers is scheduled. An open zone transaction
+will be aborted!
+.TP
+\fBzone\-refresh\fP [\fIzone\fP\&...]
+Trigger a check for the zone serial on the zone\(aqs master. If the master has a
+newer zone, a transfer is scheduled. This command is valid for slave zones.
+.TP
+\fBzone\-retransfer\fP [\fIzone\fP\&...]
+Trigger a zone transfer from the zone\(aqs master. The server doesn\(aqt check the
+serial of the master\(aqs zone. This command is valid for slave zones.
+.TP
+\fBzone\-notify\fP [\fIzone\fP\&...]
+Trigger a NOTIFY message to all configured remotes. This can help in cases
+when previous NOTIFY had been lost or the slaves offline.
+.TP
+\fBzone\-flush\fP [\fIzone\fP\&...] [\fB+outdir\fP \fIdirectory\fP]
+Trigger a zone journal flush into the zone file. If output dir is specified,
+instead of flushing the zonefile, the zone is dumped to a file in the specified
+directory.
+.TP
+\fBzone\-sign\fP [\fIzone\fP\&...]
+Trigger a DNSSEC re\-sign of the zone. Existing signatures will be dropped.
+This command is valid for zones with DNSSEC signing enabled.
+.TP
+\fBzone\-ksk\-submitted\fP \fIzone\fP\&...
+Use when the zone\(aqs KSK rollover is in submittion phase. By calling this command
+the user confirms manually that the parent zone contains DS record for the new
+KSK in submission phase and the old KSK can be retired.
+.TP
+\fBzone\-freeze\fP [\fIzone\fP\&...]
+Temporarily postpone zone\-changing events (load, refresh, update, flush, and
+DNSSEC signing).
+.TP
+\fBzone\-thaw\fP [\fIzone\fP\&...]
+Dismiss zone freeze.
+.TP
+\fBzone\-read\fP \fIzone\fP [\fIowner\fP [\fItype\fP]]
+Get zone data that are currently being presented.
+.TP
+\fBzone\-begin\fP \fIzone\fP\&...
+Begin a zone transaction.
+.TP
+\fBzone\-commit\fP \fIzone\fP\&...
+Commit the zone transaction. All changes are applied to the zone.
+.TP
+\fBzone\-abort\fP \fIzone\fP\&...
+Abort the zone transaction. All changes are discarded.
+.TP
+\fBzone\-diff\fP \fIzone\fP
+Get zone changes within the transaction.
+.TP
+\fBzone\-get\fP \fIzone\fP [\fIowner\fP [\fItype\fP]]
+Get zone data within the transaction.
+.TP
+\fBzone\-set\fP \fIzone\fP \fIowner\fP [\fIttl\fP] \fItype\fP \fIrdata\fP
+Add zone record within the transaction. The first record in a rrset
+requires a ttl value specified.
+.TP
+\fBzone\-unset\fP \fIzone\fP \fIowner\fP [\fItype\fP [\fIrdata\fP]]
+Remove zone data within the transaction.
+.TP
+\fBzone\-purge\fP \fIzone\fP\&... [\fIfilter\fP\&...]
+Purge zone data, zone file, journal, timers, and/or KASP data of specified zones.
+Available filters are \fB+expire\fP, \fB+zonefile\fP, \fB+journal\fP, \fB+timers\fP,
+and \fB+kaspdb\fP\&. If no filter is specified, all filters are enabled.
+If the zone is no longer configured, add \fB+orphan\fP filter (zone file cannot
+be purged in this case).
+.TP
+\fBzone\-stats\fP \fIzone\fP [\fImodule\fP[\fB\&.\fP\fIcounter\fP]]
+Show zone statistics counter(s). To print also counters with value 0, use
+force option.
+.TP
+\fBconf\-init\fP
+Initialize the configuration database. (*)
+.TP
+\fBconf\-check\fP
+Check the server configuration. (*)
+.TP
+\fBconf\-import\fP \fIfilename\fP
+Import a configuration file into the configuration database. Ensure the
+server is not using the configuration database! (*)
+.TP
+\fBconf\-export\fP [\fIfilename\fP]
+Export the configuration database into a config file or stdout. (*)
+.TP
+\fBconf\-list\fP [\fIitem\fP]
+List the configuration database sections or section items.
+.TP
+\fBconf\-read\fP [\fIitem\fP]
+Read the item from the active configuration database.
+.TP
+\fBconf\-begin\fP
+Begin a writing configuration database transaction. Only one transaction
+can be opened at a time.
+.TP
+\fBconf\-commit\fP
+Commit the configuration database transaction.
+.TP
+\fBconf\-abort\fP
+Rollback the configuration database transaction.
+.TP
+\fBconf\-diff\fP [\fIitem\fP]
+Get the item difference in the transaction.
+.TP
+\fBconf\-get\fP [\fIitem\fP]
+Get the item data from the transaction.
+.TP
+\fBconf\-set\fP \fIitem\fP [\fIdata\fP\&...]
+Set the item data in the transaction.
+.TP
+\fBconf\-unset\fP [\fIitem\fP] [\fIdata\fP\&...]
+Unset the item data in the transaction.
+.UNINDENT
+.SS Note
+.sp
+Empty or \fB\-\-\fP \fIzone\fP parameter means all zones or all zones with a transaction.
+.sp
+Use \fB@\fP \fIowner\fP to denote the zone name.
+.sp
+Type \fIitem\fP parameter in the form of \fIsection\fP[\fB[\fP\fIid\fP\fB]\fP][\fB\&.\fP\fIname\fP].
+.sp
+(*) indicates a local operation which requires a configuration.
+.SS Interactive mode
+.sp
+The utility provides interactive mode with basic line editing functionality,
+command completion, and command history.
+.sp
+Interactive mode behavior can be customized in \fI~/.editrc\fP\&. Refer to
+\fBeditrc(5)\fP for details.
+.sp
+Command history is saved in \fI~/.knotc_history\fP\&.
+.SH EXAMPLES
+.SS Reload the whole server configuration
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knotc reload
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Flush the example.com and example.org zones
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knotc zone\-flush example.com example.org
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Get the current server configuration
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knotc conf\-read server
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Get the list of the current zones
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knotc conf\-read zone.domain
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Get the master remotes for the example.com zone
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knotc conf\-read \(aqzone[example.com].master\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Add example.org zone with a zonefile location
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knotc conf\-begin
+$ knotc conf\-set \(aqzone[example.org]\(aq
+$ knotc conf\-set \(aqzone[example.org].file\(aq \(aq/var/zones/example.org.zone\(aq
+$ knotc conf\-commit
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Get the SOA record for each configured zone
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knotc zone\-read \-\- @ SOA
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBknotd(8)\fP, \fBknot.conf(5)\fP, \fBeditrc(5)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2019, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/knotd.8in b/doc/man/knotd.8in
new file mode 100644
index 0000000..2ae6450
--- /dev/null
+++ b/doc/man/knotd.8in
@@ -0,0 +1,76 @@
+.\" Man page generated from reStructuredText.
+.
+.TH "KNOTD" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+knotd \- Knot DNS server daemon
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH SYNOPSIS
+.sp
+\fBknotd\fP [\fIparameters\fP]
+.SH DESCRIPTION
+.SS Parameters
+.INDENT 0.0
+.TP
+\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
+Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+.TP
+\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
+Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+The default configuration database, if exists, has a preference to the default
+configuration file.
+.TP
+\fB\-m\fP, \fB\-\-max\-conf\-size\fP \fIMiB\fP
+Set maximum configuration size (default is @conf_mapsize@ MiB, maximum 10000 MiB).
+.TP
+\fB\-s\fP, \fB\-\-socket\fP \fIpath\fP
+Use a remote control UNIX socket path (default is \fB@run_dir@/knot.sock\fP).
+.TP
+\fB\-d\fP, \fB\-\-daemonize\fP [\fIdirectory\fP]
+Run the server as a daemon. New root directory may be specified
+(default is \fB/\fP).
+.TP
+\fB\-v\fP, \fB\-\-verbose\fP
+Enable debug output.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBknot.conf(5)\fP, \fBknotc(8)\fP, \fBkeymgr(8)\fP,
+\fBkjournalprint(8)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2019, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/knsec3hash.1in b/doc/man/knsec3hash.1in
new file mode 100644
index 0000000..a450097
--- /dev/null
+++ b/doc/man/knsec3hash.1in
@@ -0,0 +1,87 @@
+.\" Man page generated from reStructuredText.
+.
+.TH "KNSEC3HASH" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+knsec3hash \- Simple utility to compute NSEC3 hash
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH SYNOPSIS
+.sp
+\fBknsec3hash\fP \fIsalt\fP \fIalgorithm\fP \fIiterations\fP \fIname\fP
+.SH DESCRIPTION
+.sp
+This utility generates a NSEC3 hash for a given domain name and parameters of NSEC3 hash.
+.SS Parameters
+.INDENT 0.0
+.TP
+\fIsalt\fP
+Specifies a binary salt encoded as a hexadecimal string.
+.TP
+\fIalgorithm\fP
+Specifies a hashing algorithm by number. Currently, the only supported algorithm is SHA\-1 (number 1).
+.TP
+\fIiterations\fP
+Specifies the number of additional iterations of the hashing algorithm.
+.TP
+\fIname\fP
+Specifies the domain name to be hashed.
+.UNINDENT
+.SH EXAMPLES
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knsec3hash c01dcafe 1 10 knot\-dns.cz
+7PTVGE7QV67EM61ROS9238P5RAKR2DM7 (salt=c01dcafe, hash=1, iterations=10)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knsec3hash \- 1 0 net
+A1RT98BS5QGC9NFI51S9HCI47ULJG6JH (salt=\-, hash=1, iterations=0)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fI\%RFC 5155\fP – DNS Security (DNSSEC) Hashed Authenticated Denial of Existence.
+.sp
+\fBknotc(8)\fP, \fBknotd(8)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2019, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/knsupdate.1in b/doc/man/knsupdate.1in
new file mode 100644
index 0000000..10c0b87
--- /dev/null
+++ b/doc/man/knsupdate.1in
@@ -0,0 +1,198 @@
+.\" Man page generated from reStructuredText.
+.
+.TH "KNSUPDATE" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+knsupdate \- Dynamic DNS update utility
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH SYNOPSIS
+.sp
+\fBknsupdate\fP [\fIoptions\fP] [\fIfilename\fP]
+.SH DESCRIPTION
+.sp
+This utility sends Dynamic DNS update messages to a DNS server. Update content
+is read from a file (if the parameter \fIfilename\fP is given) or from the standard
+input.
+.sp
+The format of updates is textual and is made up of commands. Every command is
+placed on the separate line of the input. Lines starting with a semicolon are
+comments and are not processed.
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-d\fP
+Enable debug messages.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-k\fP \fIkeyfile\fP
+Use the TSIG key stored in a file \fIkeyfile\fP to authenticate the request. The
+file should contain the key in the same format, which is accepted by the
+\fB\-y\fP option.
+.TP
+\fB\-p\fP \fIport\fP
+Set the port to use for connections to the server (if not explicitly specified
+in the update). The default is 53.
+.TP
+\fB\-r\fP \fIretries\fP
+The number of retries for UDP requests. The default is 3.
+.TP
+\fB\-t\fP \fItimeout\fP
+The total timeout (for all UDP update tries) of the update request in seconds.
+The default is 12. If set to zero, the timeout is infinite.
+.TP
+\fB\-v\fP
+Use a TCP connection.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.TP
+\fB\-y\fP [\fIalg\fP:]\fIname\fP:\fIkey\fP
+Use the TSIG key with a name \fIname\fP to authenticate the request. The \fIalg\fP
+part specifies the algorithm (the default is hmac\-sha256) and \fIkey\fP specifies
+the shared secret encoded in Base64.
+.UNINDENT
+.SS Commands
+.INDENT 0.0
+.TP
+\fBserver\fP \fIname\fP [\fIport\fP]
+Specifies a receiving server of the dynamic update message. The \fIname\fP parameter
+can be either a host name or an IP address. If the \fIport\fP is not specified,
+the default port is used. The default port value can be controlled using
+the \fB\-p\fP program option.
+.TP
+\fBlocal\fP \fIaddress\fP [\fIport\fP]
+Specifies outgoing \fIaddress\fP and \fIport\fP\&. If no local is specified, the
+address and port are set by the system automatically. The default port number
+is 0.
+.TP
+\fBzone\fP \fIname\fP
+Specifies that all updates are done within a zone \fIname\fP\&. If not used,
+the default zone is the root zone.
+.TP
+\fBorigin\fP \fIname\fP
+Specifies fully qualified domain name suffix which is appended to non\-fqd
+owners in update commands. The default origin is the root zone.
+.TP
+\fBclass\fP \fIname\fP
+Sets \fIname\fP as the default class for all updates. If not used, the default
+class is IN.
+.TP
+\fBttl\fP \fIvalue\fP
+Sets \fIvalue\fP as the default TTL (in seconds). If not used, the default value
+is 0.
+.TP
+\fBkey\fP [\fIalg\fP:]\fIname\fP \fIkey\fP
+Specifies the TSIG \fIkey\fP named \fIname\fP to authenticate the request. An optional
+\fIalg\fP algorithm can be specified. This command has the same effect as
+the program option \fB\-y\fP\&.
+.TP
+[\fBprereq\fP] \fBnxdomain\fP \fIname\fP
+Adds a prerequisite for a non\-existing record owned by \fIname\fP\&.
+.TP
+[\fBprereq\fP] \fByxdomain\fP \fIname\fP
+Adds a prerequisite for an existing record owned by \fIname\fP\&.
+.TP
+[\fBprereq\fP] \fBnxrrset\fP \fIname\fP [\fIclass\fP] \fItype\fP
+Adds a prerequisite for a non\-existing record of the \fItype\fP owned by \fIname\fP\&.
+Internet \fIclass\fP is expected.
+.TP
+[\fBprereq\fP] \fByxrrset\fP \fIname\fP [\fIclass\fP] \fItype\fP [\fIdata\fP]
+Adds a prerequisite for an existing record of the \fItype\fP owned by \fIname\fP
+with optional \fIdata\fP\&. Internet \fIclass\fP is expected.
+.TP
+[\fBupdate\fP] \fBadd\fP \fIname\fP [\fIttl\fP] [\fIclass\fP] \fItype\fP \fIdata\fP
+Adds a request to add a new resource record into the zone.
+Please note that if the \fIname\fP is not fully qualified domain name, the
+current origin name is appended to it.
+.TP
+[\fBupdate\fP] \fBdel\fP[\fBete\fP] \fIname\fP [\fIttl\fP] [\fIclass\fP] [\fItype\fP] [\fIdata\fP]
+Adds a request to remove all (or matching \fIclass\fP, \fItype\fP or \fIdata\fP)
+resource records from the zone. There is the same requirement for the \fIname\fP
+parameter as in \fBupdate add\fP command. The \fIttl\fP item is ignored.
+.TP
+\fBshow\fP
+Displays current content of the update message.
+.TP
+\fBsend\fP
+Sends the current update message and cleans the list of updates.
+.TP
+\fBanswer\fP
+Displays the last answer from the server.
+.TP
+\fBdebug\fP
+Enable debugging. This command has the same meaning as the \fB\-d\fP program option.
+.TP
+\fBquit\fP
+Quit the program.
+.UNINDENT
+.SH NOTES
+.sp
+Options \fB\-k\fP and \fB\-y\fP can not be used simultaneously.
+.sp
+Dnssec\-keygen keyfile format is not supported. Use \fBkeymgr(8)\fP instead.
+.sp
+Zone name/server guessing is not supported if the zone name/server is not specified.
+.sp
+Empty line doesn\(aqt send the update.
+.SH EXAMPLES
+.INDENT 0.0
+.IP 1. 3
+Send one update of the zone example.com to the server 192.168.1.1. The update
+contains two new records:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knsupdate
+> server 192.168.1.1
+> zone example.com.
+> origin example.com.
+> ttl 3600
+> add test1.example.com. 7200 A 192.168.2.2
+> add test2 TXT "hello"
+> show
+> send
+> answer
+> quit
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBkdig(1)\fP, \fBkhost(1)\fP, \fBkeymgr(8)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2019, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/kzonecheck.1in b/doc/man/kzonecheck.1in
new file mode 100644
index 0000000..cb8fe22
--- /dev/null
+++ b/doc/man/kzonecheck.1in
@@ -0,0 +1,73 @@
+.\" Man page generated from reStructuredText.
+.
+.TH "KZONECHECK" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+kzonecheck \- Knot DNS zone check tool
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH SYNOPSIS
+.sp
+\fBkzonecheck\fP [\fIoptions\fP] \fIfilename\fP
+.SH DESCRIPTION
+.sp
+The utility checks zone file syntax and runs semantic checks on the zone
+content. The executed checks are the same as the checks run by the Knot
+DNS server.
+.sp
+Please, refer to the \fBsemantic\-checks\fP configuration option in
+\fBknot.conf(5)\fP for the full list of available semantic checks.
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-o\fP, \fB\-\-origin\fP \fIorigin\fP
+Zone origin. If not specified, the origin is determined from the file name
+(possibly removing the \fB\&.zone\fP suffix).
+.TP
+\fB\-t\fP, \fB\-\-time\fP \fItime\fP
+Current time specification. Use UNIX timestamp, YYYYMMDDHHmmSS
+format, or [+/\-]\fItime\fP[unit] format, where unit can be \fBY\fP, \fBM\fP,
+\fBD\fP, \fBh\fP, \fBm\fP, or \fBs\fP\&. Default is current UNIX timestamp.
+.TP
+\fB\-v\fP, \fB\-\-verbose\fP
+Enable debug output.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBknotd(8)\fP, \fBknot.conf(5)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2019, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man_kdig.rst b/doc/man_kdig.rst
new file mode 100644
index 0000000..c1b3961
--- /dev/null
+++ b/doc/man_kdig.rst
@@ -0,0 +1,324 @@
+.. highlight:: console
+
+kdig – Advanced DNS lookup utility
+==================================
+
+Synopsis
+--------
+
+:program:`kdig` [*common-settings*] [*query* [*settings*]]...
+
+:program:`kdig` **-h**
+
+Description
+-----------
+
+This utility sends one or more DNS queries to a nameserver. Each query can have
+individual *settings*, or it can be specified globally via *common-settings*,
+which must precede *query* specification.
+
+Parameters
+..........
+
+*query*
+ *name* | **-q** *name* | **-x** *address* | **-G** *tapfile*
+
+*common-settings*, *settings*
+ [*query_class*] [*query_type*] [**@**\ *server*]... [*options*]
+
+*name*
+ Is a domain name that is to be looked up.
+
+*server*
+ Is a domain name or an IPv4 or IPv6 address of the nameserver to send a query
+ to. An additional port can be specified using address:port ([address]:port
+ for IPv6 address), address@port, or address#port notation. If no server is
+ specified, the servers from :file:`/etc/resolv.conf` are used.
+
+If no arguments are provided, :program:`kdig` sends NS query for the root
+zone.
+
+Query classes
+.............
+
+A *query_class* can be either a DNS class name (IN, CH) or generic class
+specification **CLASS**\ *XXXXX* where *XXXXX* is a corresponding decimal
+class number. The default query class is IN.
+
+Query types
+...........
+
+A *query_type* can be either a DNS resource record type
+(A, AAAA, NS, SOA, DNSKEY, ANY, etc.) or one of the following:
+
+**TYPE**\ *XXXXX*
+ Generic query type specification where *XXXXX* is a corresponding decimal
+ type number.
+
+**AXFR**
+ Full zone transfer request.
+
+**IXFR=**\ *serial*
+ Incremental zone transfer request for specified starting SOA serial number.
+
+**NOTIFY=**\ *serial*
+ Notify message with a SOA serial hint specified.
+
+**NOTIFY**
+ Notify message with a SOA serial hint unspecified.
+
+The default query type is A.
+
+Options
+.......
+
+**-4**
+ Use the IPv4 protocol only.
+
+**-6**
+ Use the IPv6 protocol only.
+
+**-b** *address*
+ Set the source IP address of the query to *address*. The address must be a
+ valid address for local interface or :: or 0.0.0.0. An optional port
+ can be specified in the same format as the *server* value.
+
+**-c** *class*
+ An explicit *query_class* specification. See possible values above.
+
+**-d**
+ Enable debug messages.
+
+**-h**, **--help**
+ Print the program help.
+
+**-k** *keyfile*
+ Use the TSIG key stored in a file *keyfile* to authenticate the request. The
+ file must contain the key in the same format as accepted by the
+ **-y** option.
+
+**-p** *port*
+ Set the nameserver port number or service name to send a query to. The default
+ port is 53.
+
+**-q** *name*
+ Set the query name. An explicit variant of *name* specification. If no *name*
+ is provided, empty question section is set.
+
+**-t** *type*
+ An explicit *query_type* specification. See possible values above.
+
+**-V**, **--version**
+ Print the program version.
+
+**-x** *address*
+ Send a reverse (PTR) query for IPv4 or IPv6 *address*. The correct name, class
+ and type is set automatically.
+
+**-y** [*alg*:]\ *name*:*key*
+ Use the TSIG key named *name* to authenticate the request. The *alg*
+ part specifies the algorithm (the default is hmac-sha256) and *key* specifies
+ the shared secret encoded in Base64.
+
+**-E** *tapfile*
+ Export a dnstap trace of the query and response messages received to the
+ file *tapfile*.
+
+**-G** *tapfile*
+ Generate message output from a previously saved dnstap file *tapfile*.
+
+**+**\ [\ **no**\ ]\ **multiline**
+ Wrap long records to more lines and improve human readability.
+
+**+**\ [\ **no**\ ]\ **short**
+ Show record data only.
+
+**+**\ [\ **no**\ ]\ **generic**
+ Use the generic representation format when printing resource record types
+ and data.
+
+**+**\ [\ **no**\ ]\ **crypto**
+ Display the DNSSEC keys and signatures values in hexdump, instead of omitting them.
+
+**+**\ [\ **no**\ ]\ **aaflag**
+ Set the AA flag.
+
+**+**\ [\ **no**\ ]\ **tcflag**
+ Set the TC flag.
+
+**+**\ [\ **no**\ ]\ **rdflag**
+ Set the RD flag.
+
+**+**\ [\ **no**\ ]\ **recurse**
+ Same as **+**\ [\ **no**\ ]\ **rdflag**
+
+**+**\ [\ **no**\ ]\ **raflag**
+ Set the RA flag.
+
+**+**\ [\ **no**\ ]\ **zflag**
+ Set the zero flag bit.
+
+**+**\ [\ **no**\ ]\ **adflag**
+ Set the AD flag.
+
+**+**\ [\ **no**\ ]\ **cdflag**
+ Set the CD flag.
+
+**+**\ [\ **no**\ ]\ **dnssec**
+ Set the DO flag.
+
+**+**\ [\ **no**\ ]\ **all**
+ Show all packet sections.
+
+**+**\ [\ **no**\ ]\ **qr**
+ Show the query packet.
+
+**+**\ [\ **no**\ ]\ **header**
+ Show the packet header.
+
+**+**\ [\ **no**\ ]\ **comments**
+ Show commented section names.
+
+**+**\ [\ **no**\ ]\ **opt**
+ Show the EDNS pseudosection.
+
+**+**\ [\ **no**\ ]\ **question**
+ Show the question section.
+
+**+**\ [\ **no**\ ]\ **answer**
+ Show the answer section.
+
+**+**\ [\ **no**\ ]\ **authority**
+ Show the authority section.
+
+**+**\ [\ **no**\ ]\ **additional**
+ Show the additional section.
+
+**+**\ [\ **no**\ ]\ **tsig**
+ Show the TSIG pseudosection.
+
+**+**\ [\ **no**\ ]\ **stats**
+ Show trailing packet statistics.
+
+**+**\ [\ **no**\ ]\ **class**
+ Show the DNS class.
+
+**+**\ [\ **no**\ ]\ **ttl**
+ Show the TTL value.
+
+**+**\ [\ **no**\ ]\ **tcp**
+ Use the TCP protocol (default is UDP for standard query and TCP for AXFR/IXFR).
+
+**+**\ [\ **no**\ ]\ **fastopen**
+ Use TCP Fast Open (default with TCP).
+
+**+**\ [\ **no**\ ]\ **ignore**
+ Don't use TCP automatically if a truncated reply is received.
+
+**+**\ [\ **no**\ ]\ **tls**
+ Use TLS with the Opportunistic privacy profile (:rfc:`7858#section-4.1`).
+
+**+**\ [\ **no**\ ]\ **tls-ca**\[\ =\ *FILE*\]
+ Use TLS with a certificate validation. Certification authority certificates
+ are loaded from the specified PEM file (default is system certificate storage
+ if no argument is provided).
+ Can be specified multiple times. If the +tls-hostname option is not provided,
+ the name of the target server (if specified) is used for strict authentication.
+
+**+**\ [\ **no**\ ]\ **tls-pin**\ =\ *BASE64*
+ Use TLS with the Out-of-Band key-pinned privacy profile (:rfc:`7858#section-4.2`).
+ The PIN must be a Base64 encoded SHA-256 hash of the X.509 SubjectPublicKeyInfo.
+ Can be specified multiple times.
+
+**+**\ [\ **no**\ ]\ **tls-hostname**\ =\ *STR*
+ Use TLS with a remote server hostname check.
+
+**+**\ [\ **no**\ ]\ **tls-sni**\ =\ *STR*
+ Use TLS with a Server Name Indication.
+
+**+**\ [\ **no**\ ]\ **nsid**
+ Request the nameserver identifier (NSID).
+
+**+**\ [\ **no**\ ]\ **bufsize**\ =\ *B*
+ Set EDNS buffer size in bytes (default is 512 bytes).
+
+**+**\ [\ **no**\ ]\ **padding**\[\ =\ *B*\]
+ Use EDNS(0) padding option to pad queries, optionally to a specific
+ size. The default is to pad queries with a sensible amount when using
+ +tls, and not to pad at all when queries are sent without TLS. With
+ no argument (i.e., just +padding) pad every query with a sensible
+ amount regardless of the use of TLS. With +nopadding, never pad.
+
+**+**\ [\ **no**\ ]\ **alignment**\[\ =\ *B*\]
+ Align the query to B\-byte-block message using the EDNS(0) padding option
+ (default is no or 128 if no argument is specified).
+
+**+**\ [\ **no**\ ]\ **subnet**\ =\ *SUBN*
+ Set EDNS(0) client subnet SUBN=addr/prefix.
+
+**+**\ [\ **no**\ ]\ **edns**\[\ =\ *N*\]
+ Use EDNS version (default is 0).
+
+**+**\ [\ **no**\ ]\ **timeout**\ =\ *T*
+ Set the wait-for-reply interval in seconds (default is 5 seconds). This timeout
+ applies to each query attempt.
+
+**+**\ [\ **no**\ ]\ **retry**\ =\ *N*
+ Set the number (>=0) of UDP retries (default is 2). This doesn't apply to
+ AXFR/IXFR.
+
+**+**\ [\ **no**\ ]\ **cookie**\ =\ *HEX*
+ Attach EDNS(0) cookie to the query.
+
+**+**\ [\ **no**\ ]\ **badcookie**
+ Repeat a query with the correct cookie.
+
+**+**\ [\ **no**\ ]\ **ednsopt**\[\ =\ *CODE*\[:*HEX*\]\]
+ Send custom EDNS option. The *CODE* is EDNS option code in decimal, *HEX*
+ is an optional hex encoded string to use as EDNS option value. This argument
+ can be used multiple times. +noednsopt clears all EDNS options specified by
+ +ednsopt.
+
+**+noidn**
+ Disable the IDN transformation to ASCII and vice versa. IDNA2003 support depends
+ on libidn availability during project building!
+
+Notes
+-----
+
+Options **-k** and **-y** can not be used simultaneously.
+
+Dnssec-keygen keyfile format is not supported. Use :manpage:`keymgr(8)` instead.
+
+Examples
+--------
+
+1. Get A records for example.com::
+
+ $ kdig example.com A
+
+2. Perform AXFR for zone example.com from the server 192.0.2.1::
+
+ $ kdig example.com -t AXFR @192.0.2.1
+
+3. Get A records for example.com from 192.0.2.1 and reverse lookup for address
+ 2001:DB8::1 from 192.0.2.2. Both using the TCP protocol::
+
+ $ kdig +tcp example.com -t A @192.0.2.1 -x 2001:DB8::1 @192.0.2.2
+
+4. Get SOA record for example.com, use TLS, use system certificates, check
+ for specified hostname, check for certificate pin, and print additional
+ debug info::
+
+ $ kdig -d @185.49.141.38 +tls-ca +tls-host=getdnsapi.net \
+ +tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com
+
+Files
+-----
+
+:file:`/etc/resolv.conf`
+
+See Also
+--------
+
+:manpage:`khost(1)`, :manpage:`knsupdate(1)`, :manpage:`keymgr(8)`.
diff --git a/doc/man_keymgr.rst b/doc/man_keymgr.rst
new file mode 100644
index 0000000..03409b6
--- /dev/null
+++ b/doc/man_keymgr.rst
@@ -0,0 +1,216 @@
+.. highlight:: console
+
+keymgr – Key management utility
+===============================
+
+Synopsis
+--------
+
+:program:`keymgr` *basic_option* [*parameters*...]
+
+:program:`keymgr` [*config_option* *config_storage*] *zone* *command* *argument*...
+
+Description
+-----------
+
+The :program:`keymgr` utility serves for manual key management in Knot DNS server.
+
+Functions for DNSSEC keys and KASP (Key And Signature Policy)
+management are provided.
+
+The DNSSEC and KASP configuration is stored in a so called KASP database.
+The database is backed by LMDB.
+
+Basic options
+.............
+
+**-h**, **--help**
+ Print the program help.
+
+**-V**, **--version**
+ Print the program version.
+
+**-t**, **--tsig** *tsig_name* [*tsig_algorithm*] [*tsig_bits*]
+ Generates a TSIG key. TSIG algorithm can be specified by string (default: hmac-sha256),
+ bit length of the key by number (default: optimal length given by algorithm). The generated
+ TSIG key is only displayed on `stdout`: the command does not create a file, nor include the
+ key in a keystore.
+
+Config options
+..............
+
+**-c**, **--config** *file*
+ Use a textual configuration file (default is :file:`@config_dir@/knot.conf`).
+
+**-C**, **--confdb** *directory*
+ Use a binary configuration database directory (default is :file:`@storage_dir@/confdb`).
+ The default configuration database, if exists, has a preference to the default
+ configuration file.
+
+**-d**, **--dir** *path*
+ Use specified KASP database path and default configuration.
+
+Commands
+........
+
+**list** [*timestamp_format*]
+ Prints the list of key IDs and parameters of keys belonging to the zone.
+
+**generate** [*arguments*...]
+ Generates new DNSSEC key and stores it in KASP database. Prints the key ID.
+ This action takes some number of arguments (see below). Values for unspecified arguments are taken
+ from corresponding policy (if *-c* or *-C* options used) or from Knot policy defaults.
+
+**import-bind** *BIND_key_file*
+ Imports a BIND-style key into KASP database (converting it to PEM format).
+ Takes one argument: path to BIND key file (private or public, but both MUST exist).
+
+**import-pub** *BIND_pubkey_file*
+ Imports a public key into KASP database. This key won't be rollovered nor used for signing.
+ Takes one argument: path to BIND public key file.
+
+**import-pem** *PEM_file* [*arguments*...]
+ Imports a DNSSEC key from PEM file. The key parameters (same as for the generate action) need to be
+ specified (mainly algorithm, timers...) because they are not contained in the PEM format.
+
+**import-pkcs11** *key_id* [*arguments*...]
+ Imports a DNSSEC key from PKCS #11 storage. The key parameters (same as for the generate action) need to be
+ specified (mainly algorithm, timers...) because they are not available. In fact, no key
+ data is imported, only KASP database metadata is created.
+
+**nsec3-salt** [*new_salt*]
+ Prints the current NSEC3 salt used for signing. If *new_salt* is specified, the salt is overwritten.
+ The salt is printed and expected in hexadecimal, or dash if empty.
+
+**set** *key_spec* [*arguments*...]
+ Changes a timing argument (or ksk/zsk) of an existing key to a new value. *Key_spec* is either the
+ key tag or a prefix of the key ID; *arguments* are like for **generate**, but just the related ones.
+
+**ds** [*key_spec*]
+ Generate DS record (all digest algorithms together) for specified key. *Key_spec*
+ is like for **set**, if unspecified, all KSKs are used.
+
+**dnskey** [*key_spec*]
+ Generate DNSKEY record for specified key. *Key_spec*
+ is like for **ds**, if unspecified, all KSKs are used.
+
+**delete** *key_spec*
+ Remove the specified key from zone. If the key was not shared, it is also deleted from keystore.
+
+**share** *key_ID*
+ Import a key (specified by full key ID) from another zone as shared. After this, the key is
+ owned by both zones equally.
+
+Generate arguments
+..................
+
+Arguments are separated by space, each of them is in format 'name=value'.
+
+**algorithm**
+ Either an algorithm number (e.g. 14), or text name without dashes (e.g. ECDSAP384SHA384).
+
+**size**
+ Key length in bits.
+
+**ksk**
+ If set to **yes**, the key will be used for signing DNSKEY rrset. The generated key will also
+ have the Secure Entry Point flag set to 1.
+
+**zsk**
+ If set to **yes**, the key will be used for signing zone (except DNSKEY rrset). This flag can
+ be set concurrently with the **ksk** flag.
+
+**sep**
+ Overrides the standard setting of the Secure Entry Point flag for the generated key.
+
+The following arguments are timestamps of key lifetime:
+
+**created**
+ Key created.
+
+**pre_active**
+ Key started to be used for signing, not published (only for algorithm rollover).
+
+**publish**
+ Key published.
+
+**ready**
+ Key used for signing and submitted to the parent zone (only for KSK).
+
+**active**
+ Key used for signing.
+
+**post_active**
+ Key still used for singing, but another key is active (only for KSK).
+
+**retire_active**
+ Key no longer published, but still used for signing (only for algorithm rollover).
+
+**retire**
+ Key still published, but no longer used for signing.
+
+**remove**
+ Key deleted.
+
+Timestamps
+..........
+
+0
+ Zero timestamp means infinite future.
+
+*UNIX_time*
+ Positive number of seconds since 1970 UTC.
+
+*YYYYMMDDHHMMSS*
+ Date and time in this format without any punctuation.
+
+*relative_timestamp*
+ A sign character (**+**, **-**), a number, and an optional time unit
+ (**y**, **mo**, **d**, **h**, **mi**, **s**). The default unit is one second.
+ E.g. +1mi, -2mo.
+
+Output timestamp formats
+........................
+
+(none)
+ The timestamps are printed as UNIX timestamp.
+
+**human**
+ The timestamps are printed relatively to now using time units (e.g. -2y5mo, +1h13s).
+
+**iso**
+ The timestamps are printed in the ISO8601 format (e.g. 2016-12-31T23:59:00).
+
+Examples
+--------
+
+1. Generate new TSIG key::
+
+ $ keymgr -t my_name hmac-sha384
+
+2. Generate new DNSSEC key::
+
+ $ keymgr example.com. generate algorithm=ECDSAP256SHA256 size=256 \
+ ksk=true created=1488034625 publish=20170223205611 retire=+10mo remove=+1y
+
+3. Import a DNSSEC key from BIND::
+
+ $ keymgr example.com. import-bind ~/bind/Kharbinge4d5.+007+63089.key
+
+4. Configure key timing::
+
+ $ keymgr example.com. set 4208 active=+2mi retire=+4mi remove=+5mi
+
+5. Share a KSK from another zone::
+
+ $ keymgr example.com. share e687cf927029e9db7184d2ece6d663f5d1e5b0e9
+
+See Also
+--------
+
+:rfc:`6781` - DNSSEC Operational Practices.
+:rfc:`7583` - DNSSEC Key Rollover Timing Considerations.
+
+:manpage:`knot.conf(5)`,
+:manpage:`knotc(8)`,
+:manpage:`knotd(8)`.
diff --git a/doc/man_khost.rst b/doc/man_khost.rst
new file mode 100644
index 0000000..b6e2d6b
--- /dev/null
+++ b/doc/man_khost.rst
@@ -0,0 +1,102 @@
+.. highlight:: console
+
+khost – Simple DNS lookup utility
+=================================
+
+Synopsis
+--------
+
+:program:`khost` [*options*] *name* [*server*]
+
+Description
+-----------
+
+This utility sends a DNS query for the *name* to the *server* and prints a reply
+in more user-readable form. For more advanced DNS queries use :program:`kdig`
+instead.
+
+Parameters
+..........
+
+*name*
+ Is a domain name that is to be looked up. If the *name* is IPv4 or IPv6
+ address the PTR query type is used.
+
+*server*
+ Is a name or an address of the nameserver to send a query to. The address
+ can be specified using [address]:port notation. If no server is specified,
+ the servers from :file:`/etc/resolv.conf` are used.
+
+If no arguments are provided, :program:`khost` prints a short help.
+
+Options
+.......
+
+**-4**
+ Use the IPv4 protocol only.
+
+**-6**
+ Use the IPv6 protocol only.
+
+**-a**
+ Send ANY query with verbose mode.
+
+**-d**
+ Enable debug messages.
+
+**-h**, **--help**
+ Print the program help.
+
+**-r**
+ Disable recursion.
+
+**-T**
+ Use the TCP protocol.
+
+**-v**
+ Enable verbose output.
+
+**-V**, **--version**
+ Print the program version.
+
+**-w**
+ Wait forever for the reply.
+
+**-c** *class*
+ Set the query class (e.g. CH, CLASS4). The default class is IN.
+
+**-t** *type*
+ Set the query type (e.g. NS, IXFR=12345, TYPE65535). The default is to send 3
+ queries (A, AAAA and MX).
+
+**-R** *retries*
+ The number (>=0) of UDP retries to query a nameserver. The default is 1.
+
+**-W** *wait*
+ The time to wait for a reply in seconds. This timeout applies to each query
+ try. The default is 2 seconds.
+
+Examples
+--------
+
+1. Get the A, AAAA and MX records for example.com::
+
+ $ khost example.com
+
+2. Get the reverse record for address 192.0.2.1::
+
+ $ khost 192.0.2.1
+
+3. Perform a verbose zone transfer for zone example.com::
+
+ $ khost -t AXFR -v example.com
+
+Files
+-----
+
+:file:`/etc/resolv.conf`
+
+See Also
+--------
+
+:manpage:`kdig(1)`, :manpage:`knsupdate(1)`.
diff --git a/doc/man_kjournalprint.rst b/doc/man_kjournalprint.rst
new file mode 100644
index 0000000..f8868dd
--- /dev/null
+++ b/doc/man_kjournalprint.rst
@@ -0,0 +1,58 @@
+.. highlight:: console
+
+kjournalprint – Knot DNS journal print utility
+==============================================
+
+Synopsis
+--------
+
+:program:`kjournalprint` [*options*] *journal_db* *zone_name*
+
+Description
+-----------
+
+The program prints zone history stored in a journal database. As default,
+changes are colored for terminal.
+
+Options
+.......
+
+**-l**, **--limit** *limit*
+ Limits the number of displayed changes.
+
+**-d**, **--debug**
+ Debug mode brief output.
+
+**-n**, **--no-color**
+ Removes changes coloring.
+
+**-z**, **--zone-list**
+ Instead of reading jurnal, display the list of zones in the DB.
+ (*zone_name* not needed)
+
+**-h**, **--help**
+ Print the program help.
+
+**-V**, **--version**
+ Print the program version.
+
+Parameters
+..........
+
+*journal_db*
+ A path to the journal database.
+
+*zone_name*
+ A name of the zone to print the history for.
+
+Examples
+--------
+
+Last (most recent) 5 changes without colors::
+
+ $ kjournalprint -nl 5 /var/lib/knot/journal example.com.
+
+See Also
+--------
+
+:manpage:`knotd(8)`, :manpage:`knot.conf(5)`.
diff --git a/doc/man_knotc.rst b/doc/man_knotc.rst
new file mode 100644
index 0000000..ebfe4f1
--- /dev/null
+++ b/doc/man_knotc.rst
@@ -0,0 +1,274 @@
+.. highlight:: console
+
+knotc – Knot DNS control utility
+================================
+
+Synopsis
+--------
+
+:program:`knotc` [*parameters*] *action* [*action_args*]
+
+Description
+-----------
+
+If no *action* is specified, the program is executed in interactive mode.
+
+Parameters
+..........
+
+**-c**, **--config** *file*
+ Use a textual configuration file (default is :file:`@config_dir@/knot.conf`).
+
+**-C**, **--confdb** *directory*
+ Use a binary configuration database directory (default is :file:`@storage_dir@/confdb`).
+ The default configuration database, if exists, has a preference to the default
+ configuration file.
+
+**-m**, **--max-conf-size** *MiB*
+ Set maximum configuration size (default is @conf_mapsize@ MiB, maximum 10000 MiB).
+
+**-s**, **--socket** *path*
+ Use a control UNIX socket path (default is :file:`@run_dir@/knot.sock`).
+
+**-t**, **--timeout** *seconds*
+ Use a control timeout in seconds. Set 0 for infinity (default is 10).
+
+**-f**, **--force**
+ Forced operation. Overrides some checks.
+
+**-v**, **--verbose**
+ Enable debug output.
+
+**-h**, **--help**
+ Print the program help.
+
+**-V**, **--version**
+ Print the program version.
+
+Actions
+.......
+
+**status** [*detail*]
+ Check if the server is running. Details are **version** for the running
+ server version, **workers** for the numbers of worker threads,
+ or **configure** for the configure summary.
+
+**stop**
+ Stop the server if running.
+
+**reload**
+ Reload the server configuration and modified zone files. All open zone
+ transactions will be aborted!
+
+**stats** [*module*\ [\ **.**\ *counter*\ ]]
+ Show global statistics counter(s). To print also counters with value 0, use
+ force option.
+
+**zone-status** *zone* [*filter*]
+ Show the zone status. Filters are **+role**, **+serial**, **+transaction**,
+ **+events**, and **+freeze**.
+
+**zone-check** [*zone*...]
+ Test if the server can load the zone. Semantic checks are executed if enabled
+ in the configuration. (*)
+
+**zone-memstats** [*zone*...]
+ Estimate memory use for the zone. (*)
+
+**zone-reload** [*zone*...]
+ Trigger a zone reload from a disk without checking its modification time. For
+ slave zone, the refresh from a master server is scheduled; for master zone,
+ the notification of slave servers is scheduled. An open zone transaction
+ will be aborted!
+
+**zone-refresh** [*zone*...]
+ Trigger a check for the zone serial on the zone's master. If the master has a
+ newer zone, a transfer is scheduled. This command is valid for slave zones.
+
+**zone-retransfer** [*zone*...]
+ Trigger a zone transfer from the zone's master. The server doesn't check the
+ serial of the master's zone. This command is valid for slave zones.
+
+**zone-notify** [*zone*...]
+ Trigger a NOTIFY message to all configured remotes. This can help in cases
+ when previous NOTIFY had been lost or the slaves offline.
+
+**zone-flush** [*zone*...] [**+outdir** *directory*]
+ Trigger a zone journal flush into the zone file. If output dir is specified,
+ instead of flushing the zonefile, the zone is dumped to a file in the specified
+ directory.
+
+**zone-sign** [*zone*...]
+ Trigger a DNSSEC re-sign of the zone. Existing signatures will be dropped.
+ This command is valid for zones with DNSSEC signing enabled.
+
+**zone-ksk-submitted** *zone*...
+ Use when the zone's KSK rollover is in submittion phase. By calling this command
+ the user confirms manually that the parent zone contains DS record for the new
+ KSK in submission phase and the old KSK can be retired.
+
+**zone-freeze** [*zone*...]
+ Temporarily postpone zone-changing events (load, refresh, update, flush, and
+ DNSSEC signing).
+
+**zone-thaw** [*zone*...]
+ Dismiss zone freeze.
+
+**zone-read** *zone* [*owner* [*type*]]
+ Get zone data that are currently being presented.
+
+**zone-begin** *zone*...
+ Begin a zone transaction.
+
+**zone-commit** *zone*...
+ Commit the zone transaction. All changes are applied to the zone.
+
+**zone-abort** *zone*...
+ Abort the zone transaction. All changes are discarded.
+
+**zone-diff** *zone*
+ Get zone changes within the transaction.
+
+**zone-get** *zone* [*owner* [*type*]]
+ Get zone data within the transaction.
+
+**zone-set** *zone* *owner* [*ttl*] *type* *rdata*
+ Add zone record within the transaction. The first record in a rrset
+ requires a ttl value specified.
+
+**zone-unset** *zone* *owner* [*type* [*rdata*]]
+ Remove zone data within the transaction.
+
+**zone-purge** *zone*... [*filter*...]
+ Purge zone data, zone file, journal, timers, and/or KASP data of specified zones.
+ Available filters are **+expire**, **+zonefile**, **+journal**, **+timers**,
+ and **+kaspdb**. If no filter is specified, all filters are enabled.
+ If the zone is no longer configured, add **+orphan** filter (zone file cannot
+ be purged in this case).
+
+**zone-stats** *zone* [*module*\ [\ **.**\ *counter*\ ]]
+ Show zone statistics counter(s). To print also counters with value 0, use
+ force option.
+
+**conf-init**
+ Initialize the configuration database. (*)
+
+**conf-check**
+ Check the server configuration. (*)
+
+**conf-import** *filename*
+ Import a configuration file into the configuration database. Ensure the
+ server is not using the configuration database! (*)
+
+**conf-export** [*filename*]
+ Export the configuration database into a config file or stdout. (*)
+
+**conf-list** [*item*]
+ List the configuration database sections or section items.
+
+**conf-read** [*item*]
+ Read the item from the active configuration database.
+
+**conf-begin**
+ Begin a writing configuration database transaction. Only one transaction
+ can be opened at a time.
+
+**conf-commit**
+ Commit the configuration database transaction.
+
+**conf-abort**
+ Rollback the configuration database transaction.
+
+**conf-diff** [*item*]
+ Get the item difference in the transaction.
+
+**conf-get** [*item*]
+ Get the item data from the transaction.
+
+**conf-set** *item* [*data*...]
+ Set the item data in the transaction.
+
+**conf-unset** [*item*] [*data*...]
+ Unset the item data in the transaction.
+
+Note
+....
+
+Empty or **--** *zone* parameter means all zones or all zones with a transaction.
+
+Use **@** *owner* to denote the zone name.
+
+Type *item* parameter in the form of *section*\ [**[**\ *id*\ **]**\ ][**.**\ *name*].
+
+(*) indicates a local operation which requires a configuration.
+
+Interactive mode
+................
+
+The utility provides interactive mode with basic line editing functionality,
+command completion, and command history.
+
+Interactive mode behavior can be customized in `~/.editrc`. Refer to
+:manpage:`editrc(5)` for details.
+
+Command history is saved in `~/.knotc_history`.
+
+Examples
+--------
+
+Reload the whole server configuration
+.....................................
+
+::
+
+ $ knotc reload
+
+Flush the example.com and example.org zones
+...........................................
+
+::
+
+ $ knotc zone-flush example.com example.org
+
+Get the current server configuration
+....................................
+
+::
+
+ $ knotc conf-read server
+
+Get the list of the current zones
+.................................
+
+::
+
+ $ knotc conf-read zone.domain
+
+Get the master remotes for the example.com zone
+...............................................
+
+::
+
+ $ knotc conf-read 'zone[example.com].master'
+
+Add example.org zone with a zonefile location
+.............................................
+
+::
+
+ $ knotc conf-begin
+ $ knotc conf-set 'zone[example.org]'
+ $ knotc conf-set 'zone[example.org].file' '/var/zones/example.org.zone'
+ $ knotc conf-commit
+
+Get the SOA record for each configured zone
+...........................................
+
+::
+
+ $ knotc zone-read -- @ SOA
+
+See Also
+--------
+
+:manpage:`knotd(8)`, :manpage:`knot.conf(5)`, :manpage:`editrc(5)`.
diff --git a/doc/man_knotd.rst b/doc/man_knotd.rst
new file mode 100644
index 0000000..8adce89
--- /dev/null
+++ b/doc/man_knotd.rst
@@ -0,0 +1,48 @@
+.. highlight:: console
+
+knotd – Knot DNS server daemon
+==============================
+
+Synopsis
+--------
+
+:program:`knotd` [*parameters*]
+
+Description
+-----------
+
+Parameters
+..........
+
+**-c**, **--config** *file*
+ Use a textual configuration file (default is :file:`@config_dir@/knot.conf`).
+
+**-C**, **--confdb** *directory*
+ Use a binary configuration database directory (default is :file:`@storage_dir@/confdb`).
+ The default configuration database, if exists, has a preference to the default
+ configuration file.
+
+**-m**, **--max-conf-size** *MiB*
+ Set maximum configuration size (default is @conf_mapsize@ MiB, maximum 10000 MiB).
+
+**-s**, **--socket** *path*
+ Use a remote control UNIX socket path (default is :file:`@run_dir@/knot.sock`).
+
+**-d**, **--daemonize** [*directory*]
+ Run the server as a daemon. New root directory may be specified
+ (default is :file:`/`).
+
+**-v**, **--verbose**
+ Enable debug output.
+
+**-h**, **--help**
+ Print the program help.
+
+**-V**, **--version**
+ Print the program version.
+
+See Also
+--------
+
+:manpage:`knot.conf(5)`, :manpage:`knotc(8)`, :manpage:`keymgr(8)`,
+:manpage:`kjournalprint(8)`.
diff --git a/doc/man_knsec3hash.rst b/doc/man_knsec3hash.rst
new file mode 100644
index 0000000..1c2c95b
--- /dev/null
+++ b/doc/man_knsec3hash.rst
@@ -0,0 +1,49 @@
+.. highlight:: console
+
+knsec3hash – NSEC hash computation utility
+==========================================
+
+Synopsis
+--------
+
+:program:`knsec3hash` *salt* *algorithm* *iterations* *name*
+
+Description
+-----------
+
+This utility generates a NSEC3 hash for a given domain name and parameters of NSEC3 hash.
+
+Parameters
+..........
+
+*salt*
+ Specifies a binary salt encoded as a hexadecimal string.
+
+*algorithm*
+ Specifies a hashing algorithm by number. Currently, the only supported algorithm is SHA-1 (number 1).
+
+*iterations*
+ Specifies the number of additional iterations of the hashing algorithm.
+
+*name*
+ Specifies the domain name to be hashed.
+
+Examples
+--------
+
+::
+
+ $ knsec3hash c01dcafe 1 10 knot-dns.cz
+ 7PTVGE7QV67EM61ROS9238P5RAKR2DM7 (salt=c01dcafe, hash=1, iterations=10)
+
+::
+
+ $ knsec3hash - 1 0 net
+ A1RT98BS5QGC9NFI51S9HCI47ULJG6JH (salt=-, hash=1, iterations=0)
+
+See Also
+--------
+
+:rfc:`5155` – DNS Security (DNSSEC) Hashed Authenticated Denial of Existence.
+
+:manpage:`knotc(8)`, :manpage:`knotd(8)`.
diff --git a/doc/man_knsupdate.rst b/doc/man_knsupdate.rst
new file mode 100644
index 0000000..c93f48f
--- /dev/null
+++ b/doc/man_knsupdate.rst
@@ -0,0 +1,164 @@
+.. highlight:: console
+
+knsupdate – Dynamic DNS update utility
+======================================
+
+Synopsis
+--------
+
+:program:`knsupdate` [*options*] [*filename*]
+
+Description
+-----------
+
+This utility sends Dynamic DNS update messages to a DNS server. Update content
+is read from a file (if the parameter *filename* is given) or from the standard
+input.
+
+The format of updates is textual and is made up of commands. Every command is
+placed on the separate line of the input. Lines starting with a semicolon are
+comments and are not processed.
+
+Options
+.......
+
+**-d**
+ Enable debug messages.
+
+**-h**, **--help**
+ Print the program help.
+
+**-k** *keyfile*
+ Use the TSIG key stored in a file *keyfile* to authenticate the request. The
+ file should contain the key in the same format, which is accepted by the
+ **-y** option.
+
+**-p** *port*
+ Set the port to use for connections to the server (if not explicitly specified
+ in the update). The default is 53.
+
+**-r** *retries*
+ The number of retries for UDP requests. The default is 3.
+
+**-t** *timeout*
+ The total timeout (for all UDP update tries) of the update request in seconds.
+ The default is 12. If set to zero, the timeout is infinite.
+
+**-v**
+ Use a TCP connection.
+
+**-V**, **--version**
+ Print the program version.
+
+**-y** [*alg*:]\ *name*:*key*
+ Use the TSIG key with a name *name* to authenticate the request. The *alg*
+ part specifies the algorithm (the default is hmac-sha256) and *key* specifies
+ the shared secret encoded in Base64.
+
+Commands
+........
+
+**server** *name* [*port*]
+ Specifies a receiving server of the dynamic update message. The *name* parameter
+ can be either a host name or an IP address. If the *port* is not specified,
+ the default port is used. The default port value can be controlled using
+ the **-p** program option.
+
+**local** *address* [*port*]
+ Specifies outgoing *address* and *port*. If no local is specified, the
+ address and port are set by the system automatically. The default port number
+ is 0.
+
+**zone** *name*
+ Specifies that all updates are done within a zone *name*. If not used,
+ the default zone is the root zone.
+
+**origin** *name*
+ Specifies fully qualified domain name suffix which is appended to non-fqd
+ owners in update commands. The default origin is the root zone.
+
+**class** *name*
+ Sets *name* as the default class for all updates. If not used, the default
+ class is IN.
+
+**ttl** *value*
+ Sets *value* as the default TTL (in seconds). If not used, the default value
+ is 0.
+
+**key** [*alg*:]\ *name* *key*
+ Specifies the TSIG *key* named *name* to authenticate the request. An optional
+ *alg* algorithm can be specified. This command has the same effect as
+ the program option **-y**.
+
+[**prereq**] **nxdomain** *name*
+ Adds a prerequisite for a non-existing record owned by *name*.
+
+[**prereq**] **yxdomain** *name*
+ Adds a prerequisite for an existing record owned by *name*.
+
+[**prereq**] **nxrrset** *name* [*class*] *type*
+ Adds a prerequisite for a non-existing record of the *type* owned by *name*.
+ Internet *class* is expected.
+
+[**prereq**] **yxrrset** *name* [*class*] *type* [*data*]
+ Adds a prerequisite for an existing record of the *type* owned by *name*
+ with optional *data*. Internet *class* is expected.
+
+[**update**] **add** *name* [*ttl*] [*class*] *type* *data*
+ Adds a request to add a new resource record into the zone.
+ Please note that if the *name* is not fully qualified domain name, the
+ current origin name is appended to it.
+
+[**update**] **del**\[**ete**] *name* [*ttl*] [*class*] [*type*] [*data*]
+ Adds a request to remove all (or matching *class*, *type* or *data*)
+ resource records from the zone. There is the same requirement for the *name*
+ parameter as in **update add** command. The *ttl* item is ignored.
+
+**show**
+ Displays current content of the update message.
+
+**send**
+ Sends the current update message and cleans the list of updates.
+
+**answer**
+ Displays the last answer from the server.
+
+**debug**
+ Enable debugging. This command has the same meaning as the **-d** program option.
+
+**quit**
+ Quit the program.
+
+Notes
+-----
+
+Options **-k** and **-y** can not be used simultaneously.
+
+Dnssec-keygen keyfile format is not supported. Use :manpage:`keymgr(8)` instead.
+
+Zone name/server guessing is not supported if the zone name/server is not specified.
+
+Empty line doesn't send the update.
+
+Examples
+--------
+
+1. Send one update of the zone example.com to the server 192.168.1.1. The update
+ contains two new records::
+
+ $ knsupdate
+ > server 192.168.1.1
+ > zone example.com.
+ > origin example.com.
+ > ttl 3600
+ > add test1.example.com. 7200 A 192.168.2.2
+ > add test2 TXT "hello"
+ > show
+ > send
+ > answer
+ > quit
+
+See Also
+--------
+
+:manpage:`kdig(1)`, :manpage:`khost(1)`, :manpage:`keymgr(8)`.
diff --git a/doc/man_kzonecheck.rst b/doc/man_kzonecheck.rst
new file mode 100644
index 0000000..1858bca
--- /dev/null
+++ b/doc/man_kzonecheck.rst
@@ -0,0 +1,45 @@
+.. highlight:: console
+
+kzonecheck – Knot DNS zone file checking tool
+=============================================
+
+Synopsis
+--------
+
+:program:`kzonecheck` [*options*] *filename*
+
+Description
+-----------
+
+The utility checks zone file syntax and runs semantic checks on the zone
+content. The executed checks are the same as the checks run by the Knot
+DNS server.
+
+Please, refer to the ``semantic-checks`` configuration option in
+:manpage:`knot.conf(5)` for the full list of available semantic checks.
+
+Options
+.......
+
+**-o**, **--origin** *origin*
+ Zone origin. If not specified, the origin is determined from the file name
+ (possibly removing the ``.zone`` suffix).
+
+**-t**, **--time** *time*
+ Current time specification. Use UNIX timestamp, YYYYMMDDHHmmSS
+ format, or [+/-]\ *time*\ [unit] format, where unit can be **Y**, **M**,
+ **D**, **h**, **m**, or **s**. Default is current UNIX timestamp.
+
+**-v**, **--verbose**
+ Enable debug output.
+
+**-h**, **--help**
+ Print the program help.
+
+**-V**, **--version**
+ Print the program version.
+
+See Also
+--------
+
+:manpage:`knotd(8)`, :manpage:`knot.conf(5)`.
diff --git a/doc/migration.rst b/doc/migration.rst
new file mode 100644
index 0000000..30eb5b0
--- /dev/null
+++ b/doc/migration.rst
@@ -0,0 +1,146 @@
+.. highlight:: none
+.. _Migration:
+
+*********
+Migration
+*********
+
+.. _Upgrade 2.4.x to 2.5.x:
+
+Upgrade 2.4.x to 2.5.x
+======================
+
+This chapter describes some steps necessary after upgrading Knot DNS from
+version 2.4.x to 2.5.x.
+
+.. _Building changes:
+
+Building changes
+----------------
+
+The ``--enable-dnstap`` configure option now enables the dnstap support in
+kdig only! To build the dnstap query module, ``--with-module-dnstap`` have
+to be used.
+
+Since Knot DNS version 2.5.0 each query module can be configured to be:
+
+- disabled: ``--with-module-``\ MODULE_NAME\ ``=no``
+- embedded: ``--with-module-``\ MODULE_NAME\ ``=yes``
+- external: ``--with-module-``\ MODULE_NAME\ ``=shared`` (excluding
+ ``dnsproxy`` and ``onlinesign``)
+
+The ``--with-timer-mapsize`` configure option was replaced with the runtime
+:ref:`template_max-timer-db-size` configuration option.
+
+.. _KASP DB migration:
+
+KASP DB migration
+-----------------
+
+Knot DNS version 2.4.x and earlier uses JSON files to store DNSSEC keys metadata,
+one for each zone. 2.5.x versions store those in binary format in a LMDB, all zones
+together. The migration is possible with the
+`pykeymgr <https://gitlab.labs.nic.cz/knot/knot-dns/blob/2.6/src/utils/pykeymgr/pykeymgr.in>`_
+script::
+
+ $ pykeymgr -i path/to/keydir
+
+The path to KASP DB directory is configuration-dependent, usually it is the ``keys``
+subdirectory in the zone storage.
+
+In rare installations, the JSON files might be spread across more directories. In such
+case, it is necessary to put them together into one directory and migrate at once.
+
+.. _Configuration changes 2.5:
+
+Configuration changes
+---------------------
+
+It is no longer possible to configure KASP DB per zone or in a non-default
+template. Ensure just one common KASP DB configuration in the default
+template.
+
+As Knot DNS version 2.5.0 brings dynamically loaded modules, some modules
+were renamed for technical reasons. So it is necessary to rename all
+occurrences (module section names and references from zones or templates)
+of the following module names in the configuration::
+
+ mod-online-sign -> mod-onlinesign
+
+ mod-synth-record -> mod-synthrecord
+
+.. _Upgrade 2.5.x to 2.6.x:
+
+Upgrade 2.5.x to 2.6.x
+======================
+
+Upgrading from Knot DNS version 2.5.x to 2.6.x is almost seamless.
+
+.. _Configuration changes 2.6:
+
+Configuration changes
+---------------------
+
+The ``dsa`` and ``dsa-nsec3-sha1`` algorithm values are no longer supported
+by the :ref:`policy_algorithm` option.
+
+The ``ixfr-from-differences`` zone/template option was deprecated in favor of
+the :ref:`zone_zonefile-load` option.
+
+.. _Upgrade 2.6.x to 2.7.x:
+
+Upgrade 2.6.x to 2.7.x
+======================
+
+Upgrading from Knot DNS version 2.6.x to 2.7.x is seamless if no obsolete
+configuration or module rosedb is used.
+
+.. _Knot DNS for BIND users:
+
+Knot DNS for BIND users
+=======================
+
+.. _Automatic DNSSEC signing:
+
+Automatic DNSSEC signing
+------------------------
+
+Migrating automatically signed zones from BIND to Knot DNS requires copying
+up-to-date zone files from BIND, importing existing private keys, and updating
+server configuration:
+
+1. To obtain current content of the zone which is being migrated,
+ request BIND to flush the zone into the zone file: ``rndc flush
+ example.com``.
+
+ .. NOTE::
+ If dynamic updates (DDNS) are enabled for the given zone, you
+ might need to freeze the zone before flushing it. That can be done
+ similarly::
+
+ $ rndc freeze example.com
+
+2. Copy the fresh zone file into the zones :ref:`storage<zone_storage>`
+ directory of Knot DNS.
+
+3. Import all existing zone keys into the KASP database. Make sure that all
+ the keys were imported correctly::
+
+ $ keymgr example.com. import-bind path/to/Kexample.com.+013+11111
+ $ keymgr example.com. import-bind path/to/Kexample.com.+013+22222
+ $ ...
+ $ keymgr example.com. list
+
+ .. NOTE::
+ If the server configuration file or database is not at the default location,
+ add a configuration parameter (-c or -C).
+
+ .. NOTE::
+ The server can be run under a dedicated user account, usually ``knot``.
+ As the server requires read-write access to the KASP database, the
+ permissions must be set correctly. This can be achieved for instance by
+ executing all KASP database management commands under sudo::
+
+ $ sudo -u knot keymgr ...
+
+4. Follow :ref:`Automatic DNSSEC signing` steps to configure DNSSEC signing.
diff --git a/doc/modules.rst.in b/doc/modules.rst.in
new file mode 100644
index 0000000..727e9e0
--- /dev/null
+++ b/doc/modules.rst.in
@@ -0,0 +1,8 @@
+.. highlight:: none
+.. _Modules:
+
+*******
+Modules
+*******
+
+@DOC_MODULES@
diff --git a/doc/operation.rst b/doc/operation.rst
new file mode 100644
index 0000000..25cb964
--- /dev/null
+++ b/doc/operation.rst
@@ -0,0 +1,722 @@
+.. highlight:: console
+.. _Operation:
+
+*********
+Operation
+*********
+
+The Knot DNS server part ``knotd`` can run either in the foreground, or in the background
+using the ``-d`` option. When run in the foreground, it doesn't create a PID file.
+Other than that, there are no differences and you can control both the same way.
+
+The tool ``knotc`` is designed as a user front-end, making it easier to control running
+server daemon. If you want to control the daemon directly, use ``SIGINT`` to quit
+the process or ``SIGHUP`` to reload the configuration.
+
+If you pass neither configuration file (``-c`` parameter) nor configuration
+database (``-C`` parameter), the server will first attempt to use the default
+configuration database stored in ``/var/lib/knot/confdb`` or the
+default configuration file stored in ``/etc/knot/knot.conf``. Both the
+default paths can be reconfigured with ``--with-storage=path`` or
+``--with-configdir=path`` respectively.
+
+Example of server start as a daemon::
+
+ $ knotd -d -c knot.conf
+
+Example of server shutdown::
+
+ $ knotc -c knot.conf stop
+
+For a complete list of actions refer to the program help (``-h`` parameter)
+or to the corresponding manual page.
+
+Also, the server needs to create :ref:`server_rundir` and :ref:`zone_storage`
+directories in order to run properly.
+
+.. _Configuration database:
+
+Configuration database
+======================
+
+In the case of a huge configuration file, the configuration can be stored
+in a binary database. Such a database can be simply initialized::
+
+ $ knotc conf-init
+
+or preloaded from a file::
+
+ $ knotc conf-import input.conf
+
+Also the configuration database can be exported into a textual file::
+
+ $ knotc conf-export output.conf
+
+.. WARNING::
+ The import and export commands access the configuration database
+ directly, without any interaction with the server. So it is strictly
+ recommended to perform these operations when the server is not running.
+
+.. _Dynamic configuration:
+
+Dynamic configuration
+=====================
+
+The configuration database can be accessed using the server control interface
+while the server is running. To get the full power of the dynamic configuration,
+the server must be started with a specified configuration database location
+or with the default database initialized. Otherwise all the changes to the
+configuration will be temporary (until the server is stopped).
+
+.. NOTE::
+ The database can be :ref:`imported<Configuration database>` in advance.
+
+Most of the commands get an item name and value parameters. The item name is
+in the form of ``section[identifier].name``. If the item is multivalued,
+more values can be specified as individual (command line) arguments.
+
+.. CAUTION::
+ Beware of the possibility of pathname expansion by the shell. For this reason,
+ it is advisable to slash square brackets or to quote command parameters if
+ not executed in the interactive mode.
+
+To get the list of configuration sections or to get the list of section items::
+
+ $ knotc conf-list
+ $ knotc conf-list 'server'
+
+To get the whole configuration or to get the whole configuration section or
+to get all section identifiers or to get a specific configuration item::
+
+ $ knotc conf-read
+ $ knotc conf-read 'remote'
+ $ knotc conf-read 'zone.domain'
+ $ knotc conf-read 'zone[example.com].master'
+
+.. WARNING::
+ The following operations don't work on OpenBSD!
+
+Modifying operations require an active configuration database transaction.
+Just one transaction can be active at a time. Such a transaction then can
+be aborted or committed. A semantic check is executed automatically before
+every commit::
+
+ $ knotc conf-begin
+ $ knotc conf-abort
+ $ knotc conf-commit
+
+To set a configuration item value or to add more values or to add a new
+section identifier or to add a value to all identified sections::
+
+ $ knotc conf-set 'server.identity' 'Knot DNS'
+ $ knotc conf-set 'server.listen' '0.0.0.0@53' '::@53'
+ $ knotc conf-set 'zone[example.com]'
+ $ knotc conf-set 'zone.slave' 'slave2'
+
+.. NOTE::
+ Also the include operation can be performed. A non-absolute file
+ location is relative to the server binary path, not to the control binary
+ path!
+
+ ::
+
+ $ knotc conf-set 'include' '/tmp/new_zones.conf'
+
+To unset the whole configuration or to unset the whole configuration section
+or to unset an identified section or to unset an item or to unset a specific
+item value::
+
+ $ knotc conf-unset
+ $ knotc conf-unset 'zone'
+ $ knotc conf-unset 'zone[example.com]'
+ $ knotc conf-unset 'zone[example.com].master'
+ $ knotc conf-unset 'zone[example.com].master' 'remote2' 'remote5'
+
+To get the change between the current configuration and the active transaction
+for the whole configuration or for a specific section or for a specific
+identified section or for a specific item::
+
+ $ knotc conf-diff
+ $ knotc conf-diff 'zone'
+ $ knotc conf-diff 'zone[example.com]'
+ $ knotc conf-diff 'zone[example.com].master'
+
+An example of possible configuration initialization::
+
+ $ knotc conf-begin
+ $ knotc conf-set 'server.listen' '0.0.0.0@53' '::@53'
+ $ knotc conf-set 'remote[master_server]'
+ $ knotc conf-set 'remote[master_server].address' '192.168.1.1'
+ $ knotc conf-set 'template[default]'
+ $ knotc conf-set 'template[default].storage' '/var/lib/knot/zones/'
+ $ knotc conf-set 'template[default].master' 'master_server'
+ $ knotc conf-set 'zone[example.com]'
+ $ knotc conf-diff
+ $ knotc conf-commit
+
+.. _Running a slave server:
+
+Slave mode
+==========
+
+Running the server as a slave is very straightforward as you usually
+bootstrap zones over AXFR and thus avoid any manual zone operations.
+In contrast to AXFR, when the incremental transfer finishes, it stores
+the differences in the journal file and doesn't update the zone file
+immediately but after the :ref:`zone_zonefile-sync` period elapses.
+
+.. _Running a master server:
+
+Master mode
+===========
+
+If you just want to check the zone files before starting, you can use::
+
+ $ knotc zone-check example.com
+
+For an approximate estimation of server's memory consumption, you can use::
+
+ $ knotc zone-memstats example.com
+
+This action prints the count of resource records, percentage of signed
+records and finally estimation of memory consumption for each zone, unless
+specified otherwise. Please note that the estimated values may differ from the
+actual consumption. Also, for slave servers with incoming transfers
+enabled, be aware that the actual memory consumption might be double
+or higher during transfers.
+
+.. _Editing zones:
+
+Reading and editing zones
+=========================
+
+Knot DNS allows you to read or change zone contents online using server
+control interface.
+
+.. WARNING::
+ Avoid concurrent zone file modification, and/or dynamic updates, and/or
+ zone changing over control interface. Otherwise, the zone could be inconsistent.
+
+To get contents of all configured zones, or a specific zone contents, or zone
+records with a specific owner, or even with a specific record type::
+
+ $ knotc zone-read --
+ $ knotc zone-read example.com
+ $ knotc zone-read example.com ns1
+ $ knotc zone-read example.com ns1 NS
+
+.. NOTE::
+ If the record owner is not a fully qualified domain name, then it is
+ considered as a relative name to the zone name.
+
+To start a writing transaction on all zones or on specific zones::
+
+ $ knotc zone-begin --
+ $ knotc zone-begin example.com example.net
+
+Now you can list all nodes within the transaction using the ```zone-get```
+command, which always returns current data with all changes included. The
+command has the same syntax as ```zone-read```.
+
+Within the transaction, you can add a record to a specific zone or to all
+zones with an open transaction::
+
+ $ knotc zone-set example.com ns1 3600 A 192.168.0.1
+ $ knotc zone-set -- ns1 3600 A 192.168.0.1
+
+To remove all records with a specific owner, or a specific rrset, or a
+specific record data::
+
+ $ knotc zone-unset example.com ns1
+ $ knotc zone-unset example.com ns1 A
+ $ knotc zone-unset example.com ns1 A 192.168.0.2
+
+To see the difference between the original zone and the current version::
+
+ $ knotc zone-diff example.com
+
+Finally, either commit or abort your transaction::
+
+ $ knotc zone-commit example.com
+ $ knotc zone-abort example.com
+
+A full example of setting up a completely new zone from scratch::
+
+ $ knotc conf-begin
+ $ knotc conf-set zone.domain example.com
+ $ knotc conf-commit
+ $ knotc zone-begin example.com
+ $ knotc zone-set example.com @ 7200 SOA ns hostmaster 1 86400 900 691200 3600
+ $ knotc zone-set example.com ns 3600 A 192.168.0.1
+ $ knotc zone-set example.com www 3600 A 192.168.0.100
+ $ knotc zone-commit example.com
+
+.. NOTE::
+ If quotes are necessary for record data specification, don't forget to escape them::
+
+ $ knotc zone-set example.com @ 3600 TXT \"v=spf1 a:mail.example.com -all\"
+
+.. _Editing zone file:
+
+Reading and editing the zone file safely
+========================================
+
+It's always possible to read and edit the zone contents via zone file manipulation.
+However, it may lead to confusion if zone contents are continuously changing or
+in case of operator's mistake. This paragraph describes a safe way to modify zone
+by editing the zone file, taking advantage of zone freeze/thaw feature.::
+
+ $ knotc zone-freeze example.com.
+ $ while ! knotc zone-status example.com. +freeze | grep -q 'freeze: yes'; do sleep 1; done
+ $ knotc zone-flush example.com.
+
+After calling freeze to the zone, there still may be running zone operations (e.g. signing),
+causing freeze pending. So we watch the zone status until frozen. Then we can flush the
+frozen zone contents.
+
+Now we open a text editor and perform desired changes to the zone file. It's necessary
+to **increase SOA serial** in this step to keep consistency. Finally, we can load the
+modified zone file and if successful, thaw the zone.::
+
+ $ knotc zone-reload example.com.
+ $ knotc zone-thaw example.com.
+
+.. _Zone loading:
+
+Zone loading
+============
+
+The process how the server loads a zone is influenced by the configuration of the
+:ref:`zonefile-load <zone_zonefile-load>` and :ref:`journal-content <zone_journal-content>`
+parameters (also DNSSEC signing applies), the existence of a zone file and journal
+(and their relative out-of-dateness), and whether it is a cold start of the server
+or a zone reload (e.g. invoked by the knotc interface). Please note that zone transfers
+are not taken into account here – they are planned after the zone is loaded
+(including AXFR bootstrap).
+
+If the zone file exists and is not excluded by the configuration, it is first loaded
+and according to its SOA serial number relevant journal changesets are applied.
+If this is a zone reload and we have "`zonefile-load: difference`", the difference
+between old and new contents is computed and stored into the journal like an update.
+The zone file should be either unchaged since last load or changed with incremented
+SOA serial. In the case of a decreased SOA serial, the load is interrupted with
+an error; if unchanged, it is increased by the server.
+
+If the procedure described above succeeds without errors, the resulting zone contents are (after potential DNSSEC signing)
+used as the new zone.
+
+The option "`journal-content: all`" lets the server, beside better performance, to keep
+track of the zone contents also across server restarts. It makes the cold start
+effectively work like a zone reload with the old contents loaded from the journal
+(unless this is the very first start with the zone not yet saved into the journal).
+
+.. _Journal behaviour:
+
+Journal behaviour
+=================
+
+The zone journal keeps some history of changes made to the zone. It is useful for
+responding to IXFR queries. Also if :ref:`zone file flush <zone_zonefile-sync>` is disabled,
+journal keeps diff between the zone file and zone for the case of server shutdown.
+The history is stored in changesets – diffs of zone contents between two
+(usually subsequent) zone serials.
+
+Journals of all zones are stored in a common LMDB database. Huge changesets are
+split into 70 KiB [#fn-hc]_ blocks to prevent fragmentation of the DB.
+Journal does each operation in one transaction to keep consistency of the DB and performance.
+The exception is when store transaction exceeds 5 % of the whole DB mapsize, it is split into multiple ones
+and some dirty-chunks-management involves.
+
+Each zone journal has own :ref:`usage limit <zone_max-journal-usage>`
+on how much DB space it may occupy. Before hitting the limit,
+changesets are stored one-by-one and whole history is linear. While hitting the limit,
+the zone is flushed into the zone file, and oldest changesets are deleted as needed to free
+some space. Actually, twice [#fn-hc]_ the needed amount is deleted to
+prevent too frequent deletes. Further zone file flush is invoked after the journal runs out of deletable
+"flushed changesets".
+
+If :ref:`zone file flush <zone_zonefile-sync>` is disabled, then instead of flushing the zone, the journal tries to
+save space by merging older changesets into one. It works well if the changes rewrite
+each other, e.g. periodically changing few zone records, re-signing whole zone...
+The difference between the zone file and the zone is thus preserved, even if journal deletes some
+older changesets.
+
+If the journal is used to store both zone history and contents, a special changeset
+is present with zone contents. When the journal gets full, the changes are merged into this
+special changeset.
+
+There is also a :ref:`safety hard limit <template_max-journal-db-size>` for overall
+journal database size, but it's strongly recommended to set the per-zone limits in
+a way to prevent hitting this one. For LMDB, it's hard to recover from the
+database-full state. For wiping one zone's journal, see *knotc zone-purge +journal*
+command.
+
+.. [#fn-hc] This constant is hardcoded.
+
+.. _Handling, zone file, journal, changes, serials:
+
+Handling zone file, journal, changes, serials
+=============================================
+
+Some configuration options regarding the zone file and journal, together with operation
+procedures, might lead to unexpected results. This chapter shall point out
+some interference and both recommend and warn before some combinations thereof.
+Unfortunately, there is no optimal combination of configuration options,
+every approach has some disadvantages.
+
+Example 1
+---------
+
+Keep the zone file updated::
+
+ zonefile-sync: 0
+ zonefile-load: whole
+ journal-content: changes
+
+This is actually setting default values. The user can always check the current zone
+contents in the zonei file, and also modify it (recommended with server turned-off or
+taking the :ref:`safe way<Editing zone file>`). Journal serves here just as a source of
+history for slaves' IXFR. Some users dislike that the server overwrites their prettily
+prepared zone file.
+
+Example 2
+---------
+
+Zonefileless setup::
+
+ zonefile-sync: -1
+ zonefile-load: none
+ journal-content: all
+
+Zone contents are stored just in the journal. The zone is updated by DDNS,
+zone transfer, or via the control interface. The user might have filled the
+zone contents initially from a zone file by setting "zonefile-load: whole" temporarily.
+It's also a good setup for slaves. Anyway, it's recommended to carefully tune
+the journal-size-related options to avoid surprises of journal getting full.
+
+Example 3
+---------
+
+Input-only zone file::
+
+ zonefile-sync: -1
+ zonefile-load: difference
+ journal-content: changes
+
+The user can make changes to the zone by editing the zone file, and his pretty zone file
+gets never overwritten and filled with DNSSEC-related autogenerated records – they are
+only stored in the journal.
+
+The zone file's SOA serial must be properly set to a number which is higher than the
+current SOA serial in the zone (not in the zone file) if manually updated!
+
+.. NOTE::
+ In the case of "zonefile-load: difference-no-serial", the SOA serial is
+ handled by the server automatically during server reload.
+
+.. _DNSSEC Key rollovers:
+
+DNSSEC key rollovers
+====================
+
+This section describes the process of DNSSEC key rollover and its implementation
+in Knot DNS, and how the operator might watch and check that it's working correctly.
+The prerequisite is automatic zone signing with enabled
+:ref:`automatic key management<dnssec-automatic-ksk-management>`.
+
+The KSK and ZSK rollovers are triggered by the respective zone key getting old according
+to the settings (see :ref:`KSK<policy_ksk-lifetime>` and :ref:`ZSK<policy_zsk-lifetime>` lifetimes).
+
+The algorithm rollover happens when the policy :ref:`algorithm<policy_algorithm>`
+field is updated to a different value.
+
+The signing scheme rollover happens when the policy :ref:`singing scheme<policy_single-type-signing>`
+field is changed.
+
+It's also possible to change the algorithm and signing scheme in one rollover.
+
+The operator may check the next rollover phase time by watching the next zone signing time,
+either in the log or via ``knotc zone-status``. There is no special log for finishing a rollover.
+
+.. NOTE::
+ There are never two key rollovers running in parallel for one zone. If
+ a rollover is triggered while another is in progress, it waits until the
+ first one is finished.
+
+The ZSK rollover is performed with Pre-publish method, KSK rollover uses Double-Signature
+scheme, as described in :rfc:`6781`.
+
+.. _DNSSEC KSK rollover example:
+
+KSK rollover example
+--------------------
+
+Let's start with the following set of keys::
+
+ 2017-10-24T15:40:48 info: [example.com.] DNSSEC, key, tag 4700, algorithm RSASHA256, KSK, public, active
+ 2017-10-24T15:40:48 info: [example.com.] DNSSEC, key, tag 30936, algorithm RSASHA256, public, active
+
+The last fields hint the key state: ``public`` denotes a key that will be presented
+as the DNSKEY record, ``ready`` means that CDS/CDNSKEY records were created,
+``active`` tells us if the key is used for signing.
+
+Upon the zone's KSK lifetime expiration, the rollover continues along the
+lines of :rfc:`6781#section-4.1.2`::
+
+ 2017-10-24T15:41:17 info: [example.com.] DNSSEC, signing zone
+ 2017-10-24T15:41:18 info: [example.com.] DNSSEC, KSK rollover started
+ 2017-10-24T15:41:18 info: [example.com.] DNSSEC, key, tag 6674, algorithm RSASHA256, KSK, public
+ 2017-10-24T15:41:18 info: [example.com.] DNSSEC, key, tag 4700, algorithm RSASHA256, KSK, public, active
+ 2017-10-24T15:41:18 info: [example.com.] DNSSEC, key, tag 30936, algorithm RSASHA256, public, active
+ 2017-10-24T15:41:18 info: [example.com.] DNSSEC, signing started
+ 2017-10-24T15:41:18 info: [example.com.] DNSSEC, successfully signed
+ 2017-10-24T15:41:18 info: [example.com.] DNSSEC, next signing at 2017-10-24T15:41:22
+ ...
+ 2017-10-24T15:41:22 info: [example.com.] DNSSEC, signing zone
+ 2017-10-24T15:41:22 info: [example.com.] DNSSEC, key, tag 4700, algorithm RSASHA256, KSK, public, active
+ 2017-10-24T15:41:22 info: [example.com.] DNSSEC, key, tag 6674, algorithm RSASHA256, KSK, public, ready, active
+ 2017-10-24T15:41:22 info: [example.com.] DNSSEC, key, tag 30936, algorithm RSASHA256, public, active
+ 2017-10-24T15:41:22 info: [example.com.] DNSSEC, signing started
+ 2017-10-24T15:41:22 info: [example.com.] DNSSEC, successfully signed
+ 2017-10-24T15:41:22 info: [example.com.] DNSSEC, next signing at 2017-10-24T15:41:23
+ 2017-10-24T15:41:22 notice: [example.com.] DNSSEC, KSK submission, waiting for confirmation
+
+At this point new KSK has to be submitted to the parent zone. Knot detects the updated parent's DS
+record automatically (and waits for additional period of the DS's TTL before retiring the old key)
+if :ref:`parent DS check<Submission section>` is configured, otherwise the
+operator must confirm it manually with ``knotc zone-ksk-submitted``::
+
+ 2017-10-24T15:41:23 notice: [example.com.] DNSSEC, KSK submission, confirmed
+ 2017-10-24T15:41:23 info: [example.com.] DNSSEC, signing zone
+ 2017-10-24T15:41:23 info: [example.com.] DNSSEC, key, tag 6674, algorithm RSASHA256, KSK, public, active
+ 2017-10-24T15:41:23 info: [example.com.] DNSSEC, key, tag 4700, algorithm RSASHA256, KSK, public, active
+ 2017-10-24T15:41:23 info: [example.com.] DNSSEC, key, tag 30936, algorithm RSASHA256, public, active
+ 2017-10-24T15:41:23 info: [example.com.] DNSSEC, signing started
+ 2017-10-24T15:41:23 info: [example.com.] DNSSEC, zone is up-to-date
+ 2017-10-24T15:41:23 info: [example.com.] DNSSEC, next signing at 2017-10-24T15:41:28
+ ...
+ 2017-10-24T15:41:28 info: [example.com.] DNSSEC, signing zone
+ 2017-10-24T15:41:28 info: [example.com.] DNSSEC, key, tag 4700, algorithm RSASHA256, KSK, public
+ 2017-10-24T15:41:28 info: [example.com.] DNSSEC, key, tag 6674, algorithm RSASHA256, KSK, public, active
+ 2017-10-24T15:41:28 info: [example.com.] DNSSEC, key, tag 30936, algorithm RSASHA256, public, active
+ 2017-10-24T15:41:28 info: [example.com.] DNSSEC, signing started
+ 2017-10-24T15:41:28 info: [example.com.] DNSSEC, successfully signed
+ 2017-10-24T15:41:28 info: [example.com.] DNSSEC, next signing at 2017-10-24T15:41:33
+ ...
+ 2017-10-24T15:41:33 info: [example.com.] DNSSEC, signing zone
+ 2017-10-24T15:41:33 info: [example.com.] DNSSEC, key, tag 6674, algorithm RSASHA256, KSK, public, active
+ 2017-10-24T15:41:33 info: [example.com.] DNSSEC, key, tag 30936, algorithm RSASHA256, public, active
+ 2017-10-24T15:41:33 info: [example.com.] DNSSEC, signing started
+ 2017-10-24T15:41:33 info: [example.com.] DNSSEC, successfully signed
+ 2017-10-24T15:41:33 info: [example.com.] DNSSEC, next signing at 2017-10-24T15:41:47
+
+.. TIP::
+ If systemd is available, the KSK submission event is logged into journald
+ in a structured way. The intended use case is to trigger a user-created script.
+ Example::
+
+ journalctl -f -t knotd -o json | python3 -c '
+ import json, sys
+ for line in sys.stdin:
+ k = json.loads(line);
+ if "KEY_SUBMISSION" in k:
+ print("%s, zone=%s, keytag=%s" % (k["__REALTIME_TIMESTAMP"], k["ZONE"], k["KEY_SUBMISSION"]))
+ '
+
+Algorithm rollover example
+--------------------------
+
+Let's start with the following set of keys::
+
+ 2017-10-24T14:53:06 info: [example.com.] DNSSEC, key, tag 65225, algorithm RSASHA256, KSK, public, active
+ 2017-10-24T14:53:06 info: [example.com.] DNSSEC, key, tag 47014, algorithm RSASHA256, public, active
+
+When the zone's DNSSEC policy algorithm is changed to ``ECDSAP256SHA256`` and the
+server is reloaded, the rollover continues along the lines of :rfc:`6781#section-4.1.4`::
+
+ 2017-10-24T14:53:26 info: [example.com.] DNSSEC, algorithm rollover started
+ 2017-10-24T14:53:26 info: [example.com.] DNSSEC, key, tag 34608, algorithm ECDSAP256SHA256, KSK
+ 2017-10-24T14:53:26 info: [example.com.] DNSSEC, key, tag 13674, algorithm ECDSAP256SHA256, active
+ 2017-10-24T14:53:26 info: [example.com.] DNSSEC, key, tag 65225, algorithm RSASHA256, KSK, public, active
+ 2017-10-24T14:53:26 info: [example.com.] DNSSEC, key, tag 47014, algorithm RSASHA256, public, active
+ 2017-10-24T14:53:26 info: [example.com.] DNSSEC, signing started
+ 2017-10-24T14:53:26 info: [example.com.] DNSSEC, successfully signed
+ 2017-10-24T14:53:26 info: [example.com.] DNSSEC, next signing at 2017-10-24T14:53:34
+ ...
+ 2017-10-24T14:53:34 info: [example.com.] DNSSEC, signing zone
+ 2017-10-24T14:53:34 info: [example.com.] DNSSEC, key, tag 34608, algorithm ECDSAP256SHA256, KSK, public, active
+ 2017-10-24T14:53:34 info: [example.com.] DNSSEC, key, tag 13674, algorithm ECDSAP256SHA256, public, active
+ 2017-10-24T14:53:34 info: [example.com.] DNSSEC, key, tag 65225, algorithm RSASHA256, KSK, public, active
+ 2017-10-24T14:53:34 info: [example.com.] DNSSEC, key, tag 47014, algorithm RSASHA256, public, active
+ 2017-10-24T14:53:34 info: [example.com.] DNSSEC, signing started
+ 2017-10-24T14:53:34 info: [example.com.] DNSSEC, successfully signed
+ 2017-10-24T14:53:34 info: [example.com.] DNSSEC, next signing at 2017-10-24T14:53:44
+ ...
+ 2017-10-24T14:53:44 info: [example.com.] DNSSEC, signing zone
+ 2017-10-24T14:53:44 info: [example.com.] DNSSEC, key, tag 34608, algorithm ECDSAP256SHA256, KSK, public, ready, active
+ 2017-10-24T14:53:44 info: [example.com.] DNSSEC, key, tag 13674, algorithm ECDSAP256SHA256, public, active
+ 2017-10-24T14:53:44 info: [example.com.] DNSSEC, key, tag 65225, algorithm RSASHA256, KSK, public, active
+ 2017-10-24T14:53:44 info: [example.com.] DNSSEC, key, tag 47014, algorithm RSASHA256, public, active
+ 2017-10-24T14:53:44 info: [example.com.] DNSSEC, signing started
+ 2017-10-24T14:53:44 info: [example.com.] DNSSEC, successfully signed
+ 2017-10-24T14:53:44 info: [example.com.] DNSSEC, next signing at 2017-10-31T13:52:37
+ 2017-10-24T14:53:44 notice: [example.com.] DNSSEC, KSK submission, waiting for confirmation
+
+Again, KSK submission follows as in :ref:`KSK rollover example<DNSSEC ksk rollover example>`::
+
+ 2017-10-24T14:54:20 notice: [example.com.] DNSSEC, KSK submission, confirmed
+ 2017-10-24T14:54:20 info: [example.com.] DNSSEC, signing zone
+ 2017-10-24T14:54:20 info: [example.com.] DNSSEC, key, tag 34608, algorithm ECDSAP256SHA256, KSK, public, active
+ 2017-10-24T14:54:20 info: [example.com.] DNSSEC, key, tag 13674, algorithm ECDSAP256SHA256, public, active
+ 2017-10-24T14:54:20 info: [example.com.] DNSSEC, key, tag 65225, algorithm RSASHA256, KSK, public, active
+ 2017-10-24T14:54:20 info: [example.com.] DNSSEC, key, tag 47014, algorithm RSASHA256, public, active
+ 2017-10-24T14:54:20 info: [example.com.] DNSSEC, signing started
+ 2017-10-24T14:54:21 info: [example.com.] DNSSEC, zone is up-to-date
+ 2017-10-24T14:54:21 info: [example.com.] DNSSEC, next signing at 2017-10-24T14:54:30
+ ...
+ 2017-10-24T14:54:30 info: [example.com.] DNSSEC, signing zone
+ 2017-10-24T14:54:30 info: [example.com.] DNSSEC, key, tag 34608, algorithm ECDSAP256SHA256, KSK, public, active
+ 2017-10-24T14:54:30 info: [example.com.] DNSSEC, key, tag 13674, algorithm ECDSAP256SHA256, public, active
+ 2017-10-24T14:54:30 info: [example.com.] DNSSEC, key, tag 65225, algorithm RSASHA256, KSK
+ 2017-10-24T14:54:30 info: [example.com.] DNSSEC, key, tag 47014, algorithm RSASHA256, active
+ 2017-10-24T14:54:30 info: [example.com.] DNSSEC, signing started
+ 2017-10-24T14:54:30 info: [example.com.] DNSSEC, successfully signed
+ 2017-10-24T14:54:30 info: [example.com.] DNSSEC, next signing at 2017-10-24T14:54:40
+ ...
+ 2017-10-24T14:54:40 info: [example.com.] DNSSEC, signing zone
+ 2017-10-24T14:54:40 info: [example.com.] DNSSEC, key, tag 34608, algorithm ECDSAP256SHA256, KSK, public, active
+ 2017-10-24T14:54:40 info: [example.com.] DNSSEC, key, tag 13674, algorithm ECDSAP256SHA256, public, active
+ 2017-10-24T14:54:40 info: [example.com.] DNSSEC, signing started
+ 2017-10-24T14:54:40 info: [example.com.] DNSSEC, successfully signed
+ 2017-10-24T14:54:40 info: [example.com.] DNSSEC, next signing at 2017-10-31T13:53:26
+
+.. _DNSSEC Shared KSK:
+
+DNSSEC shared KSK
+=================
+
+Knot DNS allows, with automatic DNSSEC key management, to configure a shared KSK for multiple zones.
+By enabling :ref:`policy_ksk-shared`, we tell Knot to share all newly-created KSKs
+among all the zones with the same :ref:`DNSSEC signing policy<Policy section>` assigned.
+
+The feature works as follows. Each zone still manages its keys separately. If a new KSK shall be
+generated for the zone, it first checks if it can grab another zone's shared KSK instead -
+that is the last generated KSK in any of the zones with the same policy assigned.
+Anyway, only the cryptographic material is shared, the key may have different timers
+in each zone.
+
+.. rubric:: Consequences:
+
+If we have an initial setting with brand new zones without any DNSSEC keys,
+the initial keys for all zones are generated. With shared KSK, they will all have the same KSK,
+but different ZSKs. The KSK rollovers may take place at slightly different time for each of the zones,
+but the resulting new KSK will be shared again among all of them.
+
+If we have zones already having their keys, turning on the shared KSK feature triggers no action.
+But when a KSK rollover takes place, they will use the same new key afterwards.
+
+.. _DNSSEC Delete algorithm:
+
+DNSSEC delete algorithm
+=======================
+
+This is a way how to "disconnect" a signed zone from DNSSEC-aware parent zone.
+More precisely, we tell the parent zone to remove our zone's DS record by
+publishing a special formatted CDNSKEY and CDS record. This is mostly useful
+if we want to turn off DNSSEC on our zone so it becomes insecure, but not bogus.
+
+With automatic DNSSEC signing and key management by Knot, this is as easy as
+configuring :ref:`policy_cds-cdnskey-publish` option and reloading the configuration.
+We check if the special CDNSKEY and CDS records with the rdata "0 3 0 AA==" and "0 0 0 00",
+respectively, appeared in the zone.
+
+After the parent zone notices and reflects the change, we wait for TTL expire
+(so all resolvers' caches get updated), and finally we may do anything with the
+zone, e.g. turning off DNSSEC, removing all the keys and signatures as desired.
+
+.. _DNSSEC Export Import KASP DB:
+
+Export/import KASP DB
+======================
+
+If you would like make a backup of your KASP DB or transfer your cryptographic
+keys to a different server,
+you may utilize the ``mdb_dump`` and ``mdb_load`` tools provided by the
+`lmdb-utils <https://packages.ubuntu.com/bionic/lmdb-utils>`_
+package on Ubuntu and Debian or by the `lmdb <https://rpms.remirepo.net/rpmphp/zoom.php?rpm=lmdb>`_
+package on Fedora, CentOS and RHEL.
+These tools allow you to convert the contents of any LMDB database to a portable plain text format
+which can be imported to any other LMDB database. Note that the `keys` subdirectory of the
+:ref:`template_kasp-db` directory containing the \*.pem files has to be copied separately.
+
+.. NOTE::
+ Make sure to freeze DNSSEC events on a running server prior to applying the following
+ commands to its KASP DB. Use the ``knotc zone-freeze`` and ``knotc zone-thaw`` commands
+ as described in :ref:`Editing zone file`.
+
+Use the ``mdb_dump -a`` command with the configured :ref:`template_kasp-db` directory
+as an argument to convert the contents of the LMDB database to a portable text format:
+
+.. code-block:: console
+
+ $ mdb_dump -a /path/to/keys
+
+Save the output of the command to a text file. You may then import the file
+into a different LMDB database using the ``mdb_load -f`` command, supplying the path
+to the file and the path to the database directory as arguments:
+
+.. code-block:: console
+
+ $ mdb_load -f /path/to/dump_file /path/to/keys
+
+.. NOTE::
+ Depending on your use case, it might be necessary to call ``knotc zone-sign``
+ (e.g. to immediately sign the zones with the new imported keys) or ``knotc zone-reload``
+ (e.g. to refresh DNSSEC signatures generated by the :ref:`geoip module<mod-geoip>`)
+ after importing new content into the KASP DB of a running server.
+
+.. _Controlling running daemon:
+
+Daemon controls
+===============
+
+Knot DNS was designed to allow server reconfiguration on-the-fly
+without interrupting its operation. Thus it is possible to change
+both configuration and zone files and also add or remove zones without
+restarting the server. This can be done with::
+
+ $ knotc reload
+
+If you want to refresh the slave zones, you can do this with::
+
+ $ knotc zone-refresh
+
+.. _Statistics:
+
+Statistics
+==========
+
+The server provides some general statistics and optional query module statistics
+(see :ref:`mod-stats<mod-stats>`).
+
+Server statistics or global module statistics can be shown by::
+
+ $ knotc stats
+ $ knotc stats server # Show all server counters
+ $ knotc stats mod-stats # Show all mod-stats counters
+ $ knotc stats server.zone-count # Show specific server counter
+
+Per zone statistics can be shown by::
+
+ $ knotc zone-stats example.com mod-stats
+
+To show all supported counters even with 0 value use the force option.
+
+A simple periodic statistic dumping to a YAML file can also be enabled. See
+:ref:`statistics_section` for the configuration details.
+
+As the statistics data can be accessed over the server control socket,
+it is possible to create an arbitrary script (Python is supported at the moment)
+which could, for example, publish the data in the JSON format via HTTP(S)
+or upload the data to a more efficient time series database. Take a look into
+the python folder of the project for these scripts.
diff --git a/doc/reference.rst b/doc/reference.rst
new file mode 100644
index 0000000..93bca65
--- /dev/null
+++ b/doc/reference.rst
@@ -0,0 +1,1558 @@
+.. highlight:: none
+.. _Configuration Reference:
+
+***********************
+Configuration Reference
+***********************
+
+.. _Description:
+
+Description
+===========
+
+Configuration files for Knot DNS use simplified YAML format. Simplified means
+that not all of the features are supported.
+
+For the description of configuration items, we have to declare a meaning of
+the following symbols:
+
+- *INT* – Integer
+- *STR* – Textual string
+- *HEXSTR* – Hexadecimal string (with ``0x`` prefix)
+- *BOOL* – Boolean value (``on``/``off`` or ``true``/``false``)
+- *TIME* – Number of seconds, an integer with possible time multiplier suffix
+ (``s`` ~ 1, ``m`` ~ 60, ``h`` ~ 3600 or ``d`` ~ 24 * 3600)
+- *SIZE* – Number of bytes, an integer with possible size multiplier suffix
+ (``B`` ~ 1, ``K`` ~ 1024, ``M`` ~ 1024^2 or ``G`` ~ 1024^3)
+- *BASE64* – Base64 encoded string
+- *ADDR* – IPv4 or IPv6 address
+- *DNAME* – Domain name
+- ... – Multi-valued item, order of the values is preserved
+- [ ] – Optional value
+- \| – Choice
+
+There are 12 main sections (``module``, ``server``, ``control``, ``log``,
+``statistics``, ``keystore``, ``policy``, ``key``, ``acl``, ``remote``,
+``template``, and ``zone``) and module sections with the ``mod-`` prefix.
+Most of the sections (excluding ``server``, ``control``, and ``statistics``)
+are sequences of settings blocks. Each settings block begins with a unique identifier,
+which can be used as a reference from other sections (such identifier
+must be defined in advance).
+
+A multi-valued item can be specified either as a YAML sequence::
+
+ address: [10.0.0.1, 10.0.0.2]
+
+or as more single-valued items each on an extra line::
+
+ address: 10.0.0.1
+ address: 10.0.0.2
+
+If an item value contains spaces or other special characters, it is necessary
+to enclose such value within double quotes ``"`` ``"``.
+
+.. _Comments:
+
+Comments
+========
+
+A comment begins with a ``#`` character and is ignored during processing.
+Also each configuration section or sequence block allows a permanent
+comment using the ``comment`` item which is stored in the server beside the
+configuration.
+
+.. _Includes:
+
+Includes
+========
+
+Another configuration file or files, matching a pattern, can be included at
+the top level in the current file. If the path is not absolute, then it
+is considered to be relative to the current file. The pattern can be
+an arbitrary string meeting POSIX *glob* requirements, e.g. dir/\*.conf.
+Matching files are processed in sorted order.
+
+::
+
+ include: STR
+
+.. _Module section:
+
+Module section
+==============
+
+Dynamic modules loading configuration.
+
+.. NOTE::
+ If configured with non-empty ```--with-moduledir=path``` parameter, all
+ shared modules in this directory will be automatically loaded.
+
+::
+
+ module:
+ - id: STR
+ file: STR
+
+.. _module_id:
+
+id
+--
+
+A module identifier in the form of the ``mod-`` prefix and module name suffix.
+
+.. _module_file:
+
+file
+----
+
+A path to a shared library file with the module implementation.
+
+*Default:* ``${libdir}/knot/modules-${version}``/module_name.so
+(or ``${path}``/module_name.so if configured with ``--with-moduledir=path``)
+
+.. WARNING::
+ If the path is not absolute, the library is searched in the set of
+ system directories. See ``man dlopen`` for more details.
+
+.. _Server section:
+
+Server section
+==============
+
+General options related to the server.
+
+::
+
+ server:
+ identity: [STR]
+ version: [STR]
+ nsid: [STR|HEXSTR]
+ rundir: STR
+ user: STR[:STR]
+ pidfile: STR
+ udp-workers: INT
+ tcp-workers: INT
+ background-workers: INT
+ async-start: BOOL
+ tcp-handshake-timeout: TIME
+ tcp-idle-timeout: TIME
+ tcp-reply-timeout: TIME
+ max-tcp-clients: INT
+ max-udp-payload: SIZE
+ max-ipv4-udp-payload: SIZE
+ max-ipv6-udp-payload: SIZE
+ edns-client-subnet: BOOL
+ answer-rotation: BOOL
+ listen: ADDR[@INT] ...
+
+.. _server_identity:
+
+identity
+--------
+
+An identity of the server returned in the response to the query for TXT
+record ``id.server.`` or ``hostname.bind.`` in the CHAOS class (:rfc:`4892`).
+Set empty value to disable.
+
+*Default:* FQDN hostname
+
+.. _server_version:
+
+version
+-------
+
+A version of the server software returned in the response to the query
+for TXT record ``version.server.`` or ``version.bind.`` in the CHAOS
+class (:rfc:`4892`). Set empty value to disable.
+
+*Default:* server version
+
+.. _server_nsid:
+
+nsid
+----
+
+A DNS name server identifier (:rfc:`5001`). Set empty value to disable.
+
+*Default:* FQDN hostname
+
+.. _server_rundir:
+
+rundir
+------
+
+A path for storing run-time data (PID file, unix sockets, etc.).
+
+*Default:* ``${localstatedir}/run/knot`` (configured with ``--with-rundir=path``)
+
+.. _server_user:
+
+user
+----
+
+A system user with an optional system group (``user:group``) under which the
+server is run after starting and binding to interfaces. Linux capabilities
+are employed if supported.
+
+*Default:* root:root
+
+.. _server_pidfile:
+
+pidfile
+-------
+
+A PID file location.
+
+*Default:* :ref:`rundir<server_rundir>`/knot.pid
+
+.. _server_udp-workers:
+
+udp-workers
+-----------
+
+A number of UDP workers (threads) used to process incoming queries
+over UDP.
+
+*Default:* auto-estimated optimal value based on the number of online CPUs
+
+.. _server_tcp-workers:
+
+tcp-workers
+-----------
+
+A number of TCP workers (threads) used to process incoming queries
+over TCP.
+
+*Default:* auto-estimated optimal value based on the number of online CPUs
+
+.. _server_background-workers:
+
+background-workers
+------------------
+
+A number of workers (threads) used to execute background operations (zone
+loading, zone updates, etc.).
+
+*Default:* auto-estimated optimal value based on the number of online CPUs
+
+.. _server_async-start:
+
+async-start
+-----------
+
+If enabled, server doesn't wait for the zones to be loaded and starts
+responding immediately with SERVFAIL answers until the zone loads.
+
+*Default:* off
+
+.. _server_tcp-handshake-timeout:
+
+tcp-handshake-timeout
+---------------------
+
+Maximum time between newly accepted TCP connection and the first query.
+This is useful to disconnect inactive connections faster than connections
+that already made at least 1 meaningful query.
+
+*Default:* 5
+
+.. _server_tcp-idle-timeout:
+
+tcp-idle-timeout
+----------------
+
+Maximum idle time between requests on a TCP connection. This also limits
+receiving of a single query, each query must be received in this time limit.
+
+*Default:* 20
+
+.. _server_tcp-reply-timeout:
+
+tcp-reply-timeout
+-----------------
+
+Maximum time to wait for an outgoing connection or for a reply to an issued
+request (SOA, NOTIFY, AXFR...).
+
+*Default:* 10
+
+.. _server_max-tcp-clients:
+
+max-tcp-clients
+---------------
+
+A maximum number of TCP clients connected in parallel, set this below the file
+descriptor limit to avoid resource exhaustion.
+
+*Default:* 100
+
+.. _server_max-udp-payload:
+
+max-udp-payload
+---------------
+
+Maximum EDNS0 UDP payload size default for both IPv4 and IPv6.
+
+*Default:* 4096
+
+.. _server_max-ipv4-udp-payload:
+
+max-ipv4-udp-payload
+--------------------
+
+Maximum EDNS0 UDP payload size for IPv4.
+
+*Default:* 4096
+
+.. _server_max-ipv6-udp-payload:
+
+max-ipv6-udp-payload
+--------------------
+
+Maximum EDNS0 UDP payload size for IPv6.
+
+*Default:* 4096
+
+.. _server_edns-client-subnet:
+
+edns-client-subnet
+------------------
+
+Enable or disable EDNS Client Subnet support. If enabled, responses to queries
+containing the EDNS Client Subnet option
+always contain a valid EDNS Client Subnet option according to :rfc:`7871`.
+
+*Default:* off
+
+.. _server_answer-rotation:
+
+answer-rotation
+---------------
+
+Enable or disable sorted-rrset rotation in the answer section of normal replies.
+The rotation shift is simply determined by a query ID.
+
+*Default:* off
+
+.. _server_listen:
+
+listen
+------
+
+One or more IP addresses where the server listens for incoming queries.
+Optional port specification (default is 53) can be appended to each address
+using ``@`` separator. Use ``0.0.0.0`` for all configured IPv4 addresses or
+``::`` for all configured IPv6 addresses.
+
+*Default:* not set
+
+.. _Key section:
+
+Key section
+===========
+
+Shared TSIG keys used to authenticate communication with the server.
+
+::
+
+ key:
+ - id: DNAME
+ algorithm: hmac-md5 | hmac-sha1 | hmac-sha224 | hmac-sha256 | hmac-sha384 | hmac-sha512
+ secret: BASE64
+
+.. _key_id:
+
+id
+--
+
+A key name identifier.
+
+.. NOTE::
+ This value MUST be exactly the same as the name of the TSIG key on the
+ opposite master/slave server(s).
+
+.. _key_algorithm:
+
+algorithm
+---------
+
+A TSIG key algorithm. See
+`TSIG Algorithm Numbers <https://www.iana.org/assignments/tsig-algorithm-names/tsig-algorithm-names.xhtml>`_.
+
+Possible values:
+
+- ``hmac-md5``
+- ``hmac-sha1``
+- ``hmac-sha224``
+- ``hmac-sha256``
+- ``hmac-sha384``
+- ``hmac-sha512``
+
+*Default:* not set
+
+.. _key_secret:
+
+secret
+------
+
+Shared key secret.
+
+*Default:* not set
+
+.. _ACL section:
+
+ACL section
+===========
+
+Access control list rule definitions. The ACLs are used to match incoming
+connections to allow or deny requested operation (zone transfer request, DDNS
+update, etc.).
+
+::
+
+ acl:
+ - id: STR
+ address: ADDR[/INT] | ADDR-ADDR ...
+ key: key_id ...
+ action: notify | transfer | update ...
+ deny: BOOL
+
+.. _acl_id:
+
+id
+--
+
+An ACL rule identifier.
+
+.. _acl_address:
+
+address
+-------
+
+An ordered list of IP addresses, network subnets, or network ranges. The query
+must match one of them. Empty value means that address match is not required.
+
+*Default:* not set
+
+.. _acl_key:
+
+key
+---
+
+An ordered list of :ref:`reference<key_id>`\ s to TSIG keys. The query must
+match one of them. Empty value means that transaction authentication is not used.
+
+*Default:* not set
+
+.. _acl_action:
+
+action
+------
+
+An ordered list of allowed (or denied) actions.
+
+Possible values:
+
+- ``notify`` – Allow incoming notify.
+- ``transfer`` – Allow zone transfer.
+- ``update`` – Allow zone updates.
+
+*Default:* not set
+
+.. _acl_deny:
+
+deny
+----
+
+If enabled, instead of allowing, deny the specified :ref:`action<acl_action>`,
+:ref:`address<acl_address>`, :ref:`key<acl_key>`, or combination if these
+items. If no action is specified, deny all actions.
+
+*Default:* off
+
+.. _Control section:
+
+Control section
+===============
+
+Configuration of the server control interface.
+
+::
+
+ control:
+ listen: STR
+ timeout: TIME
+
+.. _control_listen:
+
+listen
+------
+
+A UNIX socket path where the server listens for control commands.
+
+*Default:* :ref:`rundir<server_rundir>`/knot.sock
+
+.. _control_timeout:
+
+timeout
+-------
+
+Maximum time the control socket operations can take. Set 0 for infinity.
+
+*Default:* 5
+
+.. _statistics_section:
+
+Statistics section
+==================
+
+Periodic server statistics dumping.
+
+::
+
+ statistics:
+ timer: TIME
+ file: STR
+ append: BOOL
+
+.. _statistics_timer:
+
+timer
+-----
+
+A period after which all available statistics metrics will by written to the
+:ref:`file<statistics_file>`.
+
+*Default:* not set
+
+.. _statistics_file:
+
+file
+----
+
+A file path of statistics output in the YAML format.
+
+*Default:* :ref:`rundir<server_rundir>`/stats.yaml
+
+.. _statistics_append:
+
+append
+------
+
+If enabled, the output will be appended to the :ref:`file<statistics_file>`
+instead of file replacement.
+
+*Default:* off
+
+.. _Keystore section:
+
+Keystore section
+================
+
+DNSSEC keystore configuration.
+
+::
+
+ keystore:
+ - id: STR
+ backend: pem | pkcs11
+ config: STR
+
+.. _keystore_id:
+
+id
+--
+
+A keystore identifier.
+
+
+.. _keystore_backend:
+
+backend
+-------
+
+A key storage backend type.
+
+Possible values:
+
+- ``pem`` – PEM files.
+- ``pkcs11`` – PKCS #11 storage.
+
+*Default:* pem
+
+.. _keystore_config:
+
+config
+------
+
+A backend specific configuration. A directory with PEM files (the path can
+be specified as a relative path to :ref:`kasp-db<template_kasp-db>`) or
+a configuration string for PKCS #11 storage (`<pkcs11-url> <module-path>`).
+
+.. NOTE::
+ Example configuration string for PKCS #11::
+
+ "pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"
+
+*Default:* :ref:`kasp-db<template_kasp-db>`/keys
+
+.. _Submission section:
+
+Submission section
+==================
+
+Parameters of KSK submission checks.
+
+::
+
+ submission:
+ - id: STR
+ parent: remote_id ...
+ check-interval: TIME
+ timeout: TIME
+
+.. _submission_id:
+
+id
+--
+
+A submission identifier.
+
+.. _submission_parent:
+
+parent
+------
+
+A list of :ref:`references<remote_id>` to parent's DNS servers to be checked for
+presence of corresponding DS records in the case of KSK submission. All of them must
+have a corresponding DS for the rollover to continue. If none is specified, the
+rollover must be pushed forward manually.
+
+*Default:* not set
+
+.. TIP::
+ A DNSSEC-validating resolver can be set as a parent.
+
+.. _submission_check-interval:
+
+check-interval
+--------------
+
+Interval for periodic checks of DS presence on parent's DNS servers, in the
+case of the KSK submission.
+
+*Default:* 1 hour
+
+.. _submission_timeout:
+
+timeout
+-------
+
+After this period, the KSK submission is automatically considered successful, even
+if all the checks were negative or no parents are configured. Set 0 for infinity.
+
+*Default:* 0
+
+.. _Policy section:
+
+Policy section
+==============
+
+DNSSEC policy configuration.
+
+::
+
+ policy:
+ - id: STR
+ keystore: STR
+ manual: BOOL
+ single-type-signing: BOOL
+ algorithm: rsasha1 | rsasha1-nsec3-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519
+ ksk-size: SIZE
+ zsk-size: SIZE
+ ksk-shared: BOOL
+ dnskey-ttl: TIME
+ zsk-lifetime: TIME
+ ksk-lifetime: TIME
+ propagation-delay: TIME
+ rrsig-lifetime: TIME
+ rrsig-refresh: TIME
+ nsec3: BOOL
+ nsec3-iterations: INT
+ nsec3-opt-out: BOOL
+ nsec3-salt-length: INT
+ nsec3-salt-lifetime: TIME
+ ksk-submission: submission_id
+ cds-cdnskey-publish: none | delete-dnssec | rollover | always
+
+.. _policy_id:
+
+id
+--
+
+A policy identifier.
+
+.. _policy_keystore:
+
+keystore
+--------
+
+A :ref:`reference<keystore_id>` to a keystore holding private key material
+for zones. A special *default* value can be used for the default keystore settings.
+
+*Default:* default
+
+.. _policy_manual:
+
+manual
+------
+
+If enabled, automatic key management is not used.
+
+*Default:* off
+
+.. _policy_single-type-signing:
+
+single-type-signing
+-------------------
+
+If enabled, Single-Type Signing Scheme is used in the automatic key management
+mode.
+
+*Default:* off
+
+.. _policy_algorithm:
+
+algorithm
+---------
+
+An algorithm of signing keys and issued signatures. See
+`DNSSEC Algorithm Numbers <https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1>`_.
+
+Possible values:
+
+- ``rsasha1``
+- ``rsasha1-nsec3-sha1``
+- ``rsasha256``
+- ``rsasha512``
+- ``ecdsap256sha256``
+- ``ecdsap384sha384``
+- ``ed25519``
+
+*Default:* ecdsap256sha256
+
+.. NOTE::
+ Ed25519 algorithm is only available when compiled with GnuTLS 3.6.0+.
+
+.. _policy_ksk-size:
+
+ksk-size
+--------
+
+A length of newly generated :abbr:`KSK (Key Signing Key)` or
+:abbr:`CSK (Combined Signing Key)` keys.
+
+*Default:* 2048 (rsa*), 256 (ecdsap256), 384 (ecdsap384), 256 (ed25519)
+
+.. _policy_zsk-size:
+
+zsk-size
+--------
+
+A length of newly generated :abbr:`ZSK (Zone Signing Key)` keys.
+
+*Default:* see default for :ref:`ksk-size<policy_ksk-size>`
+
+.. _policy_ksk-shared:
+
+ksk-shared
+----------
+
+If enabled, all zones with this policy assigned will share one KSK.
+
+*Default:* off
+
+dnskey-ttl
+----------
+
+A TTL value for DNSKEY records added into zone apex.
+
+*Default:* zone SOA TTL
+
+.. NOTE::
+ Has infuence over ZSK key lifetime.
+
+.. _policy_zsk-lifetime:
+
+zsk-lifetime
+------------
+
+A period between ZSK publication and the next rollover initiation.
+
+*Default:* 30 days
+
+.. NOTE::
+ ZSK key lifetime is also infuenced by propagation-delay and dnskey-ttl
+
+ Zero (aka infinity) value causes no ZSK rollover as a result.
+
+.. _policy_ksk-lifetime:
+
+ksk-lifetime
+------------
+
+A period between KSK publication and the next rollover initiation.
+
+*Default:* 0
+
+.. NOTE::
+ KSK key lifetime is also infuenced by propagation-delay, dnskey-ttl,
+ and KSK submission delay.
+
+ Zero (aka infinity) value causes no KSK rollover as a result.
+
+ This applies for CSK lifetime if single-type-signing is enabled.
+
+.. _policy_propagation-delay:
+
+propagation-delay
+-----------------
+
+An extra delay added for each key rollover step. This value should be high
+enough to cover propagation of data from the master server to all slaves.
+
+*Default:* 1 hour
+
+.. NOTE::
+ Has infuence over ZSK key lifetime.
+
+.. _policy_rrsig-lifetime:
+
+rrsig-lifetime
+--------------
+
+A validity period of newly issued signatures.
+
+*Default:* 14 days
+
+.. _policy_rrsig-refresh:
+
+rrsig-refresh
+-------------
+
+A period how long before a signature expiration the signature will be refreshed.
+
+*Default:* 7 days
+
+.. _policy_nsec:
+
+nsec3
+-----
+
+Specifies if NSEC3 will be used instead of NSEC.
+
+*Default:* off
+
+.. _policy_nsec3-iterations:
+
+nsec3-iterations
+----------------
+
+A number of additional times the hashing is performed.
+
+*Default:* 5
+
+.. _policy_nsec3-opt-out:
+
+nsec3-opt-out
+-------------
+
+If set, NSEC3 records won't be created for insecure delegations.
+This speeds up the zone signing and reduces overall zone size.
+
+.. WARNING::
+ NSEC3 with the Opt-Out bit set no longer works as a proof of non-existence
+ in this zone.
+
+*Default:* off
+
+.. _policy_nsec3-salt-length:
+
+nsec3-salt-length
+-----------------
+
+A length of a salt field in octets, which is appended to the original owner
+name before hashing.
+
+*Default:* 8
+
+.. _policy_nsec3-salt-lifetime:
+
+nsec3-salt-lifetime
+-------------------
+
+A validity period of newly issued salt field.
+
+*Default:* 30 days
+
+.. _policy_ksk-submission-check:
+
+ksk-submission
+--------------
+
+A reference to :ref:`submission<submission_id>` section holding parameters of
+KSK submittion checks.
+
+*Default:* not set
+
+.. _policy_cds-cdnskey-publish:
+
+cds-cdnskey-publish
+-------------------
+
+Controls if and how shall the CDS and CDNSKEY be published in the zone.
+
+.. NOTE::
+ This only applies if the zone keys are automatically managed by the server.
+
+Possible values:
+
+- ``none`` – Never publish any CDS or CDNSKEY records in the zone.
+- ``delete-dnssec`` – Publish special CDS and CDNSKEY records indicating turning off DNSSEC.
+- ``rollover`` – Publish CDS and CDNSKEY records only in the submission phase of KSK rollover.
+- ``always`` – Always publish CDS and CDNSKEY records for the current KSK.
+
+*Default:* always
+
+.. _Remote section:
+
+Remote section
+==============
+
+Definitions of remote servers for outgoing connections (source of a zone
+transfer, target for a notification, etc.).
+
+::
+
+ remote:
+ - id: STR
+ address: ADDR[@INT] ...
+ via: ADDR[@INT] ...
+ key: key_id
+
+.. _remote_id:
+
+id
+--
+
+A remote identifier.
+
+.. _remote_address:
+
+address
+-------
+
+An ordered list of destination IP addresses which are used for communication
+with the remote server. The addresses are tried in sequence unless the
+operation is successful. Optional destination port (default is 53)
+can be appended to the address using ``@`` separator.
+
+*Default:* not set
+
+.. _remote_via:
+
+via
+---
+
+An ordered list of source IP addresses. The first address with the same family
+as the destination address is used. Optional source port (default is random)
+can be appended to the address using ``@`` separator.
+
+*Default:* not set
+
+.. _remote_key:
+
+key
+---
+
+A :ref:`reference<key_id>` to the TSIG key which is used to authenticate
+the communication with the remote server.
+
+*Default:* not set
+
+.. _Template section:
+
+Template section
+================
+
+A template is a shareable zone setting which can be used for configuration of
+many zones in one place. A special default template (with the *default* identifier)
+can be used for global querying configuration or as an implicit configuration
+if a zone doesn't have another template specified.
+
+::
+
+ template:
+ - id: STR
+ timer-db: STR
+ max-timer-db-size: SIZE
+ journal-db: STR
+ journal-db-mode: robust | asynchronous
+ max-journal-db-size: SIZE
+ kasp-db: STR
+ max-kasp-db-size: SIZE
+ global-module: STR/STR ...
+ # All zone options (excluding 'template' item)
+
+.. _template_id:
+
+id
+--
+
+A template identifier.
+
+.. _template_timer-db:
+
+timer-db
+--------
+
+Specifies a path of the persistent timer database. The path can be specified
+as a relative path to the *default* template :ref:`storage<zone_storage>`.
+
+.. NOTE::
+ This option is only available in the *default* template.
+
+*Default:* :ref:`storage<zone_storage>`/timers
+
+.. _template_max-timer-db-size:
+
+max-timer-db-size
+-----------------
+
+Hard limit for the timer database maximum size.
+
+.. NOTE::
+ This option is only available in the *default* template.
+
+*Default:* 100 MiB
+
+.. _template_journal-db:
+
+journal-db
+----------
+
+Specifies a path of the persistent journal database. The path can be specified
+as a relative path to the *default* template :ref:`storage<zone_storage>`.
+
+.. NOTE::
+ This option is only available in the *default* template.
+
+*Default:* :ref:`storage<zone_storage>`/journal
+
+.. _template_journal-db-mode:
+
+journal-db-mode
+---------------
+
+Specifies journal LMDB backend configuration, which influences performance
+and durability.
+
+Possible values:
+
+- ``robust`` – The journal DB disk sychronization ensures DB durability but is
+ generally slower.
+- ``asynchronous`` – The journal DB disk synchronization is optimized for
+ better performance at the expense of lower DB durability; this mode is
+ recommended only on slave nodes with many zones.
+
+.. NOTE::
+ This option is only available in the *default* template.
+
+*Default:* robust
+
+.. _template_max-journal-db-size:
+
+max-journal-db-size
+-------------------
+
+Hard limit for the common journal DB. There is no cleanup logic in journal
+to recover from reaching this limit: journal simply starts refusing changes
+across all zones. Decreasing this value has no effect if lower than actual
+DB file size.
+
+It is recommended to limit :ref:`max-journal-usage<zone_max-journal-usage>`
+per-zone instead of max-journal-size in most cases. Please keep this value
+larger than the sum of all zones' journal usage limits. See more details
+regarding :ref:`journal behaviour<Journal behaviour>`.
+
+This value also influences server's usage of virtual memory.
+
+.. NOTE::
+ This option is only available in the *default* template.
+
+*Default:* 20 GiB (1 GiB for 32-bit)
+
+.. _template_kasp-db:
+
+kasp-db
+-------
+
+A KASP database path. Non-absolute path is relative to
+:ref:`storage<zone_storage>`.
+
+*Default:* :ref:`storage<zone_storage>`/keys
+
+.. NOTE::
+ This option is only available in the *default* template.
+
+.. _template_max-kasp-db-size:
+
+max-kasp-db-size
+----------------
+
+Hard limit for the KASP database maximum size.
+
+.. NOTE::
+ This option is only available in the *default* template.
+
+*Default:* 500 MiB
+
+.. _template_global-module:
+
+global-module
+-------------
+
+An ordered list of references to query modules in the form of *module_name* or
+*module_name/module_id*. These modules apply to all queries.
+
+.. NOTE::
+ This option is only available in the *default* template.
+
+*Default:* not set
+
+.. _Zone section:
+
+Zone section
+============
+
+Definition of zones served by the server.
+
+::
+
+ zone:
+ - domain: DNAME
+ template: template_id
+ storage: STR
+ file: STR
+ master: remote_id ...
+ ddns-master: remote_id
+ notify: remote_id ...
+ acl: acl_id ...
+ semantic-checks: BOOL
+ disable-any: BOOL
+ zonefile-sync: TIME
+ zonefile-load: none | difference | difference-no-serial | whole
+ journal-content: none | changes | all
+ max-journal-usage: SIZE
+ max-journal-depth: INT
+ max-zone-size : SIZE
+ dnssec-signing: BOOL
+ dnssec-policy: STR
+ request-edns-option: INT:[HEXSTR]
+ serial-policy: increment | unixtime | dateserial
+ min-refresh-interval: TIME
+ max-refresh-interval: TIME
+ module: STR/STR ...
+
+.. _zone_domain:
+
+domain
+------
+
+A zone name identifier.
+
+.. _zone_template:
+
+template
+--------
+
+A :ref:`reference<template_id>` to a configuration template.
+
+*Default:* not set or *default* (if the template exists)
+
+.. _zone_storage:
+
+storage
+-------
+
+A data directory for storing zone files, journal database, and timers database.
+
+*Default:* ``${localstatedir}/lib/knot`` (configured with ``--with-storage=path``)
+
+.. _zone_file:
+
+file
+----
+
+A path to the zone file. Non-absolute path is relative to
+:ref:`storage<zone_storage>`. It is also possible to use the following formatters:
+
+- ``%c[``\ *N*\ ``]`` or ``%c[``\ *N*\ ``-``\ *M*\ ``]`` – Means the *N*\ th
+ character or a sequence of characters beginning from the *N*\ th and ending
+ with the *M*\ th character of the textual zone name (see ``%s``). The
+ indexes are counted from 0 from the left. All dots (including the terminal
+ one) are considered. If the character is not available, the formatter has no effect.
+- ``%l[``\ *N*\ ``]`` – Means the *N*\ th label of the textual zone name
+ (see ``%s``). The index is counted from 0 from the right (0 ~ TLD).
+ If the label is not available, the formatter has no effect.
+- ``%s`` – Means the current zone name in the textual representation.
+ The zone name doesn't include the terminating dot (the result for the root
+ zone is the empty string!).
+- ``%%`` – Means the ``%`` character.
+
+.. WARNING::
+ Beware of special characters which are escaped or encoded in the \\DDD form
+ where DDD is corresponding decimal ASCII code.
+
+*Default:* :ref:`storage<zone_storage>`/``%s``\ .zone
+
+.. _zone_master:
+
+master
+------
+
+An ordered list of :ref:`references<remote_id>` to zone master servers.
+
+*Default:* not set
+
+.. _zone_ddns-master:
+
+ddns-master
+-----------
+
+A :ref:`reference<remote_id>` to zone primary master server.
+If not specified, the first :ref:`master<zone_master>` server is used.
+
+*Default:* not set
+
+.. _zone_notify:
+
+notify
+------
+
+An ordered list of :ref:`references<remote_id>` to remotes to which notify
+message is sent if the zone changes.
+
+*Default:* not set
+
+.. _zone_acl:
+
+acl
+---
+
+An ordered list of :ref:`references<acl_id>` to ACL rules which can allow
+or disallow zone transfers, updates or incoming notifies.
+
+*Default:* not set
+
+.. _zone_semantic-checks:
+
+semantic-checks
+---------------
+
+If enabled, extra zone semantic checks are turned on.
+
+Several checks are enabled by default and cannot be turned off. An error in
+mandatory checks causes zone not to be loaded. An error in extra checks is
+logged only.
+
+Mandatory checks:
+
+- SOA record missing in the zone (:rfc:`1034`)
+- An extra record together with CNAME record except for RRSIG and DS (:rfc:`1034`)
+- Multiple CNAME record with the same owner
+- DNAME record having a record under it (:rfc:`2672`)
+
+Extra checks:
+
+- Missing NS record at the zone apex
+- Missing glue A or AAAA record
+- Invalid DNSKEY, DS, or NSEC3PARAM record
+- CDS or CDNSKEY inconsistency
+- Missing, invalid, or unverifiable RRSIG record
+- Invalid NSEC(3) record
+- Broken or non-cyclic NSEC(3) chain
+
+*Default:* off
+
+.. _zone_disable-any:
+
+disable-any
+-----------
+
+If enabled, all authoritative ANY queries sent over UDP will be answered
+with an empty response and with the TC bit set. Use this option to minimize
+the risk of DNS reflection attack.
+
+*Default:* off
+
+.. _zone_zonefile-sync:
+
+zonefile-sync
+-------------
+
+The time after which the current zone in memory will be synced with a zone file
+on the disk (see :ref:`file<zone_file>`). The server will serve the latest
+zone even after a restart using zone journal, but the zone file on the disk will
+only be synced after ``zonefile-sync`` time has expired (or after manual zone
+flush). This is applicable when the zone is updated via IXFR, DDNS or automatic
+DNSSEC signing. In order to completely disable automatic zone file synchronization,
+set the value to -1. In that case, it is still possible to force a manual zone flush
+using the ``-f`` option.
+
+.. NOTE::
+ If you are serving large zones with frequent updates where
+ the immediate sync with a zone file is not desirable, increase the value.
+
+*Default:* 0 (immediate)
+
+.. _zone_zonefile-load:
+
+zonefile-load
+-------------
+
+Selects how the zone file contents are applied during zone load.
+
+Possible values:
+
+- ``none`` – The zone file is not used at all.
+- ``difference`` – If the zone contents are already available during server start or reload,
+ the difference is computed between them and the contents of the zone file. This difference
+ is then checked for semantic errors and
+ applied to the current zone contents.
+- ``difference-no-serial`` – Same as ``difference``, but the SOA serial in the zone file is
+ ignored, the server takes care of incrementing the serial automatically.
+- ``whole`` – Zone contents are loaded from the zone file.
+
+When ``difference`` is configured and there are no zone contents yet (cold start of Knot
+and no zone contents in journal), it behaves the same way like ``whole``.
+
+*Default:* whole
+
+.. _zone_journal-content:
+
+journal-content
+---------------
+
+Selects how the journal shall be used to store zone and its changes.
+
+Possible values:
+
+- ``none`` – The journal is not used at all.
+- ``changes`` – Zone changes history is stored in journal.
+- ``all`` – Zone contents and history is stored in journal.
+
+*Default:* changes
+
+.. _zone_max-journal-usage:
+
+max-journal-usage
+-----------------
+
+Policy how much space in journal DB will the zone's journal occupy.
+
+*Default:* 100 MiB
+
+.. NOTE::
+ Journal DB may grow far above the sum of max-journal-usage across
+ all zones, because of DB free space fragmentation.
+
+.. _zone_max_journal_depth:
+
+max-journal-depth
+-----------------
+
+Maximum history length of journal.
+
+*Minimum:* 2
+
+*Default:* 2^64
+
+.. _zone_max_zone_size:
+
+max-zone-size
+-------------
+
+Maximum size of the zone. The size is measured as size of the zone records
+in wire format without compression. The limit is enforced for incoming zone
+transfers and dynamic updates.
+
+For incremental transfers (IXFR), the effective limit for the total size of
+the records in the transfer is twice the configured value. However the final
+size of the zone must satisfy the configured value.
+
+*Default:* 2^64
+
+.. _zone_dnssec-signing:
+
+dnssec-signing
+--------------
+
+If enabled, automatic DNSSEC signing for the zone is turned on.
+
+*Default:* off
+
+.. _zone_dnssec-policy:
+
+dnssec-policy
+-------------
+
+A :ref:`reference<policy_id>` to DNSSEC signing policy. A special *default*
+value can be used for the default policy settings.
+
+*Required*
+
+.. _zone_request_edns_option:
+
+request-edns-option
+-------------------
+
+An arbitrary EDNS0 option which is included into a server request (AXFR, IXFR,
+SOA, or NOTIFY). The value is in the option_code:option_data format.
+
+*Default:* not set
+
+.. _zone_serial-policy:
+
+serial-policy
+-------------
+
+Specifies how the zone serial is updated after a dynamic update or
+automatic DNSSEC signing. If the serial is changed by the dynamic update,
+no change is made.
+
+Possible values:
+
+- ``increment`` – The serial is incremented according to serial number arithmetic.
+- ``unixtime`` – The serial is set to the current unix time.
+- ``dateserial`` – The 10-digit serial (YYYYMMDDnn) is incremented, the first
+ 8 digits match the current iso-date.
+
+.. NOTE::
+ In case of ``unixtime``, if the resulting serial is lower or equal than current zone
+ (this happens e.g. in case of migrating from other policy or frequent updates)
+ the serial is incremented instead.
+
+ Use dateserial only if you expect less than 100 updates per day per zone.
+
+*Default:* increment
+
+.. _zone_min-refresh-interval:
+
+min-refresh-interval
+--------------------
+
+Forced minimum zone refresh interval to avoid flooding master.
+
+*Default:* 2
+
+.. _zone_max-refresh-interval:
+
+max-refresh-interval
+--------------------
+
+Forced maximum zone refresh interval.
+
+*Default:* not set
+
+.. _zone_module:
+
+module
+------
+
+An ordered list of references to query modules in the form of *module_name* or
+*module_name/module_id*. These modules apply only to the current zone queries.
+
+*Default:* not set
+
+.. _Logging section:
+
+Logging section
+===============
+
+Server can be configured to log to the standard output, standard error
+output, syslog (or systemd journal if systemd is enabled) or into an arbitrary
+file.
+
+There are 6 logging severity levels:
+
+- ``critical`` – Non-recoverable error resulting in server shutdown.
+- ``error`` – Recoverable error, action should be taken.
+- ``warning`` – Warning that might require user action.
+- ``notice`` – Server notice or hint.
+- ``info`` – Informational message.
+- ``debug`` – Debug messages (must be turned on at compile time).
+
+In the case of missing log section, ``warning`` or more serious messages
+will be logged to both standard error output and syslog. The ``info`` and
+``notice`` messages will be logged to standard output.
+
+::
+
+ log:
+ - target: stdout | stderr | syslog | STR
+ server: critical | error | warning | notice | info | debug
+ control: critical | error | warning | notice | info | debug
+ zone: critical | error | warning | notice | info | debug
+ any: critical | error | warning | notice | info | debug
+
+.. _log_target:
+
+target
+------
+
+A logging output.
+
+Possible values:
+
+- ``stdout`` – Standard output.
+- ``stderr`` – Standard error output.
+- ``syslog`` – Syslog.
+- *file\_name* – A specific file.
+
+.. _log_server:
+
+server
+------
+
+Minimum severity level for messages related to general operation of the server
+that are logged.
+
+*Default:* not set
+
+.. _log_control:
+
+control
+-------
+
+Minimum severity level for messages related to server control that are logged.
+
+*Default:* not set
+
+.. _log_zone:
+
+zone
+----
+
+Minimum severity level for messages related to zones that are logged.
+
+*Default:* not set
+
+.. _log_any:
+
+any
+---
+
+Minimum severity level for all message types that are logged.
+
+*Default:* not set
diff --git a/doc/requirements.rst b/doc/requirements.rst
new file mode 100644
index 0000000..0192fe9
--- /dev/null
+++ b/doc/requirements.rst
@@ -0,0 +1,96 @@
+.. highlight:: none
+.. _Requirements:
+
+************
+Requirements
+************
+
+Hardware
+========
+
+Knot DNS requirements are not very demanding for typical
+installations, and a commodity server or a virtual solution will be
+sufficient in most cases.
+
+However, please note that there are some scenarios that will require
+administrator's attention and some testing of exact requirements before
+deploying Knot DNS to a production environment. These cases include
+deployment for a large number of zones (DNS hosting), large number
+of records in one or more zones (TLD), or large number of requests.
+
+CPU requirements
+----------------
+
+The server scales with processing power and also with the number of
+available cores/CPUs. Enabling Hyper-threading is convenient if supported.
+
+There is no lower bound on the CPU requirements, but it should support
+memory barriers and CAS (i586 and newer).
+
+Network card
+------------
+
+The best results have been achieved with multi-queue network cards. The
+number of multi-queues should equal the total number of CPU cores (with
+Hyper-threading enabled).
+
+Memory requirements
+-------------------
+
+The server implementation focuses on performance and thus can be quite
+memory demanding. The rough estimate for memory requirements is
+3 times the size of the zone in the plain-text format. Again this is only
+an estimate and you are advised to do your own measurements before
+deploying Knot DNS to production.
+
+.. NOTE::
+ To ensure uninterrupted serving of the zone, Knot DNS
+ employs the Read-Copy-Update mechanism instead of locking and thus
+ requires twice the amount of memory for the duration of incoming
+ transfers.
+
+Operating system
+================
+
+Knot DNS itself is written in a portable way and can be compiled
+and run on most UNIX-like systems, such as Linux, \*BSD, and macOS.
+
+Required libraries
+==================
+
+Knot DNS requires a few libraries to be available:
+
+* libedit
+* gnutls >= 3.3
+* liburcu >= 0.5.4
+* lmdb >= 0.9.15
+
+.. NOTE::
+ The LMDB library is included with Knot DNS source code. However, linking
+ with the system library is preferred.
+
+Optional libraries
+==================
+
+International Domain Names support (IDNA2008 or IDNA2003) in **kdig**:
+
+* libidn2 (or libidn)
+
+Systemd's startup notification mechanism and journald logging:
+
+* libsystemd
+
+Dnstap support in **kdig** or module :ref:`dnstap<mod-dnstap>`:
+
+* fstrm (and protobuf-c if building from source code)
+
+Linux :manpage:`capabilities(7)` support, which allows the server to be started
+as a non-root user/group, binding to privileged ports (53), and giving up all
+its capabilities, resulting in a completely unprivileged process:
+
+* libcap-ng >= 0.6.4
+
+MaxMind database for **geodb** support in module :ref:`geoip<mod-geoip>`:
+
+* libmaxminddb0
+
diff --git a/doc/theme_html/static/admon_caution_48.png b/doc/theme_html/static/admon_caution_48.png
new file mode 100644
index 0000000..9016ec0
--- /dev/null
+++ b/doc/theme_html/static/admon_caution_48.png
Binary files differ
diff --git a/doc/theme_html/static/admon_important_48.png b/doc/theme_html/static/admon_important_48.png
new file mode 100644
index 0000000..7021f4c
--- /dev/null
+++ b/doc/theme_html/static/admon_important_48.png
Binary files differ
diff --git a/doc/theme_html/static/admon_note_48.png b/doc/theme_html/static/admon_note_48.png
new file mode 100644
index 0000000..e72e336
--- /dev/null
+++ b/doc/theme_html/static/admon_note_48.png
Binary files differ
diff --git a/doc/theme_html/static/admon_tip_48.png b/doc/theme_html/static/admon_tip_48.png
new file mode 100644
index 0000000..f679193
--- /dev/null
+++ b/doc/theme_html/static/admon_tip_48.png
Binary files differ
diff --git a/doc/theme_html/static/admon_warning_48.png b/doc/theme_html/static/admon_warning_48.png
new file mode 100644
index 0000000..2c338d5
--- /dev/null
+++ b/doc/theme_html/static/admon_warning_48.png
Binary files differ
diff --git a/doc/theme_html/static/admons.css b/doc/theme_html/static/admons.css
new file mode 100644
index 0000000..d9f3406
--- /dev/null
+++ b/doc/theme_html/static/admons.css
@@ -0,0 +1,69 @@
+/* === Style for admonitions === */
+
+/* Settings from 'basic' theme (modified only) */
+
+div.admonition {
+ margin-top: 10px;
+ margin-bottom: 10px;
+ padding: 7px;
+ padding-left: 54px;/* based on icon size */
+ padding-right: 24px;/* based on icon size */
+}
+
+/* Settings from 'classic' theme (modified only) */
+
+div.admonition p {
+ display: block;
+}
+
+p.admonition-title {
+ padding-bottom: 11px;/* based on icon size */
+ padding-top: 11px;/* based on icon size */
+}
+
+p.admonition-title:after {
+ content: none; /* do not add colon */
+}
+
+/* Icon settings for all admonitions */
+div.admonition {
+ /* background-image: url('abstract_admon_48.png'); */
+ background-repeat: no-repeat;
+ background-position: 2px 2px;
+}
+
+/* Specific admonitions */
+div.admonition-todo {
+ background-color: #CAE2B6;
+ border: solid 1px #439427;
+}
+
+div.warning {
+ background-image: url('admon_warning_48.png');
+ background-color: #FFE4E4;
+ border: solid 3px #990D1C;
+}
+
+div.caution {
+ background-image: url('admon_caution_48.png');
+ background-color: #FFE4E4;
+ border: solid 1px #990D1C;
+}
+
+div.important {
+ background-image: url('admon_important_48.png');
+ background-color: #FBECC8;
+ border: solid 1px #D68612;
+}
+
+div.note {
+ background-image: url('admon_note_48.png');
+ background-color: white;
+ border: solid 1px #D1D3D4;
+}
+
+div.tip {
+ background-image: url('admon_tip_48.png');
+ background-color: #F2E4FD;
+ border: solid 1px #D1C2E6;
+}
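Review bot: `div.admonition` is declared twice in admons.css, once for margins and padding and again under "Icon settings for all admonitions", and the second rule carries a commented-out `background-image` declaration that is dead code. Moving `background-repeat: no-repeat;` and `background-position: 2px 2px;` into the first rule and dropping the commented line would keep the shared admonition styling in one place. `div.admonition-todo` sets no `background-image`, so it gets the 54px left padding reserved for an icon without showing one; if that is intended, a comment such as `/* no icon for todo; padding kept for alignment */` would say so.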
diff --git a/doc/theme_html/static/main.css b/doc/theme_html/static/main.css
new file mode 100644
index 0000000..d7eb5d1
--- /dev/null
+++ b/doc/theme_html/static/main.css
@@ -0,0 +1,6 @@
+@import url("nature.css");
+
+/* Addendum for admonitions */
+@import url("admons.css");
+
+/* Other overrides here */
diff --git a/doc/theme_html/theme.conf b/doc/theme_html/theme.conf
new file mode 100644
index 0000000..eb8c607
--- /dev/null
+++ b/doc/theme_html/theme.conf
@@ -0,0 +1,4 @@
+[theme]
+inherit = nature
+stylesheet = main.css
+pygments_style = sphinx
diff --git a/doc/troubleshooting.rst b/doc/troubleshooting.rst
new file mode 100644
index 0000000..b596738
--- /dev/null
+++ b/doc/troubleshooting.rst
@@ -0,0 +1,110 @@
+.. highlight:: console
+.. _Troubleshooting:
+
+***************
+Troubleshooting
+***************
+
+First of all, check the logs. Enabling at least the ``warning`` message
+severity may help you to identify some problems. See the :ref:`Logging section`
+for details.
+
+.. _Submitting a bugreport:
+
+Reporting bugs
+==============
+
+If you are unable to solve the problem by yourself, you can submit a
+bugreport to the Knot DNS developers. For security or sensitive issues
+contact the developers directly on
+`knot-dns@labs.nic.cz <mailto:knot-dns@labs.nic.cz>`_.
+All other bugs and questions may be directed to the public Knot DNS users
+mailing list
+(`knot-dns-users@lists.nic.cz <mailto:knot-dns-users@lists.nic.cz>`_) or
+may be entered into the
+`issue tracking system <https://gitlab.labs.nic.cz/knot/knot-dns/issues>`_.
+
+Before anything else, please try to answer the following questions:
+
+* Has it been working?
+* What has changed? System configuration, software updates, network
+ configuration, firewall rules modification, hardware replacement, etc.
+
+The bugreport should contain the answers for the previous questions and in
+addition at least the following information:
+
+* Knot DNS version and type of installation (distribution package, from source,
+ etc.)
+* Operating system, platform, kernel version
+* Relevant basic hardware information (processor, amount of memory, available
+ network devices, etc.)
+* Description of the bug
+* Log output with the highest verbosity (category ``any``, severity ``debug``)
+* Steps to reproduce the bug (if known)
+* Backtrace (if the bug caused a crash or a hang; see the next section)
+
+If possible, please provide a minimal configuration file and zone files which
+can be used to reproduce the bug.
+
+.. _Generating backtrace:
+
+Generating backtrace
+====================
+
+Backtrace carries basic information about the state of the program and how
+the program got where it is. It helps determining the location of the bug in
+the source code.
+
+If you run Knot DNS from distribution packages, make sure the debugging
+symbols for the package are installed. The symbols are usually distributed
+in a separate package.
+
+There are several ways to get the backtrace. One possible way is to extract
+the backtrace from a core dump file. Core dump is a memory snapshot generated
+by the operating system when a process crashes. The generating of core dumps
+must be usually enabled::
+
+ $ ulimit -c unlimited # Enable unlimited core dump size
+ $ knotd ... # Reproduce the crash
+ ...
+ $ gdb knotd <core-dump-file> # Start gdb on the core dump
+ (gdb) info threads # Get a summary of all threads
+ (gdb) thread apply all bt full # Extract backtrace from all threads
+ (gdb) quit
+
+To save the backtrace into a file, the following GDB commands can be used::
+
+ (gdb) set pagination off
+ (gdb) set logging file backtrace.txt
+ (gdb) set logging on
+ (gdb) info threads
+ (gdb) thread apply all bt full
+ (gdb) set logging off
+
+To generate a core dump of a running process, the `gcore` utility can be used::
+
+ $ gcore -o <output-file> $(pidof knotd)
+
+Please note that core dumps can be intercepted by an error-collecting system
+service (systemd-coredump, ABRT, Apport, etc.). If you are using such a service,
+consult its documentation about core dump retrieval.
+
+If the error is reproducible, it is also possible to start and inspect the
+server directly in the debugger::
+
+ $ gdb --args knotd -c /etc/knot.conf
+ (gdb) run
+ ...
+
+Alternatively, the debugger can be attached to a running server
+process. This is generally useful when troubleshooting a stuck process::
+
+ $ knotd ...
+ $ gdb --pid $(pidof knotd)
+ (gdb) continue
+ ...
+
+If you fail to get a backtrace of a running process using the previous method,
+you may try the single-purpose ``pstack`` utility::
+
+ $ pstack $(pidof knotd) > backtrace.txt
diff --git a/doc/utilities.rst b/doc/utilities.rst
new file mode 100644
index 0000000..2180942
--- /dev/null
+++ b/doc/utilities.rst
@@ -0,0 +1,21 @@
+.. highlight:: none
+.. _Utilities:
+
+Utilities
+=========
+
+Knot DNS comes with a few DNS client utilities and a few utilities to control
+the server. This section collects manual pages for all provided binaries:
+
+.. toctree::
+ :titlesonly:
+
+ man_kdig
+ man_keymgr
+ man_khost
+ man_kjournalprint
+ man_knotc
+ man_knotd
+ man_knsec3hash
+ man_knsupdate
+ man_kzonecheck