authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:24:08 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:24:08 +0000
commitf449f278dd3c70e479a035f50a9bb817a9b433ba (patch)
tree8ca2bfb785dda9bb4d573acdf9b42aea9cd51383 /doc/man
parentInitial commit. (diff)
Adding upstream version 3.2.6. (refs: upstream/3.2.6, upstream)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--doc/man/kcatalogprint.8in80
-rw-r--r--doc/man/kdig.1in460
-rw-r--r--doc/man/keymgr.8in364
-rw-r--r--doc/man/khost.1in156
-rw-r--r--doc/man/kjournalprint.8in120
-rw-r--r--doc/man/knot.conf.5in2499
-rw-r--r--doc/man/knotc.8in425
-rw-r--r--doc/man/knotd.8in90
-rw-r--r--doc/man/knsec3hash.1in93
-rw-r--r--doc/man/knsupdate.1in211
-rw-r--r--doc/man/kxdpgun.8in241
-rw-r--r--doc/man/kzonecheck.1in88
-rw-r--r--doc/man/kzonesign.1in95
-rw-r--r--doc/man_kcatalogprint.rst54
-rw-r--r--doc/man_kdig.rst392
-rw-r--r--doc/man_keymgr.rst292
-rw-r--r--doc/man_khost.rst108
-rw-r--r--doc/man_kjournalprint.rst88
-rw-r--r--doc/man_knotc.rst377
-rw-r--r--doc/man_knotd.rst66
-rw-r--r--doc/man_knsec3hash.rst57
-rw-r--r--doc/man_knsupdate.rst181
-rw-r--r--doc/man_kxdpgun.rst183
-rw-r--r--doc/man_kzonecheck.rst62
-rw-r--r--doc/man_kzonesign.rst69
25 files changed, 6851 insertions, 0 deletions
diff --git a/doc/man/kcatalogprint.8in b/doc/man/kcatalogprint.8in
new file mode 100644
index 0000000..afab092
--- /dev/null
+++ b/doc/man/kcatalogprint.8in
@@ -0,0 +1,80 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "KCATALOGPRINT" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+kcatalogprint \- Knot DNS catalog print utility
+.SH SYNOPSIS
+.sp
+\fBkcatalogprint\fP [\fIconfig_option\fP \fIconfig_argument\fP] [\fIoption\fP]
+.SH DESCRIPTION
+.sp
+The program prints zone catalog stored in a catalog database.
+.SS Config options
+.INDENT 0.0
+.TP
+\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
+Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+.TP
+\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
+Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+The default configuration database, if exists, has a preference to the default
+configuration file.
+.TP
+\fB\-D\fP, \fB\-\-dir\fP \fIpath\fP
+Use specified catalog database path and default configuration.
+.UNINDENT
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-a\fP, \fB\-\-catalog\fP
+Filter the output by catalog zone name.
+.TP
+\fB\-m\fP, \fB\-\-member\fP
+Filter the output by member zone name.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.UNINDENT
+.SH EXIT VALUES
+.sp
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+.SH SEE ALSO
+.sp
+\fBknotd(8)\fP, \fBknot.conf(5)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2023, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/kdig.1in b/doc/man/kdig.1in
new file mode 100644
index 0000000..714eaf9
--- /dev/null
+++ b/doc/man/kdig.1in
@@ -0,0 +1,460 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "KDIG" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+kdig \- Advanced DNS lookup utility
+.SH SYNOPSIS
+.sp
+\fBkdig\fP [\fIcommon\-settings\fP] [\fIquery\fP [\fIsettings\fP]]...
+.sp
+\fBkdig\fP \fB\-h\fP
+.SH DESCRIPTION
+.sp
+This utility sends one or more DNS queries to a nameserver. Each query can have
+individual \fIsettings\fP, or it can be specified globally via \fIcommon\-settings\fP,
+which must precede \fIquery\fP specification.
+.SS Parameters
+.INDENT 0.0
+.TP
+\fIquery\fP
+\fIname\fP | \fB\-q\fP \fIname\fP | \fB\-x\fP \fIaddress\fP | \fB\-G\fP \fItapfile\fP
+.TP
+\fIcommon\-settings\fP, \fIsettings\fP
+[\fIquery_class\fP] [\fIquery_type\fP] [\fB@\fP\fIserver\fP]... [\fIoptions\fP]
+.TP
+\fIname\fP
+Is a domain name that is to be looked up.
+.TP
+\fIserver\fP
+Is a domain name or an IPv4 or IPv6 address of the nameserver to send a query
+to. An additional port can be specified using address:port ([address]:port
+for IPv6 address), address@port, or address#port notation. A value which begins
+with \(aq/\(aq character is considered an absolute UNIX socket path. If no server is
+specified, the servers from \fB/etc/resolv.conf\fP are used.
+.UNINDENT
+.sp
+If no arguments are provided, \fBkdig\fP sends NS query for the root
+zone.
+.SS Query classes
+.sp
+A \fIquery_class\fP can be either a DNS class name (IN, CH) or generic class
+specification \fBCLASS\fP\fIXXXXX\fP where \fIXXXXX\fP is a corresponding decimal
+class number. The default query class is IN.
+.SS Query types
+.sp
+A \fIquery_type\fP can be either a DNS resource record type
+(A, AAAA, NS, SOA, DNSKEY, ANY, etc.) or one of the following:
+.INDENT 0.0
+.TP
+\fBTYPE\fP\fIXXXXX\fP
+Generic query type specification where \fIXXXXX\fP is a corresponding decimal
+type number.
+.TP
+\fBAXFR\fP
+Full zone transfer request.
+.TP
+\fBIXFR=\fP\fIserial\fP
+Incremental zone transfer request for specified SOA serial number
+(i.e. all zone updates since the specified zone version are to be returned).
+.TP
+\fBNOTIFY=\fP\fIserial\fP
+Notify message with a SOA serial hint specified.
+.TP
+\fBNOTIFY\fP
+Notify message with a SOA serial hint unspecified.
+.UNINDENT
+.sp
+The default query type is A.
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-4\fP
+Use the IPv4 protocol only.
+.TP
+\fB\-6\fP
+Use the IPv6 protocol only.
+.TP
+\fB\-b\fP \fIaddress\fP
+Set the source IP address of the query to \fIaddress\fP\&. The address must be a
+valid address for local interface or :: or 0.0.0.0. An optional port
+can be specified in the same format as the \fIserver\fP value.
+.TP
+\fB\-c\fP \fIclass\fP
+An explicit \fIquery_class\fP specification. See possible values above.
+.TP
+\fB\-d\fP
+Enable debug messages.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-k\fP \fIkeyfile\fP
+Use the TSIG key stored in a file \fIkeyfile\fP to authenticate the request. The
+file must contain the key in the same format as accepted by the
+\fB\-y\fP option.
+.TP
+\fB\-p\fP \fIport\fP
+Set the nameserver port number or service name to send a query to. The default
+port is 53.
+.TP
+\fB\-q\fP \fIname\fP
+Set the query name. An explicit variant of \fIname\fP specification. If no \fIname\fP
+is provided, empty question section is set.
+.TP
+\fB\-t\fP \fItype\fP
+An explicit \fIquery_type\fP specification. See possible values above.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.TP
+\fB\-x\fP \fIaddress\fP
+Send a reverse (PTR) query for IPv4 or IPv6 \fIaddress\fP\&. The correct name, class
+and type is set automatically.
+.TP
+\fB\-y\fP [\fIalg\fP:]\fIname\fP:\fIkey\fP
+Use the TSIG key named \fIname\fP to authenticate the request. The \fIalg\fP
+part specifies the algorithm (the default is hmac\-sha256) and \fIkey\fP specifies
+the shared secret encoded in Base64.
+.TP
+\fB\-E\fP \fItapfile\fP
+Export a dnstap trace of the query and response messages received to the
+file \fItapfile\fP\&.
+.TP
+\fB\-G\fP \fItapfile\fP
+Generate message output from a previously saved dnstap file \fItapfile\fP\&.
+.TP
+\fB+\fP[\fBno\fP]\fBmultiline\fP
+Wrap long records to more lines and improve human readability.
+.TP
+\fB+\fP[\fBno\fP]\fBshort\fP
+Show record data only.
+.TP
+\fB+\fP[\fBno\fP]\fBgeneric\fP
+Use the generic representation format when printing resource record types
+and data.
+.TP
+\fB+\fP[\fBno\fP]\fBcrypto\fP
+Display the DNSSEC keys and signatures values in base64, instead of omitting them.
+.TP
+\fB+\fP[\fBno\fP]\fBaaflag\fP
+Set the AA flag.
+.TP
+\fB+\fP[\fBno\fP]\fBtcflag\fP
+Set the TC flag.
+.TP
+\fB+\fP[\fBno\fP]\fBrdflag\fP
+Set the RD flag.
+.TP
+\fB+\fP[\fBno\fP]\fBrecurse\fP
+Same as \fB+\fP[\fBno\fP]\fBrdflag\fP
+.TP
+\fB+\fP[\fBno\fP]\fBraflag\fP
+Set the RA flag.
+.TP
+\fB+\fP[\fBno\fP]\fBzflag\fP
+Set the zero flag bit.
+.TP
+\fB+\fP[\fBno\fP]\fBadflag\fP
+Set the AD flag.
+.TP
+\fB+\fP[\fBno\fP]\fBcdflag\fP
+Set the CD flag.
+.TP
+\fB+\fP[\fBno\fP]\fBdnssec\fP
+Set the DO flag.
+.TP
+\fB+\fP[\fBno\fP]\fBall\fP
+Show all packet sections.
+.TP
+\fB+\fP[\fBno\fP]\fBqr\fP
+Show the query packet.
+.TP
+\fB+\fP[\fBno\fP]\fBheader\fP
+Show the packet header.
+.TP
+\fB+\fP[\fBno\fP]\fBcomments\fP
+Show commented section names.
+.TP
+\fB+\fP[\fBno\fP]\fBopt\fP
+Show the EDNS pseudosection.
+.TP
+\fB+\fP[\fBno\fP]\fBopttext\fP
+Try to show unknown EDNS options as text.
+.TP
+\fB+\fP[\fBno\fP]\fBquestion\fP
+Show the question section.
+.TP
+\fB+\fP[\fBno\fP]\fBanswer\fP
+Show the answer section.
+.TP
+\fB+\fP[\fBno\fP]\fBauthority\fP
+Show the authority section.
+.TP
+\fB+\fP[\fBno\fP]\fBadditional\fP
+Show the additional section.
+.TP
+\fB+\fP[\fBno\fP]\fBtsig\fP
+Show the TSIG pseudosection.
+.TP
+\fB+\fP[\fBno\fP]\fBstats\fP
+Show trailing packet statistics.
+.TP
+\fB+\fP[\fBno\fP]\fBclass\fP
+Show the DNS class.
+.TP
+\fB+\fP[\fBno\fP]\fBttl\fP
+Show the TTL value.
+.TP
+\fB+\fP[\fBno\fP]\fBtcp\fP
+Use the TCP protocol (default is UDP for standard query and TCP for AXFR/IXFR).
+.TP
+\fB+\fP[\fBno\fP]\fBfastopen\fP
+Use TCP Fast Open.
+.TP
+\fB+\fP[\fBno\fP]\fBignore\fP
+Don\(aqt use TCP automatically if a truncated reply is received.
+.TP
+\fB+\fP[\fBno\fP]\fBkeepopen\fP
+Keep TCP connection open for the following query if it has the same connection
+configuration. This applies to +tcp, +tls, and +https operations. The connection
+is considered in the context of a single kdig call only.
+.TP
+\fB+\fP[\fBno\fP]\fBtls\fP
+Use TLS with the Opportunistic privacy profile (\fI\%RFC 7858#section\-4.1\fP).
+.TP
+\fB+\fP[\fBno\fP]\fBtls\-ca\fP[=\fIFILE\fP]
+Use TLS with a certificate validation. Certification authority certificates
+are loaded from the specified PEM file (default is system certificate storage
+if no argument is provided).
+Can be specified multiple times. If the +tls\-hostname option is not provided,
+the name of the target server (if specified) is used for strict authentication.
+.TP
+\fB+\fP[\fBno\fP]\fBtls\-pin\fP=\fIBASE64\fP
+Use TLS with the Out\-of\-Band key\-pinned privacy profile (\fI\%RFC 7858#section\-4.2\fP).
+The PIN must be a Base64 encoded SHA\-256 hash of the X.509 SubjectPublicKeyInfo.
+Can be specified multiple times.
+.TP
+\fB+\fP[\fBno\fP]\fBtls\-hostname\fP=\fISTR\fP
+Use TLS with a remote server hostname check.
+.TP
+\fB+\fP[\fBno\fP]\fBtls\-sni\fP=\fISTR\fP
+Use TLS with a Server Name Indication.
+.TP
+\fB+\fP[\fBno\fP]\fBtls\-keyfile\fP=\fIFILE\fP
+Use TLS with a client keyfile.
+.TP
+\fB+\fP[\fBno\fP]\fBtls\-certfile\fP=\fIFILE\fP
+Use TLS with a client certfile.
+.TP
+\fB+\fP[\fBno\fP]\fBtls\-ocsp\-stapling\fP[=\fIH\fP]
+Use TLS with a valid stapled OCSP response for the server certificate
+(%u or specify hours). OCSP responses older than the specified period are
+considered invalid.
+.TP
+\fB+\fP[\fBno\fP]\fBhttps\fP[=\fIURL\fP]
+Use HTTPS (DNS\-over\-HTTPS) in wire format (\fI\%RFC 1035#section\-4.2.1\fP).
+It is also possible to specify URL=[authority][/path] where request
+will be sent to. Any leading scheme and authority indicator (i.e. //) are ignored.
+Authority might also be specified as the \fIserver\fP (using the parameter \fI@\fP).
+If \fIpath\fP is specified and \fIauthority\fP is missing, then the \fIserver\fP
+is used as authority together with the specified \fIpath\fP\&.
+Library \fIlibnghttp2\fP is required.
+.TP
+\fB+\fP[\fBno\fP]\fBhttps\-get\fP
+Use HTTPS with HTTP/GET method instead of the default HTTP/POST method.
+Library \fIlibnghttp2\fP is required.
+.TP
+\fB+\fP[\fBno\fP]\fBquic\fP
+Use QUIC (DNS\-over\-QUIC).
+.TP
+\fB+\fP[\fBno\fP]\fBnsid\fP
+Request the nameserver identifier (NSID).
+.TP
+\fB+\fP[\fBno\fP]\fBbufsize\fP=\fIB\fP
+Set EDNS buffer size in bytes (default is 4096 bytes).
+.TP
+\fB+\fP[\fBno\fP]\fBpadding\fP[=\fIB\fP]
+Use EDNS(0) padding option to pad queries, optionally to a specific
+size. The default is to pad queries with a sensible amount when using
++tls, and not to pad at all when queries are sent without TLS. With
+no argument (i.e., just +padding) pad every query with a sensible
+amount regardless of the use of TLS. With +nopadding, never pad.
+.TP
+\fB+\fP[\fBno\fP]\fBalignment\fP[=\fIB\fP]
+Align the query to B\-byte\-block message using the EDNS(0) padding option
+(default is no or 128 if no argument is specified).
+.TP
+\fB+\fP[\fBno\fP]\fBsubnet\fP=\fISUBN\fP
+Set EDNS(0) client subnet SUBN=addr/prefix.
+.TP
+\fB+\fP[\fBno\fP]\fBedns\fP[=\fIN\fP]
+Use EDNS version (default is 0).
+.TP
+\fB+\fP[\fBno\fP]\fBtimeout\fP=\fIT\fP
+Set the wait\-for\-reply interval in seconds (default is 5 seconds). This timeout
+applies to each query attempt. Zero value or \fInotimeout\fP is interpreted as
+infinity.
+.TP
+\fB+\fP[\fBno\fP]\fBretry\fP=\fIN\fP
+Set the number (>=0) of UDP retries (default is 2). This doesn\(aqt apply to
+AXFR/IXFR.
+.TP
+\fB+\fP[\fBno\fP]\fBexpire\fP
+Sets the EXPIRE EDNS option.
+.TP
+\fB+\fP[\fBno\fP]\fBcookie\fP[=\fIHEX\fP]
+Attach EDNS(0) cookie to the query.
+.TP
+\fB+\fP[\fBno\fP]\fBbadcookie\fP
+Repeat a query with the correct cookie.
+.TP
+\fB+\fP[\fBno\fP]\fBednsopt\fP[=\fICODE\fP[:\fIHEX\fP]]
+Send custom EDNS option. The \fICODE\fP is EDNS option code in decimal, \fIHEX\fP
+is an optional hex encoded string to use as EDNS option value. This argument
+can be used multiple times. +noednsopt clears all EDNS options specified by
++ednsopt.
+.TP
+\fB+\fP[\fBno\fP]\fBproxy\fP=\fISRC_ADDR\fP[#\fISRC_PORT\fP]\-\fIDST_ADDR\fP[#\fIDST_PORT\fP]
+Add PROXYv2 header with the specified source and destination addresses to the query.
+The default source port is 0 and destination port 53.
+.TP
+\fB+\fP[\fBno\fP]\fBjson\fP
+Use JSON for output encoding (RFC 8427).
+.TP
+\fB+noidn\fP
+Disable the IDN transformation to ASCII and vice versa. IDN support depends
+on libidn availability during project building! If used in \fIcommon\-settings\fP,
+all IDN transformations are disabled. If used in the individual query \fIsettings\fP,
+transformation from ASCII is disabled on output for the particular query. Note
+that IDN transformation does not preserve domain name letter case.
+.UNINDENT
+.SH NOTES
+.sp
+Options \fB\-k\fP and \fB\-y\fP can not be used simultaneously.
+.sp
+Dnssec\-keygen keyfile format is not supported. Use \fBkeymgr(8)\fP instead.
+.SH EXIT VALUES
+.sp
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+.SH EXAMPLES
+.INDENT 0.0
+.IP 1. 3
+Get A records for example.com:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ kdig example.com A
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 2. 3
+Perform AXFR for zone example.com from the server 192.0.2.1:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ kdig example.com \-t AXFR @192.0.2.1
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 3. 3
+Get A records for example.com from 192.0.2.1 and reverse lookup for address
+2001:DB8::1 from 192.0.2.2. Both using the TCP protocol:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ kdig +tcp example.com \-t A @192.0.2.1 \-x 2001:DB8::1 @192.0.2.2
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 4. 3
+Get SOA record for example.com, use TLS, use system certificates, check
+for specified hostname, check for certificate pin, and print additional
+debug info:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ kdig \-d @185.49.141.38 +tls\-ca +tls\-host=getdnsapi.net \e
+ +tls\-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 5. 3
+DNS over HTTPS examples (various DoH implementations):
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ kdig @1.1.1.1 +https example.com.
+$ kdig @193.17.47.1 +https=/doh example.com.
+$ kdig @8.8.4.4 +https +https\-get example.com.
+$ kdig @8.8.8.8 +https +tls\-hostname=dns.google +fastopen example.com.
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 6. 3
+More queries share one DoT connection:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ kdig @1.1.1.1 +tls +keepopen abc.example.com A mail.example.com AAAA
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH FILES
+.sp
+\fB/etc/resolv.conf\fP
+.SH SEE ALSO
+.sp
+\fBkhost(1)\fP, \fBknsupdate(1)\fP, \fBkeymgr(8)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2023, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/keymgr.8in b/doc/man/keymgr.8in
new file mode 100644
index 0000000..399ece8
--- /dev/null
+++ b/doc/man/keymgr.8in
@@ -0,0 +1,364 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "KEYMGR" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+keymgr \- Knot DNS key management utility
+.SH SYNOPSIS
+.sp
+\fBkeymgr\fP [\fIconfig_option\fP \fIconfig_argument\fP] [\fIoption\fP\&...] \fIzone_name\fP \fIcommand\fP \fIargument\fP\&...
+.sp
+\fBkeymgr\fP [\fIconfig_option\fP \fIconfig_argument\fP] \fB\-l\fP
+.sp
+\fBkeymgr\fP \fB\-t\fP \fIparameter\fP\&...
+.SH DESCRIPTION
+.sp
+The \fBkeymgr\fP utility serves for manual key management in Knot DNS server.
+.sp
+Functions for DNSSEC keys and KASP (Key And Signature Policy)
+management are provided.
+.sp
+The DNSSEC and KASP configuration is stored in a so called KASP database.
+The database is backed by LMDB.
+.SS Config options
+.INDENT 0.0
+.TP
+\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
+Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+.TP
+\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
+Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+The default configuration database, if exists, has a preference to the default
+configuration file.
+.TP
+\fB\-D\fP, \fB\-\-dir\fP \fIpath\fP
+Use specified KASP database path and default configuration.
+.UNINDENT
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-t\fP, \fB\-\-tsig\fP \fItsig_name\fP [\fItsig_algorithm\fP [\fItsig_bits\fP]]
+Generates a TSIG key. TSIG algorithm can be specified by string (default: hmac\-sha256),
+bit length of the key by number (default: optimal length given by algorithm). The generated
+TSIG key is only displayed on \fIstdout\fP: the command does not create a file, nor include the
+key in a keystore.
+.TP
+\fB\-e\fP, \fB\-\-extended\fP
+Extended output (listing of keys with full description).
+.TP
+\fB\-j\fP, \fB\-\-json\fP
+Print the zones or keys in JSON format.
+.TP
+\fB\-l\fP, \fB\-\-list\fP
+Print the list of zones that have at least one key stored in the configured KASP
+database.
+.TP
+\fB\-x\fP, \fB\-\-mono\fP
+Don\(aqt generate colorized output.
+.TP
+\fB\-X\fP, \fB\-\-color\fP
+Force colorized output in the normal mode.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Keymgr runs with the same user privileges as configured for knotd\&.
+For example, if keymgr is run as \fBroot\fP, but the configured user
+is \fBknot\fP, it won\(aqt be able to read files (PEM files, KASP database, ...) readable
+only by \fBroot\fP\&.
+.UNINDENT
+.UNINDENT
+.SS Commands
+.INDENT 0.0
+.TP
+\fBlist\fP [\fItimestamp_format\fP]
+Prints the list of key IDs and parameters of keys belonging to the zone.
+.TP
+\fBgenerate\fP [\fIarguments\fP\&...]
+Generates new DNSSEC key and stores it in KASP database. Prints the key ID.
+This action takes some number of arguments (see below). Values for unspecified arguments are taken
+from corresponding policy (if \fI\-c\fP or \fI\-C\fP options used) or from Knot policy defaults.
+.TP
+\fBimport\-bind\fP \fIBIND_key_file\fP
+Imports a BIND\-style key into KASP database (converting it to PEM format).
+Takes one argument: path to BIND key file (private or public, but both MUST exist).
+.TP
+\fBimport\-pub\fP \fIBIND_pubkey_file\fP
+Imports a public key into KASP database. This key won\(aqt be rolled over nor used for signing.
+Takes one argument: path to BIND public key file.
+.TP
+\fBimport\-pem\fP \fIPEM_file\fP [\fIarguments\fP\&...]
+Imports a DNSSEC key from PEM file. The key parameters (same as for the generate action) need to be
+specified (mainly algorithm, timers...) because they are not contained in the PEM format.
+.TP
+\fBimport\-pkcs11\fP \fIkey_id\fP [\fIarguments\fP\&...]
+Imports a DNSSEC key from PKCS #11 storage. The key parameters (same as for the generate action) need to be
+specified (mainly algorithm, timers...) because they are not available. In fact, no key
+data is imported, only KASP database metadata is created.
+.TP
+\fBnsec3\-salt\fP [\fInew_salt\fP]
+Prints the current NSEC3 salt used for signing. If \fInew_salt\fP is specified, the salt is overwritten.
+The salt is printed and expected in hexadecimal, or dash if empty.
+.TP
+\fBlocal\-serial\fP [\fInew_serial\fP]
+Print SOA serial stored in KASP database when using on\-secondary DNSSEC signing.
+If \fInew_serial\fP is specified, the serial is overwritten. After updating the serial, expire the zone
+(\fBzone\-purge +expire +zonefile +journal\fP) if the server is running, or remove corresponding zone file
+and journal contents if the server is stopped.
+.TP
+\fBmaster\-serial\fP [\fInew_serial\fP]
+Print SOA serial of the remote master stored in KASP database when using on\-secondary DNSSEC signing.
+If \fInew_serial\fP is specified, the serial is overwritten (not recommended).
+.TP
+\fBset\fP \fIkey_spec\fP [\fIarguments\fP\&...]
+Changes a timing argument (or ksk/zsk) of an existing key to a new value. \fIKey_spec\fP is either the
+key tag or a prefix of the key ID, with an optional \fI[id=|keytag=]\fP prefix; \fIarguments\fP
+are like for \fBgenerate\fP, but just the related ones.
+.TP
+\fBds\fP [\fIkey_spec\fP]
+Generate DS record (all digest algorithms together) for specified key. \fIKey_spec\fP
+is like for \fBset\fP, if unspecified, all KSKs are used.
+.TP
+\fBdnskey\fP [\fIkey_spec\fP]
+Generate DNSKEY record for specified key. \fIKey_spec\fP
+is like for \fBds\fP, if unspecified, all KSKs are used.
+.TP
+\fBdelete\fP \fIkey_spec\fP
+Remove the specified key from zone. If the key was not shared, it is also deleted from keystore.
+.TP
+\fBshare\fP \fIkey_ID\fP \fIzone_from\fP
+Import a key (specified by full key ID) from another zone as shared. After this, the key is
+owned by both zones equally.
+.UNINDENT
+.SS Commands related to Offline KSK feature
+.INDENT 0.0
+.TP
+\fBpregenerate\fP [\fItimestamp\-from\fP] \fItimestamp\-to\fP
+Pre\-generate ZSKs for use with offline KSK, for the specified period starting from now or specified time.
+This function also applies to non\-offline KSK keys.
+.TP
+\fBshow\-offline\fP [\fItimestamp\-from\fP] [\fItimestamp\-to\fP]
+Print pre\-generated offline key\-related records for specified time interval. If \fItimestamp_to\fP
+is omitted, it will be to infinity. If \fItimestamp\-from\fP is omitted, it will start from the
+beginning.
+.TP
+\fBdel\-offline\fP \fItimestamp\-from\fP \fItimestamp\-to\fP
+Delete pre\-generated offline key\-related records in specified time interval.
+.TP
+\fBdel\-all\-old\fP
+Delete old keys that are in state \(aqremoved\(aq. This function also applies to
+non\-offline KSK keys.
+.TP
+\fBgenerate\-ksr\fP [\fItimestamp\-from\fP] \fItimestamp\-to\fP
+Print to stdout KeySigningRequest based on pre\-generated ZSKs for specified time period.
+If \fItimestamp\-from\fP is omitted, timestamp of the last offline records set is used
+or now if no records available.
+.TP
+\fBsign\-ksr\fP \fIksr_file\fP
+Read KeySigningRequest from a text file, sign it using local keyset and print SignedKeyResponse to stdout.
+.TP
+\fBvalidate\-skr\fP \fIskr_file\fP
+Read SignedKeyResponse from a text file and validate the RRSIGs in it if not corrupt.
+.TP
+\fBimport\-skr\fP \fIskr_file\fP
+Read SignedKeyResponse from a text file and import the signatures for later use in zone. If some
+signatures have already been imported, they will be deleted for the period from beginning of the SKR
+to infinity.
+.UNINDENT
+.SS Generate arguments
+.sp
+Arguments are separated by space, each of them is in format \(aqname=value\(aq.
+.INDENT 0.0
+.TP
+\fBalgorithm\fP
+Either an algorithm number (e.g. 14), or text name without dashes (e.g. ECDSAP384SHA384).
+.TP
+\fBsize\fP
+Key length in bits.
+.TP
+\fBksk\fP
+If set to \fByes\fP, the key will be used for signing DNSKEY rrset. The generated key will also
+have the Secure Entry Point flag set to 1.
+.TP
+\fBzsk\fP
+If set to \fByes\fP, the key will be used for signing zone (except DNSKEY rrset). This flag can
+be set concurrently with the \fBksk\fP flag.
+.TP
+\fBsep\fP
+Overrides the standard setting of the Secure Entry Point flag.
+.UNINDENT
+.sp
+The following arguments are timestamps of key lifetime (see DNSSEC Key states):
+.INDENT 0.0
+.TP
+\fBpre_active\fP
+Key started to be used for signing, not published (only for algorithm rollover).
+.TP
+\fBpublish\fP
+Key published.
+.TP
+\fBready\fP
+Key is waiting for submission (only for KSK).
+.TP
+\fBactive\fP
+Key used for signing.
+.TP
+\fBretire_active\fP
+Key still used for signing, but another key is active (only for KSK or algorithm rollover).
+.TP
+\fBretire\fP
+Key still published, but no longer used for signing.
+.TP
+\fBpost_active\fP
+Key no longer published, but still used for signing (only for algorithm rollover).
+.TP
+\fBrevoke\fP
+Key revoked according to \fI\%RFC 5011\fP trust anchor roll\-over.
+.TP
+\fBremove\fP
+Key deleted.
+.UNINDENT
+.SS Timestamps
+.INDENT 0.0
+.TP
+0
+Zero timestamp means infinite future.
+.TP
+\fIUNIX_time\fP
+Positive number of seconds since 1970 UTC.
+.TP
+\fIYYYYMMDDHHMMSS\fP
+Date and time in this format without any punctuation.
+.TP
+\fIrelative_timestamp\fP
+A sign character (\fB+\fP, \fB\-\fP), a number, and an optional time unit
+(\fBy\fP, \fBmo\fP, \fBd\fP, \fBh\fP, \fBmi\fP, \fBs\fP). The default unit is one second.
+E.g. +1mi, \-2mo.
+.UNINDENT
+.SS Output timestamp formats
+.INDENT 0.0
+.TP
+(none)
+The timestamps are printed as UNIX timestamp.
+.TP
+\fBhuman\fP
+The timestamps are printed relatively to now using time units (e.g. \-2y5mo, +1h13s).
+.TP
+\fBiso\fP
+The timestamps are printed in the ISO8601 format (e.g. 2016\-12\-31T23:59:00).
+.UNINDENT
+.SH EXIT VALUES
+.sp
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+.SH EXAMPLES
+.INDENT 0.0
+.IP 1. 3
+Generate new TSIG key:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ keymgr \-t my_name hmac\-sha384
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 2. 3
+Generate new DNSSEC key:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ keymgr example.com. generate algorithm=ECDSAP256SHA256 size=256 \e
+ ksk=true created=1488034625 publish=20170223205611 retire=+10mo remove=+1y
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 3. 3
+Import a DNSSEC key from BIND:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ keymgr example.com. import\-bind ~/bind/Kharbinge4d5.+007+63089.key
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 4. 3
+Configure key timing:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ keymgr example.com. set 4208 active=+2mi retire=+4mi remove=+5mi
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 5. 3
+Share a KSK from another zone:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ keymgr example.com. share e687cf927029e9db7184d2ece6d663f5d1e5b0e9 another\-zone.com.
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fI\%RFC 6781\fP \- DNSSEC Operational Practices.
+\fI\%RFC 7583\fP \- DNSSEC Key Rollover Timing Considerations.
+.sp
+\fBknot.conf(5)\fP,
+\fBknotc(8)\fP,
+\fBknotd(8)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2023, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/khost.1in b/doc/man/khost.1in
new file mode 100644
index 0000000..d0f0e7c
--- /dev/null
+++ b/doc/man/khost.1in
@@ -0,0 +1,156 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "KHOST" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+khost \- Simple DNS lookup utility
+.SH SYNOPSIS
+.sp
+\fBkhost\fP [\fIoptions\fP] \fIname\fP [\fIserver\fP]
+.SH DESCRIPTION
+.sp
+This utility sends a DNS query for the \fIname\fP to the \fIserver\fP and prints a reply
+in more user\-readable form. For more advanced DNS queries use kdig
+instead.
+.SS Parameters
+.INDENT 0.0
+.TP
+\fIname\fP
+Is a domain name that is to be looked up. If the \fIname\fP is IPv4 or IPv6
+address the PTR query type is used.
+.TP
+\fIserver\fP
+Is a name or an address of the nameserver to send a query to. The address
+can be specified using [address]:port notation. If no server is specified,
+the servers from \fB/etc/resolv.conf\fP are used.
+.UNINDENT
+.sp
+If no arguments are provided, \fBkhost\fP prints a short help.
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-4\fP
+Use the IPv4 protocol only.
+.TP
+\fB\-6\fP
+Use the IPv6 protocol only.
+.TP
+\fB\-a\fP
+Send ANY query with verbose mode.
+.TP
+\fB\-d\fP
+Enable debug messages.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-r\fP
+Disable recursion.
+.TP
+\fB\-T\fP
+Use the TCP protocol.
+.TP
+\fB\-v\fP
+Enable verbose output.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.TP
+\fB\-w\fP
+Wait forever for the reply.
+.TP
+\fB\-c\fP \fIclass\fP
+Set the query class (e.g. CH, CLASS4). The default class is IN.
+.TP
+\fB\-t\fP \fItype\fP
+Set the query type (e.g. NS, IXFR=12345, TYPE65535). The default is to send 3
+queries (A, AAAA and MX).
+.TP
+\fB\-R\fP \fIretries\fP
+The number (>=0) of UDP retries to query a nameserver. The default is 1.
+.TP
+\fB\-W\fP \fIwait\fP
+The time to wait for a reply in seconds. This timeout applies to each query
+try. The default is 2 seconds.
+.UNINDENT
+.SH EXIT VALUES
+.sp
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+.SH EXAMPLES
+.INDENT 0.0
+.IP 1. 3
+Get the A, AAAA and MX records for example.com:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ khost example.com
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 2. 3
+Get the reverse record for address 192.0.2.1:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ khost 192.0.2.1
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 3. 3
+Perform a verbose zone transfer for zone example.com:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ khost \-t AXFR \-v example.com
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH FILES
+.sp
+\fB/etc/resolv.conf\fP
+.SH SEE ALSO
+.sp
+\fBkdig(1)\fP, \fBknsupdate(1)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2023, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/kjournalprint.8in b/doc/man/kjournalprint.8in
new file mode 100644
index 0000000..2ff78e8
--- /dev/null
+++ b/doc/man/kjournalprint.8in
@@ -0,0 +1,120 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "KJOURNALPRINT" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+kjournalprint \- Knot DNS journal print utility
+.SH SYNOPSIS
+.sp
+\fBkjournalprint\fP [\fIconfig_option\fP \fIconfig_argument\fP] [\fIoption\fP\&...] \fIzone_name\fP
+.sp
+\fBkjournalprint\fP [\fIconfig_option\fP \fIconfig_argument\fP] \fB\-z\fP
+.SH DESCRIPTION
+.sp
+The program prints zone history stored in a journal database. As default,
+changes are colored for terminal.
+.SS Config options
+.INDENT 0.0
+.TP
+\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
+Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+.TP
+\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
+Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+The default configuration database, if exists, has a preference to the default
+configuration file.
+.TP
+\fB\-D\fP, \fB\-\-dir\fP \fIpath\fP
+Use specified journal database path and default configuration.
+.UNINDENT
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-z\fP, \fB\-\-zone\-list\fP
+Instead of reading the journal, display the list of zones in the DB.
+.TP
+\fB\-l\fP, \fB\-\-limit\fP \fIlimit\fP
+Limits the number of displayed changes.
+.TP
+\fB\-s\fP, \fB\-\-serial\fP \fIsoa\fP
+Start at a specific SOA serial.
+.TP
+\fB\-H\fP, \fB\-\-check\fP
+Enable additional journal semantic checks during printing.
+.TP
+\fB\-d\fP, \fB\-\-debug\fP
+Debug mode brief output.
+.TP
+\fB\-x\fP, \fB\-\-mono\fP
+Don\(aqt generate colorized output.
+.TP
+\fB\-n\fP, \fB\-\-no\-color\fP
+An alias for \fB\-x\fP\&. Use of this option is deprecated, it will be removed in the future.
+.TP
+\fB\-X\fP, \fB\-\-color\fP
+Force colorized output.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.UNINDENT
+.SS Parameters
+.INDENT 0.0
+.TP
+\fIzone_name\fP
+A name of the zone to print the history for.
+.UNINDENT
+.SH EXIT VALUES
+.sp
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+.SH EXAMPLES
+.sp
+Last (most recent) 5 changes without colors:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ kjournalprint \-nl 5 /var/lib/knot/journal example.com.
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBknotd(8)\fP, \fBknot.conf(5)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2023, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5in
new file mode 100644
index 0000000..4ed939d
--- /dev/null
+++ b/doc/man/knot.conf.5in
@@ -0,0 +1,2499 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "KNOT.CONF" "5" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+knot.conf \- Knot DNS configuration file
+.SH DESCRIPTION
+.sp
+Configuration files for Knot DNS use simplified YAML format. Simplified means
+that not all of the features are supported.
+.sp
+For the description of configuration items, we have to declare a meaning of
+the following symbols:
+.INDENT 0.0
+.IP \(bu 2
+\fBINT\fP – Integer
+.IP \(bu 2
+\fBSTR\fP – Textual string
+.IP \(bu 2
+\fBHEXSTR\fP – Hexadecimal string (with \fB0x\fP prefix)
+.IP \(bu 2
+\fBBOOL\fP – Boolean value (\fBon\fP/\fBoff\fP or \fBtrue\fP/\fBfalse\fP)
+.IP \(bu 2
+\fBTIME\fP – Number of seconds, an integer with possible time multiplier suffix
+(\fBs\fP ~ 1, \fBm\fP ~ 60, \fBh\fP ~ 3600 or \fBd\fP ~ 24 * 3600)
+.IP \(bu 2
+\fBSIZE\fP – Number of bytes, an integer with possible size multiplier suffix
+(\fBB\fP ~ 1, \fBK\fP ~ 1024, \fBM\fP ~ 1024^2 or \fBG\fP ~ 1024^3)
+.IP \(bu 2
+\fBBASE64\fP – Base64 encoded string
+.IP \(bu 2
+\fBADDR\fP – IPv4 or IPv6 address
+.IP \(bu 2
+\fBDNAME\fP – Domain name
+.IP \(bu 2
+\fB\&...\fP – Multi\-valued item, order of the values is preserved
+.IP \(bu 2
+\fB[\fP \fB]\fP – Optional value
+.IP \(bu 2
+\fB|\fP – Choice
+.UNINDENT
+.sp
+The configuration consists of several fixed sections and optional module
+sections. There are 16 fixed sections (\fBmodule\fP, \fBserver\fP, \fBxdp\fP, \fBcontrol\fP,
+\fBlog\fP, \fBstatistics\fP, \fBdatabase\fP, \fBkeystore\fP, \fBkey\fP, \fBremote\fP,
+\fBremotes\fP, \fBacl\fP, \fBsubmission\fP, \fBpolicy\fP, \fBtemplate\fP, \fBzone\fP).
+Module sections are prefixed with the \fBmod\-\fP prefix (e.g. \fBmod\-stats\fP).
+.sp
+Most of the sections (e.g. \fBzone\fP) are sequences of settings blocks. Each
+settings block begins with a unique identifier, which can be used as a reference
+from other sections (such an identifier must be defined in advance).
+.sp
+A multi\-valued item can be specified either as a YAML sequence:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+address: [10.0.0.1, 10.0.0.2]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+or as more single\-valued items each on an extra line:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+address: 10.0.0.1
+address: 10.0.0.2
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If an item value contains spaces or other special characters, it is necessary
+to enclose such a value within double quotes \fB"\fP \fB"\fP\&.
+.SH COMMENTS
+.sp
+A comment begins with a \fB#\fP character and is ignored during processing.
+Also each configuration section or sequence block allows a permanent
+comment using the \fBcomment\fP item which is stored in the server beside the
+configuration.
+.SH INCLUDING CONFIGURATION
+.sp
+Another configuration file or files, matching a pattern, can be included at
+the top level in the current file.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+include: STR
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS include
+.sp
+A path or a matching pattern specifying one or more files that are included
+at the place of the include option position in the configuration.
+If the path is not absolute, then it is considered to be relative to the
+current file. The pattern can be an arbitrary string meeting POSIX \fIglob\fP
+requirements, e.g. dir/*.conf. Matching files are processed in sorted order.
+.sp
+\fIDefault:\fP not set
+.SH MODULE SECTION
+.sp
+Dynamic modules loading configuration.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+If configured with non\-empty \fB\(ga\-\-with\-moduledir=path\(ga\fP parameter, all
+shared modules in this directory will be automatically loaded.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+module:
+ \- id: STR
+ file: STR
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+A module identifier in the form of the \fBmod\-\fP prefix and module name suffix.
+.SS file
+.sp
+A path to a shared library file with the module implementation.
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+If the path is not absolute, the library is searched in the set of
+system directories. See \fBman dlopen\fP for more details.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB${libdir}/knot/modules\-${version}\fP/module_name.so
+(or \fB${path}\fP/module_name.so if configured with \fB\-\-with\-moduledir=path\fP)
+.SH SERVER SECTION
+.sp
+General options related to the server.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+server:
+ identity: [STR]
+ version: [STR]
+ nsid: [STR|HEXSTR]
+ rundir: STR
+ user: STR[:STR]
+ pidfile: STR
+ udp\-workers: INT
+ tcp\-workers: INT
+ background\-workers: INT
+ async\-start: BOOL
+ tcp\-idle\-timeout: TIME
+ tcp\-io\-timeout: INT
+ tcp\-remote\-io\-timeout: INT
+ tcp\-max\-clients: INT
+ tcp\-reuseport: BOOL
+ tcp\-fastopen: BOOL
+ quic\-max\-clients: INT
+ quic\-outbuf\-max\-size: SIZE
+ quic\-idle\-close\-timeout: TIME
+ remote\-pool\-limit: INT
+ remote\-pool\-timeout: TIME
+ remote\-retry\-delay: TIME
+ socket\-affinity: BOOL
+ udp\-max\-payload: SIZE
+ udp\-max\-payload\-ipv4: SIZE
+ udp\-max\-payload\-ipv6: SIZE
+ key\-file: STR
+ cert\-file: STR
+ edns\-client\-subnet: BOOL
+ answer\-rotation: BOOL
+ automatic\-acl: BOOL
+ proxy\-allowlist: ADDR[/INT] | ADDR\-ADDR ...
+ dbus\-event: none | running | zone\-updated | ksk\-submission | dnssec\-invalid ...
+ dbus\-init\-delay: TIME
+ listen: ADDR[@INT] ...
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBCAUTION:\fP
+.INDENT 0.0
+.INDENT 3.5
+When you change configuration parameters dynamically or via configuration file
+reload, some parameters in the Server section require restarting the Knot server
+so that the changes take effect. See below for the details.
+.UNINDENT
+.UNINDENT
+.SS identity
+.sp
+An identity of the server returned in the response to the query for TXT
+record \fBid.server.\fP or \fBhostname.bind.\fP in the CHAOS class (\fI\%RFC 4892\fP).
+Set to an empty value to disable.
+.sp
+\fIDefault:\fP FQDN hostname
+.SS version
+.sp
+A version of the server software returned in the response to the query
+for TXT record \fBversion.server.\fP or \fBversion.bind.\fP in the CHAOS
+class (\fI\%RFC 4892\fP). Set to an empty value to disable.
+.sp
+\fIDefault:\fP server version
+.SS nsid
+.sp
+A DNS name server identifier (\fI\%RFC 5001\fP). Set to an empty value to disable.
+.sp
+\fIDefault:\fP FQDN hostname at the moment of the daemon start
+.SS rundir
+.sp
+A path for storing run\-time data (PID file, unix sockets, etc.).
+.sp
+Depending on the usage of this parameter, its change may require restart of the Knot
+server to take effect.
+.sp
+\fIDefault:\fP \fB${localstatedir}/run/knot\fP (configured with \fB\-\-with\-rundir=path\fP)
+.SS user
+.sp
+A system user with an optional system group (\fBuser:group\fP) under which the
+server is run after starting and binding to interfaces. Linux capabilities
+are employed if supported.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP \fBroot:root\fP
+.SS pidfile
+.sp
+A PID file location.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP \fI\%rundir\fP\fB/knot.pid\fP
+.SS udp\-workers
+.sp
+A number of UDP workers (threads) used to process incoming queries
+over UDP.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP equal to the number of online CPUs
+.SS tcp\-workers
+.sp
+A number of TCP workers (threads) used to process incoming queries
+over TCP.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP equal to the number of online CPUs, default value is at least 10
+.SS background\-workers
+.sp
+A number of workers (threads) used to execute background operations (zone
+loading, zone updates, etc.).
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP equal to the number of online CPUs, default value is at most 10
+.SS async\-start
+.sp
+If enabled, server doesn\(aqt wait for the zones to be loaded and starts
+responding immediately with SERVFAIL answers until the zone loads.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS tcp\-idle\-timeout
+.sp
+Maximum idle time (in seconds) between requests on an inbound TCP connection.
+It means if there is no activity on an inbound TCP connection during this limit,
+the connection is closed by the server.
+.sp
+\fIMinimum:\fP \fB1\fP
+.sp
+\fIDefault:\fP \fB10\fP
+.SS tcp\-io\-timeout
+.sp
+Maximum time (in milliseconds) to receive or send one DNS message over an inbound
+TCP connection. It means this limit applies to normal DNS queries and replies,
+incoming DDNS, and \fBoutgoing zone transfers\fP\&. The timeout is measured since some
+data is already available for processing.
+Set to 0 for infinity.
+.sp
+\fIDefault:\fP \fB500\fP (milliseconds)
+.sp
+\fBCAUTION:\fP
+.INDENT 0.0
+.INDENT 3.5
+In order to reduce the risk of Slow Loris attacks, it\(aqs recommended setting
+this limit as low as possible on public servers.
+.UNINDENT
+.UNINDENT
+.SS tcp\-remote\-io\-timeout
+.sp
+Maximum time (in milliseconds) to receive or send one DNS message over an outbound
+TCP connection which has already been established to a configured remote server.
+It means this limit applies to incoming zone transfers, sending NOTIFY,
+DDNS forwarding, and DS check or push. This timeout includes the time needed
+for a network round\-trip and for a query processing by the remote.
+Set to 0 for infinity.
+.sp
+\fIDefault:\fP \fB5000\fP (milliseconds)
+.SS tcp\-reuseport
+.sp
+If enabled, each TCP worker listens on its own socket and the OS kernel
+socket load balancing is employed using SO_REUSEPORT (or SO_REUSEPORT_LB
+on FreeBSD). Due to the lack of one shared socket, the server can offer
+higher response rate processing over TCP. However, in the case of
+time\-consuming requests (e.g. zone transfers of a TLD zone), enabled reuseport
+may result in delayed or not being responded client requests. So it is
+advisable to use this option on secondary servers.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS tcp\-fastopen
+.sp
+If enabled, use TCP Fast Open for outbound TCP communication (client side):
+incoming zone transfers, sending NOTIFY, and DDNS forwarding. This mode simplifies
+TCP handshake and can result in better networking performance. TCP Fast Open
+for inbound TCP communication (server side) isn\(aqt affected by this
+configuration as it\(aqs enabled automatically if supported by OS.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+The TCP Fast Open support must also be enabled on the OS level:
+.INDENT 0.0
+.IP \(bu 2
+Linux/macOS: ensure kernel parameter \fBnet.ipv4.tcp_fastopen\fP is \fB2\fP or
+\fB3\fP for server side, and \fB1\fP or \fB3\fP for client side.
+.IP \(bu 2
+FreeBSD: ensure kernel parameter \fBnet.inet.tcp.fastopen.server_enable\fP
+is \fB1\fP for server side, and \fBnet.inet.tcp.fastopen.client_enable\fP is
+\fB1\fP for client side.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS quic\-max\-clients
+.sp
+A maximum number of QUIC clients connected in parallel.
+.sp
+See also \fI\%quic\fP\&.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIMinimum:\fP \fB128\fP
+.sp
+\fIDefault:\fP \fB10000\fP (ten thousand)
+.SS quic\-outbuf\-max\-size
+.sp
+Maximum cumulative size of memory used for buffers of unACKed
+sent messages.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Set low if little memory is available (together with \fI\%quic\-max\-clients\fP
+since QUIC connections are memory\-heavy). Set to high value if outgoing zone
+transfers of big zone over QUIC are expected.
+.UNINDENT
+.UNINDENT
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIMinimum:\fP \fB1M\fP (1 MiB)
+.sp
+\fIDefault:\fP \fB100M\fP (100 MiB)
+.SS quic\-idle\-close\-timeout
+.sp
+Time in seconds, after which any idle QUIC connection is gracefully closed.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIMinimum:\fP \fB1\fP
+.sp
+\fIDefault:\fP \fB4\fP
+.SS remote\-pool\-limit
+.sp
+If nonzero, the server will keep up to this number of outgoing TCP connections
+open for later use. This is an optimization to avoid frequent opening of
+TCP connections to the same remote.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP \fB0\fP
+.SS remote\-pool\-timeout
+.sp
+The timeout in seconds after which the unused kept\-open outgoing TCP connections
+to remote servers are closed.
+.sp
+\fIDefault:\fP \fB5\fP
+.SS remote\-retry\-delay
+.sp
+When a connection attempt times out to some remote address, this information will be
+kept for this specified time (in milliseconds) and other connections to the same address won\(aqt
+be attempted. This prevents repetitive waiting for timeout on an unreachable remote.
+.sp
+\fIDefault:\fP \fB0\fP
+.SS socket\-affinity
+.sp
+If enabled and if SO_REUSEPORT is available on Linux, all configured network
+sockets are bound to UDP and TCP workers in order to increase the networking performance.
+This mode isn\(aqt recommended for setups where the number of network card queues
+is lower than the number of UDP or TCP workers.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS tcp\-max\-clients
+.sp
+A maximum number of TCP clients connected in parallel, set this below the file
+descriptor limit to avoid resource exhaustion.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+It is advisable to adjust the maximum number of open files per process in your
+operating system configuration.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP one half of the file descriptor limit for the server process
+.SS udp\-max\-payload
+.sp
+Maximum EDNS0 UDP payload size default for both IPv4 and IPv6.
+.sp
+\fIDefault:\fP \fB1232\fP
+.SS udp\-max\-payload\-ipv4
+.sp
+Maximum EDNS0 UDP payload size for IPv4.
+.sp
+\fIDefault:\fP \fB1232\fP
+.SS udp\-max\-payload\-ipv6
+.sp
+Maximum EDNS0 UDP payload size for IPv6.
+.sp
+\fIDefault:\fP \fB1232\fP
+.SS key\-file
+.sp
+Path to a server key PEM file which is used for DNS over QUIC communication.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP one\-time in\-memory key
+.SS cert\-file
+.sp
+Path to a server certificate PEM file which is used for DNS over QUIC communication.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP one\-time in\-memory certificate
+.SS edns\-client\-subnet
+.sp
+Enable or disable EDNS Client Subnet support. If enabled, responses to queries
+containing the EDNS Client Subnet option
+always contain a valid EDNS Client Subnet option according to \fI\%RFC 7871\fP\&.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS answer\-rotation
+.sp
+Enable or disable sorted\-rrset rotation in the answer section of normal replies.
+The rotation shift is simply determined by a query ID.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS automatic\-acl
+.sp
+If enabled, \fI\%automatic ACL\fP setting of
+configured remotes is considered when evaluating authorized operations.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS proxy\-allowlist
+.sp
+An ordered list of IP addresses, network subnets, or network ranges
+which are allowed as a source address of proxied DNS traffic over UDP.
+The supported proxy protocol is
+\fI\%haproxy PROXY v2\fP\&.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+TCP is not supported.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP not set
+.SS dbus\-event
+.sp
+Specification of server or zone states which emit a D\-Bus signal on the system
+bus. The bus name is \fBcz.nic.knotd\fP, the object path is \fB/cz/nic/knotd\fP, and
+the interface name is \fBcz.nic.knotd.events\fP\&.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBnone\fP – No signal is emitted.
+.IP \(bu 2
+\fBrunning\fP – The signal \fBstarted\fP is emitted when the server is fully operational
+and the signal \fBstopped\fP is emitted at the beginning of the server shutdown.
+.IP \(bu 2
+\fBzone\-updated\fP – The signal \fBzone_updated\fP is emitted when a zone has been updated;
+the signal parameters are \fIzone name\fP and \fIzone SOA serial\fP\&.
+.IP \(bu 2
+\fBksk\-submission\fP – The signal \fBzone_ksk_submission\fP is emitted if there is
+a ready KSK present when the zone is signed; the signal parameters are
+\fIzone name\fP, \fIKSK keytag\fP, and \fIKSK KASP id\fP\&.
+.IP \(bu 2
+\fBdnssec\-invalid\fP – The signal \fBzone_dnssec_invalid\fP is emitted when DNSSEC
+validation fails; the signal parameter is \fIzone name\fP\&.
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This function requires systemd version at least 221.
+.UNINDENT
+.UNINDENT
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP \fBnone\fP
+.SS dbus\-init\-delay
+.sp
+Time in seconds which the server waits upon D\-Bus initialization to ensure
+the D\-Bus client is ready to receive signals.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIMinimum:\fP \fB0\fP
+.sp
+\fIDefault:\fP \fB1\fP
+.SS listen
+.sp
+One or more IP addresses where the server listens for incoming queries.
+Optional port specification (default is 53) can be appended to each address
+using \fB@\fP separator. Use \fB0.0.0.0\fP for all configured IPv4 addresses or
+\fB::\fP for all configured IPv6 addresses. Filesystem path can be specified
+for listening on local unix SOCK_STREAM socket. Non\-local address binding
+is automatically enabled if supported by the operating system.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP not set
+.SH XDP SECTION
+.sp
+Various options related to XDP listening, especially TCP.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+xdp:
+ listen: STR[@INT] | ADDR[@INT] ...
+ udp: BOOL
+ tcp: BOOL
+ quic: BOOL
+ quic\-port: INT
+ quic\-log: BOOL
+ tcp\-max\-clients: INT
+ tcp\-inbuf\-max\-size: SIZE
+ tcp\-outbuf\-max\-size: SIZE
+ tcp\-idle\-close\-timeout: TIME
+ tcp\-idle\-reset\-timeout: TIME
+ tcp\-resend\-timeout: TIME
+ route\-check: BOOL
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBCAUTION:\fP
+.INDENT 0.0
+.INDENT 3.5
+When you change configuration parameters dynamically or via configuration file
+reload, some parameters in the XDP section require restarting the Knot server
+so that the changes take effect.
+.UNINDENT
+.UNINDENT
+.SS listen
+.sp
+One or more network device names (e.g. \fBens786f0\fP) on which the Mode XDP
+is enabled. Alternatively, an IP address can be used instead of a device name,
+but the server will still listen on all addresses belonging to the same interface!
+Optional port specification (default is 53) can be appended to each device name
+or address using \fB@\fP separator.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fBCAUTION:\fP
+.INDENT 0.0
+.INDENT 3.5
+If XDP workers only process regular DNS traffic over UDP, it is strongly
+recommended to also \fI\%listen\fP on the addresses which are
+intended to offer the DNS service, at least to fulfil the DNS requirement for
+working TCP.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP not set
+.SS udp
+.sp
+If enabled, DNS over UDP is processed with XDP workers.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP \fBon\fP
+.SS tcp
+.sp
+If enabled, DNS over TCP traffic is processed with XDP workers.
+.sp
+The TCP stack limitations:
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+Congestion control is not implemented.
+.IP \(bu 2
+Lost packets that do not contain TCP payload may not be resend.
+.IP \(bu 2
+Not optimized for transfers of non\-trivial zones.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS quic
+.sp
+If enabled, DNS over QUIC is processed with XDP workers.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS quic\-port
+.sp
+DNS over QUIC will listen on the interfaces configured by \fI\%listen\fP,
+but on different port, configured by this option.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP \fB853\fP
+.SS quic\-log
+.sp
+Triggers extensive logging of all QUIC protocol internals for every connection.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS tcp\-max\-clients
+.sp
+A maximum number of TCP clients connected in parallel.
+.sp
+\fIMinimum:\fP \fB1024\fP
+.sp
+\fIDefault:\fP \fB1000000\fP (one million)
+.SS tcp\-inbuf\-max\-size
+.sp
+Maximum cumulative size of memory used for buffers of incompletely
+received messages.
+.sp
+\fIMinimum:\fP \fB1M\fP (1 MiB)
+.sp
+\fIDefault:\fP \fB100M\fP (100 MiB)
+.SS tcp\-outbuf\-max\-size
+.sp
+Maximum cumulative size of memory used for buffers of unACKed
+sent messages.
+.sp
+\fIMinimum:\fP \fB1M\fP (1 MiB)
+.sp
+\fIDefault:\fP \fB100M\fP (100 MiB)
+.SS tcp\-idle\-close\-timeout
+.sp
+Time in seconds, after which any idle connection is gracefully closed.
+.sp
+\fIMinimum:\fP \fB1\fP
+.sp
+\fIDefault:\fP \fB10\fP
+.SS tcp\-idle\-reset\-timeout
+.sp
+Time in seconds, after which any idle connection is forcibly closed.
+.sp
+\fIMinimum:\fP \fB1\fP
+.sp
+\fIDefault:\fP \fB20\fP
+.SS tcp\-resend\-timeout
+.sp
+Resend outgoing data packets (with DNS response payload) if not ACKed
+before this timeout.
+.sp
+\fIMinimum:\fP \fB1\fP
+.sp
+\fIDefault:\fP \fB5\fP
+.SS route\-check
+.sp
+If enabled, routing information from the operating system is considered
+when processing every incoming DNS packet received over the XDP interface:
+.INDENT 0.0
+.IP \(bu 2
+If the outgoing interface of the corresponding DNS response differs from
+the incoming one, the packet is processed normally by UDP/TCP workers
+(XDP isn\(aqt used).
+.IP \(bu 2
+If the destination address is blackholed, unreachable, or prohibited,
+the DNS packet is dropped without any response.
+.IP \(bu 2
+The destination MAC address and possible VLAN tag for the response are taken
+from the routing system.
+.UNINDENT
+.sp
+If disabled, symmetrical routing is applied. It means that the query source
+MAC address is used as a response destination MAC address. Possible VLAN tag
+is preserved.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This mode requires forwarding enabled on the loopback interface
+(\fBsysctl \-w net.ipv4.conf.lo.forwarding=1\fP and \fBsysctl \-w net.ipv6.conf.lo.forwarding=1\fP).
+If forwarding is disabled, all incoming DNS packets are dropped!
+.sp
+Only VLAN 802.1Q is supported.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fBoff\fP
+.SH CONTROL SECTION
+.sp
+Configuration of the server control interface.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+control:
+ listen: STR
+ timeout: TIME
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS listen
+.sp
+A UNIX socket path where the server listens for control commands.
+.sp
+\fIDefault:\fP \fI\%rundir\fP\fB/knot.sock\fP
+.SS timeout
+.sp
+Maximum time (in seconds) the control socket operations can take.
+Set to 0 for infinity.
+.sp
+\fIDefault:\fP \fB5\fP
+.SH LOG SECTION
+.sp
+Server can be configured to log to the standard output, standard error
+output, syslog (or systemd journal if systemd is enabled) or into an arbitrary
+file.
+.sp
+There are 6 logging severity levels:
+.INDENT 0.0
+.IP \(bu 2
+\fBcritical\fP – Non\-recoverable error resulting in server shutdown.
+.IP \(bu 2
+\fBerror\fP – Recoverable error, action should be taken.
+.IP \(bu 2
+\fBwarning\fP – Warning that might require user action.
+.IP \(bu 2
+\fBnotice\fP – Server notice or hint.
+.IP \(bu 2
+\fBinfo\fP – Informational message.
+.IP \(bu 2
+\fBdebug\fP – Debug or detailed message.
+.UNINDENT
+.sp
+In the case of a missing log section, \fBwarning\fP or more serious messages
+will be logged to both standard error output and syslog. The \fBinfo\fP and
+\fBnotice\fP messages will be logged to standard output.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+log:
+ \- target: stdout | stderr | syslog | STR
+ server: critical | error | warning | notice | info | debug
+ control: critical | error | warning | notice | info | debug
+ zone: critical | error | warning | notice | info | debug
+ any: critical | error | warning | notice | info | debug
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS target
+.sp
+A logging output.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBstdout\fP – Standard output.
+.IP \(bu 2
+\fBstderr\fP – Standard error output.
+.IP \(bu 2
+\fBsyslog\fP – Syslog or systemd journal.
+.IP \(bu 2
+\fIfile_name\fP – A specific file.
+.UNINDENT
+.sp
+With \fBsyslog\fP target, syslog service is used. However, if Knot DNS has been compiled
+with systemd support and operating system has been booted with systemd, systemd journal
+is used for logging instead of syslog.
+.SS server
+.sp
+Minimum severity level for messages related to general operation of the server to be
+logged.
+.sp
+\fIDefault:\fP not set
+.SS control
+.sp
+Minimum severity level for messages related to server control to be logged.
+.sp
+\fIDefault:\fP not set
+.SS zone
+.sp
+Minimum severity level for messages related to zones to be logged.
+.sp
+\fIDefault:\fP not set
+.SS any
+.sp
+Minimum severity level for all message types to be logged.
+.sp
+\fIDefault:\fP not set
+.SH STATS SECTION
+.sp
+Periodic server statistics dumping.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+statistics:
+ timer: TIME
+ file: STR
+ append: BOOL
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS timer
+.sp
+A period after which all available statistics metrics will by written to the
+\fI\%file\fP\&.
+.sp
+\fIDefault:\fP not set
+.SS file
+.sp
+A file path of statistics output in the YAML format.
+.sp
+\fIDefault:\fP \fI\%rundir\fP\fB/stats.yaml\fP
+.SS append
+.sp
+If enabled, the output will be appended to the \fI\%file\fP
+instead of file replacement.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SH DATABASE SECTION
+.sp
+Configuration of databases for zone contents, DNSSEC metadata, or event timers.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+database:
+ storage: STR
+ journal\-db: STR
+ journal\-db\-mode: robust | asynchronous
+ journal\-db\-max\-size: SIZE
+ kasp\-db: STR
+ kasp\-db\-max\-size: SIZE
+ timer\-db: STR
+ timer\-db\-max\-size: SIZE
+ catalog\-db: str
+ catalog\-db\-max\-size: SIZE
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS storage
+.sp
+A data directory for storing journal, KASP, and timer databases.
+.sp
+\fIDefault:\fP \fB${localstatedir}/lib/knot\fP (configured with \fB\-\-with\-storage=path\fP)
+.SS journal\-db
+.sp
+An explicit specification of the persistent journal database directory.
+Non\-absolute path (i.e. not starting with \fB/\fP) is relative to
+\fI\%storage\fP\&.
+.sp
+\fIDefault:\fP \fI\%storage\fP\fB/journal\fP
+.SS journal\-db\-mode
+.sp
+Specifies journal LMDB backend configuration, which influences performance
+and durability.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBrobust\fP – The journal database disk synchronization ensures database
+durability but is generally slower.
+.IP \(bu 2
+\fBasynchronous\fP – The journal database disk synchronization is optimized for
+better performance at the expense of lower database durability in the case of
+a crash. This mode is recommended on secondary servers with many zones.
+.UNINDENT
+.sp
+\fIDefault:\fP \fBrobust\fP
+.SS journal\-db\-max\-size
+.sp
+The hard limit for the journal database maximum size. There is no cleanup logic
+in journal to recover from reaching this limit. Journal simply starts refusing
+changes across all zones. Decreasing this value has no effect if it is lower
+than the actual database file size.
+.sp
+It is recommended to limit \fI\%journal\-max\-usage\fP
+per\-zone instead of \fI\%journal\-db\-max\-size\fP
+in most cases. Please keep this value larger than the sum of all zones\(aq
+journal usage limits. See more details regarding
+journal behaviour\&.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This value also influences server\(aqs usage of virtual memory.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB20G\fP (20 GiB), or \fB512M\fP (512 MiB) for 32\-bit
+.SS kasp\-db
+.sp
+An explicit specification of the KASP database directory.
+Non\-absolute path (i.e. not starting with \fB/\fP) is relative to
+\fI\%storage\fP\&.
+.sp
+\fIDefault:\fP \fI\%storage\fP\fB/keys\fP
+.SS kasp\-db\-max\-size
+.sp
+The hard limit for the KASP database maximum size.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This value also influences server\(aqs usage of virtual memory.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB500M\fP (500 MiB)
+.SS timer\-db
+.sp
+An explicit specification of the persistent timer database directory.
+Non\-absolute path (i.e. not starting with \fB/\fP) is relative to
+\fI\%storage\fP\&.
+.sp
+\fIDefault:\fP \fI\%storage\fP\fB/timers\fP
+.SS timer\-db\-max\-size
+.sp
+The hard limit for the timer database maximum size.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This value also influences server\(aqs usage of virtual memory.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB100M\fP (100 MiB)
+.SS catalog\-db
+.sp
+An explicit specification of the zone catalog database directory.
+Only useful if catalog\-zones are enabled.
+Non\-absolute path (i.e. not starting with \fB/\fP) is relative to
+\fI\%storage\fP\&.
+.sp
+\fIDefault:\fP \fI\%storage\fP\fB/catalog\fP
+.SS catalog\-db\-max\-size
+.sp
+The hard limit for the catalog database maximum size.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This value also influences server\(aqs usage of virtual memory.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB20G\fP (20 GiB), or \fB512M\fP (512 MiB) for 32\-bit
+.SH KEYSTORE SECTION
+.sp
+DNSSEC keystore configuration.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+keystore:
+ \- id: STR
+ backend: pem | pkcs11
+ config: STR
+ key\-label: BOOL
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+A keystore identifier.
+.SS backend
+.sp
+A key storage backend type.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBpem\fP – PEM files.
+.IP \(bu 2
+\fBpkcs11\fP – PKCS #11 storage.
+.UNINDENT
+.sp
+\fIDefault:\fP \fBpem\fP
+.SS config
+.sp
+A backend specific configuration. A directory with PEM files (the path can
+be specified as a relative path to \fI\%kasp\-db\fP) or
+a configuration string for PKCS #11 storage (\fI<pkcs11\-url> <module\-path>\fP).
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Example configuration string for PKCS #11:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+"pkcs11:token=knot;pin\-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fI\%kasp\-db\fP\fB/keys\fP
+.SS key\-label
+.sp
+If enabled in combination with the PKCS #11 \fI\%backend\fP, generated keys
+are labeled in the form \fB<zone_name> KSK|ZSK\fP\&.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SH KEY SECTION
+.sp
+Shared TSIG keys used to authenticate communication with the server.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+key:
+ \- id: DNAME
+ algorithm: hmac\-md5 | hmac\-sha1 | hmac\-sha224 | hmac\-sha256 | hmac\-sha384 | hmac\-sha512
+ secret: BASE64
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+A key name identifier.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This value MUST be exactly the same as the name of the TSIG key on the
+opposite primary/secondary server(s).
+.UNINDENT
+.UNINDENT
+.SS algorithm
+.sp
+A TSIG key algorithm. See
+\fI\%TSIG Algorithm Numbers\fP\&.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBhmac\-md5\fP
+.IP \(bu 2
+\fBhmac\-sha1\fP
+.IP \(bu 2
+\fBhmac\-sha224\fP
+.IP \(bu 2
+\fBhmac\-sha256\fP
+.IP \(bu 2
+\fBhmac\-sha384\fP
+.IP \(bu 2
+\fBhmac\-sha512\fP
+.UNINDENT
+.sp
+\fIDefault:\fP not set
+.SS secret
+.sp
+Shared key secret.
+.sp
+\fIDefault:\fP not set
+.SH REMOTE SECTION
+.sp
+Definitions of remote servers for outgoing connections (source of a zone
+transfer, target for a notification, etc.).
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+remote:
+ \- id: STR
+ address: ADDR[@INT] ...
+ via: ADDR[@INT] ...
+ key: key_id
+ block\-notify\-after\-transfer: BOOL
+ no\-edns: BOOL
+ automatic\-acl: BOOL
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+A remote identifier.
+.SS address
+.sp
+An ordered list of destination IP addresses which are used for communication
+with the remote server. The addresses are tried in sequence until the
+remote is reached. Optional destination port (default is 53)
+can be appended to the address using \fB@\fP separator.
+.sp
+\fIDefault:\fP not set
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+If the remote is contacted and it refuses to perform requested action,
+no more addresses will be tried for this remote.
+.UNINDENT
+.UNINDENT
+.SS via
+.sp
+An ordered list of source IP addresses. The first address with the same family
+as the destination address is used as a source address for communication with
+the remote. This option can help if the server listens on more addresses.
+Optional source port (default is random) can be appended
+to the address using \fB@\fP separator.
+.sp
+\fIDefault:\fP not set
+.SS key
+.sp
+A \fI\%reference\fP to the TSIG key which is used to authenticate
+the communication with the remote server.
+.sp
+\fIDefault:\fP not set
+.SS block\-notify\-after\-transfer
+.sp
+When incoming AXFR/IXFR from this remote (as a primary server), suppress
+sending NOTIFY messages to all configured secondary servers.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS no\-edns
+.sp
+If enabled, no OPT record (EDNS) is inserted to outgoing requests to this
+remote server. This mode is necessary for communication with some broken
+implementations (e.g. Windows Server 2016).
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option effectively disables zone expire timer
+updates via EDNS EXPIRE option specified in \fI\%RFC 7314\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS automatic\-acl
+.sp
+If enabled, some authorized operations for the remote are automatically allowed
+based on the context:
+.INDENT 0.0
+.IP \(bu 2
+Incoming NOTIFY is allowed from the remote if it\(aqs configured as a
+\fI\%primary server\fP for the zone.
+.IP \(bu 2
+Outgoing zone transfer is allowed to the remote if it\(aqs configured as a
+\fI\%NOTIFY target\fP for the zone.
+.UNINDENT
+.sp
+Automatic ACL rules are evaluated before explicit \fI\%zone ACL\fP configuration.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This functionality requires global activation via
+\fI\%automatic\-acl\fP in the server section.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fBon\fP
+.SH REMOTES SECTION
+.sp
+Definitions of groups of remote servers. Remote grouping can simplify the
+configuration.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+remotes:
+ \- id: STR
+ remote: remote_id ...
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+A remote group identifier.
+.SS remote
+.sp
+An ordered list of \fI\%references\fP to remote server definitions.
+.sp
+\fIDefault:\fP not set
+.SH ACL SECTION
+.sp
+Access control list rule definitions. An ACL rule is a description of one
+or more authorized operations (zone transfer request, zone change notification,
+and dynamic DNS update) which are allowed to be processed or denied.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+acl:
+ \- id: STR
+ address: ADDR[/INT] | ADDR\-ADDR ...
+ key: key_id ...
+ remote: remote_id | remotes_id ...
+ action: query | notify | transfer | update ...
+ deny: BOOL
+ update\-type: STR ...
+ update\-owner: key | zone | name
+ update\-owner\-match: sub\-or\-equal | equal | sub
+ update\-owner\-name: STR ...
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+An ACL rule identifier.
+.SS address
+.sp
+An ordered list of IP addresses, network subnets, or network ranges. The query\(aqs
+source address must match one of them. If this item is not set, address match is not
+required.
+.sp
+\fIDefault:\fP not set
+.SS key
+.sp
+An ordered list of \fI\%reference\fPs to TSIG keys. The query must
+match one of them. If this item is not set, transaction authentication is not used.
+.sp
+\fIDefault:\fP not set
+.SS remote
+.sp
+An ordered list of references \fI\%remote\fP and
+\fI\%remotes\fP\&. The query must
+match one of the remotes. Specifically, one of the remote\(aqs addresses and remote\(aqs
+TSIG key if configured must match.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option cannot be specified along with the \fI\%address\fP or
+\fI\%key\fP option at one ACL item.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP not set
+.SS action
+.sp
+An ordered list of allowed (or denied) actions.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBquery\fP – Allow regular DNS query. As normal queries are always allowed,
+this action is only useful in combination with \fI\%TSIG key\fP\&.
+.IP \(bu 2
+\fBnotify\fP – Allow incoming notify (NOTIFY).
+.IP \(bu 2
+\fBtransfer\fP – Allow zone transfer (AXFR, IXFR).
+.IP \(bu 2
+\fBupdate\fP – Allow zone updates (DDNS).
+.UNINDENT
+.sp
+\fIDefault:\fP \fBquery\fP
+.SS deny
+.sp
+If enabled, instead of allowing, deny the specified \fI\%action\fP,
+\fI\%address\fP, \fI\%key\fP, or combination if these
+items. If no action is specified, deny all actions.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS update\-type
+.sp
+A list of allowed types of Resource Records in a zone update. Every record in an update
+must match one of the specified types.
+.sp
+\fIDefault:\fP not set
+.SS update\-owner
+.sp
+This option restricts possible owners of Resource Records in a zone update by comparing
+them to either the \fI\%TSIG key\fP identity, the current zone name, or to a list of
+domain names given by the \fI\%update\-owner\-name\fP option.
+The comparison method is given by the \fI\%update\-owner\-match\fP option.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBkey\fP — The owner of each updated RR must match the identity of the TSIG key if used.
+.IP \(bu 2
+\fBname\fP — The owner of each updated RR must match at least one name in the
+\fI\%update\-owner\-name\fP list.
+.IP \(bu 2
+\fBzone\fP — The owner of each updated RR must match the current zone name.
+.UNINDENT
+.sp
+\fIDefault:\fP not set
+.SS update\-owner\-match
+.sp
+This option defines how the owners of Resource Records in an update are matched to the domain name(s)
+set by the \fI\%update\-owner\fP option.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBsub\-or\-equal\fP — The owner of each RR in an update must either be equal to
+or be a subdomain of at least one domain name set by \fI\%update\-owner\fP\&.
+.IP \(bu 2
+\fBequal\fP — The owner of each updated RR must be equal to at least one domain
+name set by \fI\%update\-owner\fP\&.
+.IP \(bu 2
+\fBsub\fP — The owner of each updated RR must be a subdomain of, but MUST NOT
+be equal to at least one domain name set by \fI\%update\-owner\fP\&.
+.UNINDENT
+.sp
+\fIDefault:\fP \fBsub\-or\-equal\fP
+.SS update\-owner\-name
+.sp
+A list of allowed owners of RRs in a zone update used with \fI\%update\-owner\fP
+set to \fBname\fP\&. Every listed owner name which is not FQDN (i.e. it doesn\(aqt end
+in a dot) is considered as if it was appended with the target zone name.
+Such a relative owner name specification allows better ACL rule reusability across
+multiple zones.
+.sp
+\fIDefault:\fP not set
+.SH SUBMISSION SECTION
+.sp
+Parameters of KSK submission checks.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+submission:
+ \- id: STR
+ parent: remote_id | remotes_id ...
+ check\-interval: TIME
+ timeout: TIME
+ parent\-delay: TIME
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+A submission identifier.
+.SS parent
+.sp
+A list of references \fI\%remote\fP and \fI\%remotes\fP
+to parent\(aqs DNS servers to be checked for
+presence of corresponding DS records in the case of KSK submission. All of them must
+have a corresponding DS for the rollover to continue. If none is specified, the
+rollover must be pushed forward manually.
+.sp
+\fIDefault:\fP not set
+.sp
+\fBTIP:\fP
+.INDENT 0.0
+.INDENT 3.5
+A DNSSEC\-validating resolver can be set as a parent.
+.UNINDENT
+.UNINDENT
+.SS check\-interval
+.sp
+Interval for periodic checks of DS presence on parent\(aqs DNS servers, in the
+case of the KSK submission.
+.sp
+\fIDefault:\fP \fB1h\fP (1 hour)
+.SS timeout
+.sp
+After this time period (in seconds) the KSK submission is automatically considered
+successful, even if all the checks were negative or no parents are configured.
+Set to 0 for infinity.
+.sp
+\fIDefault:\fP \fB0\fP
+.SS parent\-delay
+.sp
+After successful parent DS check, wait for this period before continuing the next
+key roll\-over step. This delay shall cover the propagation delay of update in the
+parent zone.
+.sp
+\fIDefault:\fP \fB0\fP
+.SH POLICY SECTION
+.sp
+DNSSEC policy configuration.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+policy:
+ \- id: STR
+ keystore: keystore_id
+ manual: BOOL
+ single\-type\-signing: BOOL
+ algorithm: rsasha1 | rsasha1\-nsec3\-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519 | ed448
+ ksk\-size: SIZE
+ zsk\-size: SIZE
+ ksk\-shared: BOOL
+ dnskey\-ttl: TIME
+ zone\-max\-ttl: TIME
+ ksk\-lifetime: TIME
+ zsk\-lifetime: TIME
+ delete\-delay: TIME
+ propagation\-delay: TIME
+ rrsig\-lifetime: TIME
+ rrsig\-refresh: TIME
+ rrsig\-pre\-refresh: TIME
+ reproducible\-signing: BOOL
+ nsec3: BOOL
+ nsec3\-iterations: INT
+ nsec3\-opt\-out: BOOL
+ nsec3\-salt\-length: INT
+ nsec3\-salt\-lifetime: TIME
+ signing\-threads: INT
+ ksk\-submission: submission_id
+ ds\-push: remote_id | remotes_id ...
+ cds\-cdnskey\-publish: none | delete\-dnssec | rollover | always | double\-ds
+ cds\-digest\-type: sha256 | sha384
+ dnskey\-management: full | incremental
+ offline\-ksk: BOOL
+ unsafe\-operation: none | no\-check\-keyset | no\-update\-dnskey | no\-update\-nsec | no\-update\-expired ...
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+A policy identifier.
+.SS keystore
+.sp
+A \fI\%reference\fP to a keystore holding private key material
+for zones.
+.sp
+\fIDefault:\fP an imaginary keystore with all default values
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+A configured keystore called "default" won\(aqt be used unless explicitly referenced.
+.UNINDENT
+.UNINDENT
+.SS manual
+.sp
+If enabled, automatic key management is not used.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS single\-type\-signing
+.sp
+If enabled, Single\-Type Signing Scheme is used in the automatic key management
+mode.
+.sp
+\fIDefault:\fP \fBoff\fP (module onlinesign has default \fBon\fP)
+.SS algorithm
+.sp
+An algorithm of signing keys and issued signatures. See
+\fI\%DNSSEC Algorithm Numbers\fP\&.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBrsasha1\fP
+.IP \(bu 2
+\fBrsasha1\-nsec3\-sha1\fP
+.IP \(bu 2
+\fBrsasha256\fP
+.IP \(bu 2
+\fBrsasha512\fP
+.IP \(bu 2
+\fBecdsap256sha256\fP
+.IP \(bu 2
+\fBecdsap384sha384\fP
+.IP \(bu 2
+\fBed25519\fP
+.IP \(bu 2
+\fBed448\fP
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Ed25519 algorithm is only available if compiled with GnuTLS 3.6.0+.
+.sp
+Ed448 algorithm is only available if compiled with GnuTLS 3.6.12+ and Nettle 3.6+.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fBecdsap256sha256\fP
+.SS ksk\-size
+.sp
+A length of newly generated KSK or
+CSK keys.
+.sp
+\fIDefault:\fP \fB2048\fP (rsa*), \fB256\fP (ecdsap256), \fB384\fP (ecdsap384), \fB256\fP (ed25519),
+\fB456\fP (ed448)
+.SS zsk\-size
+.sp
+A length of newly generated ZSK keys.
+.sp
+\fIDefault:\fP see default for \fI\%ksk\-size\fP
+.SS ksk\-shared
+.sp
+If enabled, all zones with this policy assigned will share one or more KSKs.
+More KSKs can be shared during a KSK rollover.
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+As the shared KSK set is bound to the policy \fI\%id\fP, renaming the
+policy breaks this connection and new shared KSK set is initiated when
+a new KSK is needed.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS dnskey\-ttl
+.sp
+A TTL value for DNSKEY records added into zone apex.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Has influence over ZSK key lifetime.
+.UNINDENT
+.UNINDENT
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+Ensure all DNSKEYs with updated TTL are propagated before any subsequent
+DNSKEY rollover starts.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP zone SOA TTL
+.SS zone\-max\-ttl
+.sp
+Declare (override) maximal TTL value among all the records in zone.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+It\(aqs generally recommended to override the maximal TTL computation by setting this
+explicitly whenever possible. It\(aqs required for DNSSEC Offline KSK and
+really reasonable when records are generated dynamically
+(e.g. by a module).
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP computed after zone is loaded
+.SS ksk\-lifetime
+.sp
+A period between KSK activation and the next rollover initiation.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+KSK key lifetime is also influenced by propagation\-delay, dnskey\-ttl,
+and KSK submission delay.
+.sp
+Zero (aka infinity) value causes no KSK rollover as a result.
+.sp
+This applies for CSK lifetime if single\-type\-signing is enabled.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB0\fP
+.SS zsk\-lifetime
+.sp
+A period between ZSK activation and the next rollover initiation.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+More exactly, this period is measured since a ZSK is activated,
+and after this, a new ZSK is generated to replace it within
+following roll\-over.
+.sp
+ZSK key lifetime is also influenced by propagation\-delay and dnskey\-ttl
+.sp
+Zero (aka infinity) value causes no ZSK rollover as a result.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB30d\fP (30 days)
+.SS delete\-delay
+.sp
+Once a key (KSK or ZSK) is rolled\-over and removed from the zone,
+keep it in the KASP database for at least this period before deleting it completely.
+This might be useful in some troubleshooting cases when resurrection
+is needed.
+.sp
+\fIDefault:\fP \fB0\fP
+.SS propagation\-delay
+.sp
+An extra delay added for each key rollover step. This value should be high
+enough to cover propagation of data from the primary server to all
+secondary servers, as well as the duration of signing routine itself and
+possible outages in signing and propagation infrastructure. In other words,
+this delay should ensure that within this period of time after planned
+change of the key set, all public\-facing secondaries will already serve
+new DNSKEY RRSet for sure.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Has influence over ZSK key lifetime.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB1h\fP (1 hour)
+.SS rrsig\-lifetime
+.sp
+A validity period of newly issued signatures.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+The RRSIG\(aqs signature inception time is set to 90 minutes in the past. This
+time period is not counted to the signature lifetime.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB14d\fP (14 days)
+.SS rrsig\-refresh
+.sp
+A period how long at least before a signature expiration the signature will be refreshed,
+in order to prevent expired RRSIGs on secondary servers or resolvers\(aq caches.
+.sp
+\fIDefault:\fP \fI\%propagation\-delay\fP + \fI\%zone\-max\-ttl\fP
+.SS rrsig\-pre\-refresh
+.sp
+A period how long at most before a signature refresh time the signature might be refreshed,
+in order to refresh RRSIGs in bigger batches on a frequently updated zone
+(avoid re\-sign event too often).
+.sp
+\fIDefault:\fP \fB1h\fP (1 hour)
+.SS reproducible\-signing
+.sp
+For ECDSA algorithms, generate RRSIG signatures deterministically (\fI\%RFC 6979\fP).
+Besides better theoretical cryptographic security, this mode allows significant
+speed\-up of loading signed (by the same method) zones. However, the zone signing
+is a bit slower.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS nsec3
+.sp
+Specifies if NSEC3 will be used instead of NSEC.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS nsec3\-iterations
+.sp
+A number of additional times the hashing is performed.
+.sp
+\fIDefault:\fP \fB0\fP
+.SS nsec3\-opt\-out
+.sp
+If set, NSEC3 records won\(aqt be created for insecure delegations.
+This speeds up the zone signing and reduces overall zone size.
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+NSEC3 with the Opt\-Out bit set no longer works as a proof of non\-existence
+in this zone.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS nsec3\-salt\-length
+.sp
+A length of a salt field in octets, which is appended to the original owner
+name before hashing.
+.sp
+\fIDefault:\fP \fB8\fP
+.SS nsec3\-salt\-lifetime
+.sp
+A validity period of newly issued salt field.
+.sp
+Zero value means infinity.
+.sp
+Special value \fI\-1\fP triggers re\-salt every time when active ZSK changes.
+This optimizes the number of big changes to the zone.
+.sp
+\fIDefault:\fP \fB30d\fP (30 days)
+.SS signing\-threads
+.sp
+When signing zone or update, use this number of threads for parallel signing.
+.sp
+Those are extra threads independent of \fI\%Background workers\fP\&.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Some steps of the DNSSEC signing operation are not parallelized.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB1\fP (no extra threads)
+.SS ksk\-submission
+.sp
+A reference to \fI\%submission\fP section holding parameters of
+KSK submission checks.
+.sp
+\fIDefault:\fP not set
+.SS ds\-push
+.sp
+Optional references \fI\%remote\fP and \fI\%remotes\fP
+to authoritative DNS server of the
+parent\(aqs zone. The remote server must be configured to accept DS record
+updates via DDNS. Whenever a CDS record in the local zone is changed, the
+corresponding DS record is sent as a dynamic update (DDNS) to the parent
+DNS server. All previous DS records are deleted within the DDNS message.
+It\(aqs possible to manage both child and parent zones by the same Knot DNS server.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This feature requires \fI\%cds\-cdnskey\-publish\fP
+not to be set to \fBnone\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+The mentioned change to CDS record usually means that a KSK roll\-over is running
+and the new key being rolled\-in is in "ready" state already for the period of
+\fI\%propagation\-delay\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Module Onlinesign doesn\(aqt support DS push.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP not set
+.SS cds\-cdnskey\-publish
+.sp
+Controls if and how shall the CDS and CDNSKEY be published in the zone.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBnone\fP – Never publish any CDS or CDNSKEY records in the zone.
+.IP \(bu 2
+\fBdelete\-dnssec\fP – Publish special CDS and CDNSKEY records indicating turning off DNSSEC.
+.IP \(bu 2
+\fBrollover\fP – Publish CDS and CDNSKEY records for ready and not yet active KSK (submission phase of KSK rollover).
+.IP \(bu 2
+\fBalways\fP – Always publish one CDS and one CDNSKEY records for the current KSK.
+.IP \(bu 2
+\fBdouble\-ds\fP – Always publish up to two CDS and two CDNSKEY records for ready and/or active KSKs.
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+If the zone keys are managed manually, the CDS and CDNSKEY rrsets may contain
+more records depending on the keys available.
+.UNINDENT
+.UNINDENT
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+The \fBdouble\-ds\fP value does not trigger double\-DS roll\-over method. That method is
+only supported when performed manually, with unset \fI\%ksk\-submission\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fBrollover\fP
+.SS cds\-digest\-type
+.sp
+Specify digest type for published CDS records.
+.sp
+\fIDefault:\fP \fBsha256\fP
+.SS dnskey\-management
+.sp
+Specify how the DNSKEY, CDNSKEY, and CDS RRSets at the zone apex are handled
+when (re\-)signing the zone.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBfull\fP – Upon every zone (re\-)sign, delete all unknown DNSKEY, CDNSKEY, and CDS
+records and keep just those that are related to the zone keys stored in the KASP database.
+.IP \(bu 2
+\fBincremental\fP – Keep unknown DNSKEY, CDNSKEY, and CDS records in the zone, and
+modify server\-managed records incrementally by employing changes in the KASP database.
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Prerequisites for \fIincremental\fP:
+.INDENT 0.0
+.IP \(bu 2
+The Offline KSK isn\(aqt supported.
+.IP \(bu 2
+The \fI\%delete\-delay\fP is long enough to cover possible daemon
+shutdown (e.g. due to server maintenance).
+.IP \(bu 2
+Avoided manual deletion of keys with keymgr\&.
+.UNINDENT
+.sp
+Otherwise there might remain some DNSKEY records in the zone, belonging to
+deleted keys.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fBfull\fP
+.SS offline\-ksk
+.sp
+Specifies if Offline KSK feature is enabled.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS unsafe\-operation
+.sp
+Turn off some DNSSEC safety features.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBnone\fP – Nothing disabled.
+.IP \(bu 2
+\fBno\-check\-keyset\fP – Don\(aqt check active keys in present algorithms. This may
+lead to violation of \fI\%RFC 4035#section\-2.2\fP\&.
+.IP \(bu 2
+\fBno\-update\-dnskey\fP – Don\(aqt maintain/update DNSKEY, CDNSKEY, and CDS records
+in the zone apex according to KASP database. Juste leave them as they are in the zone.
+.IP \(bu 2
+\fBno\-update\-nsec\fP – Don\(aqt maintain/update NSEC/NSEC3 chain. Leave all the records
+as they are in the zone.
+.IP \(bu 2
+\fBno\-update\-expired\fP – Don\(aqt update expired RRSIGs.
+.UNINDENT
+.sp
+Multiple values may be specified.
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+This mode is intended for DNSSEC experts who understand the corresponding consequences.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fBnone\fP
+.SH TEMPLATE SECTION
+.sp
+A template is shareable zone settings, which can simplify configuration by
+reducing duplicates. A special default template (with the \fIdefault\fP identifier)
+can be used for global zone configuration or as an implicit configuration
+if a zone doesn\(aqt have another template specified.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+template:
+ \- id: STR
+ global\-module: STR/STR ...
+ # All zone options (excluding \(aqtemplate\(aq item)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+If an item is explicitly specified both in the referenced template and
+the zone, the template item value is overridden by the zone item value.
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+A template identifier.
+.SS global\-module
+.sp
+An ordered list of references to query modules in the form of \fImodule_name\fP or
+\fImodule_name/module_id\fP\&. These modules apply to all queries.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option is only available in the \fIdefault\fP template.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP not set
+.SH ZONE SECTION
+.sp
+Definition of zones served by the server.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+zone:
+ \- domain: DNAME
+ template: template_id
+ storage: STR
+ file: STR
+ master: remote_id | remotes_id ...
+ ddns\-master: remote_id
+ notify: remote_id | remotes_id ...
+ acl: acl_id ...
+ provide\-ixfr: BOOL
+ semantic\-checks: BOOL | soft
+ zonefile\-sync: TIME
+ zonefile\-load: none | difference | difference\-no\-serial | whole
+ journal\-content: none | changes | all
+ journal\-max\-usage: SIZE
+ journal\-max\-depth: INT
+ zone\-max\-size : SIZE
+ adjust\-threads: INT
+ dnssec\-signing: BOOL
+ dnssec\-validation: BOOL
+ dnssec\-policy: policy_id
+ ds\-push: remote_id | remotes_id ...
+ zonemd\-verify: BOOL
+ zonemd\-generate: none | zonemd\-sha384 | zonemd\-sha512 | remove
+ serial\-policy: increment | unixtime | dateserial
+ refresh\-min\-interval: TIME
+ refresh\-max\-interval: TIME
+ retry\-min\-interval: TIME
+ retry\-max\-interval: TIME
+ expire\-min\-interval: TIME
+ expire\-max\-interval: TIME
+ catalog\-role: none | interpret | generate | member
+ catalog\-template: template_id ...
+ catalog\-zone: DNAME
+ catalog\-group: STR
+ module: STR/STR ...
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS domain
+.sp
+A zone name identifier.
+.SS template
+.sp
+A \fI\%reference\fP to a configuration template.
+.sp
+\fIDefault:\fP not set or \fBdefault\fP (if the template exists)
+.SS storage
+.sp
+A data directory for storing zone files.
+.sp
+\fIDefault:\fP \fB${localstatedir}/lib/knot\fP (configured with \fB\-\-with\-storage=path\fP)
+.SS file
+.sp
+A path to the zone file. Non\-absolute path (i.e. not starting with \fB/\fP) is
+relative to \fI\%storage\fP\&.
+It is also possible to use the following formatters:
+.INDENT 0.0
+.IP \(bu 2
+\fB%c[\fP\fIN\fP\fB]\fP or \fB%c[\fP\fIN\fP\fB\-\fP\fIM\fP\fB]\fP – Means the \fIN\fPth
+character or a sequence of characters beginning from the \fIN\fPth and ending
+with the \fIM\fPth character of the textual zone name (see \fB%s\fP). The
+indexes are counted from 0 from the left. All dots (including the terminal
+one) are considered. If the character is not available, the formatter has no effect.
+.IP \(bu 2
+\fB%l[\fP\fIN\fP\fB]\fP – Means the \fIN\fPth label of the textual zone name
+(see \fB%s\fP). The index is counted from 0 from the right (0 ~ TLD).
+If the label is not available, the formatter has no effect.
+.IP \(bu 2
+\fB%s\fP – Means the current zone name in the textual representation.
+The zone name doesn\(aqt include the terminating dot (the result for the root
+zone is the empty string!).
+.IP \(bu 2
+\fB%%\fP – Means the \fB%\fP character.
+.UNINDENT
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+Beware of special characters which are escaped or encoded in the \eDDD form
+where DDD is corresponding decimal ASCII code.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fI\%storage\fP\fB/%s.zone\fP
+.SS master
+.sp
+An ordered list of references \fI\%remote\fP and
+\fI\%remotes\fP to zone primary servers
+(formerly known as master servers).
+.sp
+\fIDefault:\fP not set
+.SS ddns\-master
+.sp
+A \fI\%reference\fP to zone primary master. If not specified,
+the first \fI\%master\fP server is used.
+.sp
+\fIDefault:\fP not set
+.SS notify
+.sp
+An ordered list of references \fI\%remote\fP and
+\fI\%remotes\fP to secondary servers to which notify
+message is sent if the zone changes.
+.sp
+\fIDefault:\fP not set
+.SS acl
+.sp
+An ordered list of \fI\%references\fP to ACL rules which can allow
+or disallow zone transfers, updates or incoming notifies.
+.sp
+\fIDefault:\fP not set
+.SS provide\-ixfr
+.sp
+If disabled, the server is forced to respond with AXFR to IXFR queries.
+If enabled, IXFR requests are responded normally.
+.sp
+\fIDefault:\fP \fBon\fP
+.SS semantic\-checks
+.sp
+Selects if extra zone semantic checks are used or impacts of the mandatory checks.
+.sp
+There are several mandatory checks which are always enabled and cannot be turned
+off. An error in a mandatory check causes the zone not to be loaded. Most of
+the mandatory checks can be weakened by setting \fBsoft\fP, which allows the zone to
+be loaded even if the check fails.
+.sp
+If enabled, extra checks are used. These checks don\(aqt prevent the zone from loading.
+.sp
+The mandatory checks are applied to zone files, zone transfers, and updates via
+control interface. The extra checks are applied to zone files only!
+.sp
+Mandatory checks:
+.INDENT 0.0
+.IP \(bu 2
+Missing SOA record at the zone apex (\fI\%RFC 1034\fP) (*)
+.IP \(bu 2
+An extra record exists together with a CNAME record except for RRSIG and NSEC (\fI\%RFC 1034\fP)
+.IP \(bu 2
+Multiple CNAME records with the same owner exist (\fI\%RFC 1034\fP)
+.IP \(bu 2
+DNAME record having a record under it (\fI\%RFC 6672\fP)
+.IP \(bu 2
+Multiple DNAME records with the same owner exist (\fI\%RFC 6672\fP)
+.IP \(bu 2
+NS record exists together with a DNAME record (\fI\%RFC 6672\fP)
+.UNINDENT
+.sp
+(*) The marked check can\(aqt be weakened by the soft mode. All other mandatory checks
+are subject to the optional soft mode.
+.sp
+Extra checks:
+.INDENT 0.0
+.IP \(bu 2
+Missing NS record at the zone apex
+.IP \(bu 2
+Missing glue A or AAAA record
+.IP \(bu 2
+Invalid DS or NSEC3PARAM record
+.IP \(bu 2
+CDS or CDNSKEY inconsistency
+.IP \(bu 2
+All other DNSSEC checks executed during \fI\%dnssec\-validation\fP
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+The soft mode allows the refresh event to ignore a CNAME response to a SOA
+query (malformed message) and triggers a zone bootstrap instead.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS zonefile\-sync
+.sp
+The time after which the current zone in memory will be synced with a zone file
+on the disk (see \fI\%file\fP). The server will serve the latest
+zone even after a restart using zone journal, but the zone file on the disk will
+only be synced after \fBzonefile\-sync\fP time has expired (or after manual zone
+flush). This is applicable when the zone is updated via IXFR, DDNS or automatic
+DNSSEC signing. In order to completely disable automatic zone file synchronization,
+set the value to \-1. In that case, it is still possible to force a manual zone flush
+using the \fB\-f\fP option.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+If you are serving large zones with frequent updates where
+the immediate sync with a zone file is not desirable, increase the value.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB0\fP (immediate)
+.SS zonefile\-load
+.sp
+Selects how the zone file contents are applied during zone load.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBnone\fP – The zone file is not used at all.
+.IP \(bu 2
+\fBdifference\fP – If the zone contents are already available during server start or reload,
+the difference is computed between them and the contents of the zone file. This difference
+is then checked for semantic errors and applied to the current zone contents.
+.IP \(bu 2
+\fBdifference\-no\-serial\fP – Same as \fBdifference\fP, but the SOA serial in the zone file is
+ignored, the server takes care of incrementing the serial automatically.
+.IP \(bu 2
+\fBwhole\fP – Zone contents are loaded from the zone file.
+.UNINDENT
+.sp
+When \fBdifference\fP is configured and there are no zone contents yet (cold start
+and no zone contents in the journal), it behaves the same way as \fBwhole\fP\&.
+.sp
+\fIDefault:\fP \fBwhole\fP
+.SS journal\-content
+.sp
+Selects how the journal shall be used to store zone and its changes.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBnone\fP – The journal is not used at all.
+.IP \(bu 2
+\fBchanges\fP – Zone changes history is stored in journal.
+.IP \(bu 2
+\fBall\fP – Zone contents and history is stored in journal.
+.UNINDENT
+.sp
+\fIDefault:\fP \fBchanges\fP
+.SS journal\-max\-usage
+.sp
+Policy how much space in journal DB will the zone\(aqs journal occupy.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Journal DB may grow far above the sum of journal\-max\-usage across
+all zones, because of DB free space fragmentation.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB100M\fP (100 MiB)
+.SS journal\-max\-depth
+.sp
+Maximum history length of the journal.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Zone\-in\-journal changeset isn\(aqt counted to the limit.
+.UNINDENT
+.UNINDENT
+.sp
+\fIMinimum:\fP \fB2\fP
+.sp
+\fIDefault:\fP \fB20\fP
+.SS zone\-max\-size
+.sp
+Maximum size of the zone. The size is measured as size of the zone records
+in wire format without compression. The limit is enforced for incoming zone
+transfers and dynamic updates.
+.sp
+For incremental transfers (IXFR), the effective limit for the total size of
+the records in the transfer is twice the configured value. However the final
+size of the zone must satisfy the configured value.
+.sp
+\fIDefault:\fP unlimited
+.SS adjust\-threads
+.sp
+Parallelize internal zone adjusting procedures by using specified number of
+threads. This is useful with huge zones with NSEC3. Speedup observable at
+server startup and while processing NSEC3 re\-salt.
+.sp
+\fIDefault:\fP \fB1\fP (no extra threads)
+.SS dnssec\-signing
+.sp
+If enabled, automatic DNSSEC signing for the zone is turned on.
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS dnssec\-validation
+.sp
+If enabled, the zone contents are validated for being correctly signed
+(including NSEC/NSEC3 chain) with DNSSEC signatures every time the zone
+is loaded or changed (including AXFR/IXFR).
+.sp
+When the validation fails, the zone being loaded or update being applied
+is cancelled with an error, and either none or previous zone state is published.
+.sp
+List of DNSSEC checks:
+.INDENT 0.0
+.IP \(bu 2
+Every zone RRSet is correctly signed by at least one present DNSKEY.
+.IP \(bu 2
+DNSKEY RRSet is signed by KSK.
+.IP \(bu 2
+NSEC(3) RR exists for each name (unless opt\-out) with correct bitmap.
+.IP \(bu 2
+Every NSEC(3) RR is linked to the lexicographically next one.
+.UNINDENT
+.sp
+The validation is not affected by \fI\%dnssec\-policy\fP configuration,
+except for \fI\%signing\-threads\fP option, which specifies the number
+of threads for parallel validation.
+.sp
+\fIDefault:\fP not set
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Redundant or garbage NSEC3 records are ignored.
+.sp
+This mode is not compatible with \fI\%dnssec\-signing\fP\&.
+.UNINDENT
+.UNINDENT
+.SS dnssec\-policy
+.sp
+A \fI\%reference\fP to DNSSEC signing policy.
+.sp
+\fIDefault:\fP an imaginary policy with all default values
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+A configured policy called "default" won\(aqt be used unless explicitly referenced.
+.UNINDENT
+.UNINDENT
+.SS ds\-push
+.sp
+Per zone configuration of \fI\%ds\-push\fP\&. This option overrides possible
+per policy option.
+.sp
+\fIDefault:\fP not set
+.SS zonemd\-verify
+.sp
+On each zone load/update, verify that ZONEMD is present in the zone and valid.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Zone digest calculation may take much time and CPU on large zones.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fBoff\fP
+.SS zonemd\-generate
+.sp
+On each zone update, calculate ZONEMD and put it into the zone.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBnone\fP – No action regarding ZONEMD.
+.IP \(bu 2
+\fBzonemd\-sha384\fP – Generate ZONEMD using SHA384 algorithm.
+.IP \(bu 2
+\fBzonemd\-sha512\fP – Generate ZONEMD using SHA512 algorithm.
+.IP \(bu 2
+\fBremove\fP – Remove any ZONEMD from the zone apex.
+.UNINDENT
+.sp
+\fIDefault:\fP \fBnone\fP
+.SS serial\-policy
+.sp
+Specifies how the zone serial is updated after a dynamic update or
+automatic DNSSEC signing. If the serial is changed by the dynamic update,
+no change is made.
+.sp
+Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBincrement\fP – The serial is incremented according to serial number arithmetic.
+.IP \(bu 2
+\fBunixtime\fP – The serial is set to the current unix time.
+.IP \(bu 2
+\fBdateserial\fP – The 10\-digit serial (YYYYMMDDnn) is incremented, the first
+8 digits match the current iso\-date.
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+If the resulting serial for \fBunixtime\fP or \fBdateserial\fP is lower than or
+equal to the current serial (this happens e.g. when migrating from other policy or
+frequent updates), the serial is incremented instead.
+.sp
+To avoid user confusion, use \fBdateserial\fP only if you expect at most
+100 updates per day per zone and \fBunixtime\fP only if you expect at most
+one update per second per zone.
+.sp
+Generated catalog zones use \fBunixtime\fP only.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fBincrement\fP (\fBunixtime\fP for generated catalog zones)
+.SS refresh\-min\-interval
+.sp
+Forced minimum zone refresh interval (in seconds) to avoid flooding primary server.
+.sp
+\fIMinimum:\fP \fB2\fP
+.sp
+\fIDefault:\fP \fB2\fP
+.SS refresh\-max\-interval
+.sp
+Forced maximum zone refresh interval (in seconds).
+.sp
+\fIDefault:\fP not set
+.SS retry\-min\-interval
+.sp
+Forced minimum zone retry interval (in seconds) to avoid flooding primary server.
+.sp
+\fIMinimum:\fP \fB1\fP
+.sp
+\fIDefault:\fP \fB1\fP
+.SS retry\-max\-interval
+.sp
+Forced maximum zone retry interval (in seconds).
+.sp
+\fIDefault:\fP not set
+.SS expire\-min\-interval
+.sp
+Forced minimum zone expire interval (in seconds) to avoid flooding primary server.
+.sp
+\fIMinimum:\fP \fB3\fP
+.sp
+\fIDefault:\fP \fB3\fP
+.SS expire\-max\-interval
+.sp
+Forced maximum zone expire interval (in seconds).
+.sp
+\fIDefault:\fP not set
+.SS catalog\-role
+.sp
+Trigger zone catalog feature. Possible values:
+.INDENT 0.0
+.IP \(bu 2
+\fBnone\fP – Not a catalog zone.
+.IP \(bu 2
+\fBinterpret\fP – A catalog zone which is loaded from a zone file or XFR,
+and member zones shall be configured based on its contents.
+.IP \(bu 2
+\fBgenerate\fP – A catalog zone whose contents are generated according to
+assigned member zones.
+.IP \(bu 2
+\fBmember\fP – A member zone that is assigned to one generated catalog zone.
+.UNINDENT
+.sp
+\fIDefault:\fP \fBnone\fP
+.SS catalog\-template
+.sp
+For the catalog member zones, the specified configuration template will be applied.
+.sp
+Multiple catalog templates may be defined. The first one is used unless the member zone
+has the \fIgroup\fP property defined, matching another catalog template.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option must be set if and only if \fI\%catalog\-role\fP is \fIinterpret\fP\&.
+.sp
+Nested catalog zones aren\(aqt supported. Therefore catalog templates can\(aqt use
+\fI\%catalog\-template\fP, \fI\%catalog\-role\fP, \fI\%catalog\-zone\fP,
+and \fI\%catalog\-group\fP options.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP not set
+.SS catalog\-zone
+.sp
+Assign this member zone to specified generated catalog zone.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option must be set if and only if \fI\%catalog\-role\fP is \fImember\fP\&.
+.sp
+The referenced catalog zone must exist and have \fI\%catalog\-role\fP set to \fIgenerate\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP not set
+.SS catalog\-group
+.sp
+Assign this member zone to specified catalog group (configuration template).
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option has effect if and only if \fI\%catalog\-role\fP is \fImember\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP not set
+.SS module
+.sp
+An ordered list of references to query modules in the form of \fImodule_name\fP or
+\fImodule_name/module_id\fP\&. These modules apply only to the current zone queries.
+.sp
+\fIDefault:\fP not set
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2023, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/knotc.8in b/doc/man/knotc.8in
new file mode 100644
index 0000000..9a88274
--- /dev/null
+++ b/doc/man/knotc.8in
@@ -0,0 +1,425 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "KNOTC" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+knotc \- Knot DNS control utility
+.SH SYNOPSIS
+.sp
+\fBknotc\fP [\fIparameters\fP] \fIaction\fP [\fIaction_args\fP]
+.SH DESCRIPTION
+.sp
+This program controls a running \fIknotd\fP process using a socket.
+.sp
+If an \fIaction\fP is specified, it is performed and \fIknotc\fP exits, otherwise the program
+is executed in the interactive mode.
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
+Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+.TP
+\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
+Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+The default configuration database, if exists, has a preference to the default
+configuration file.
+.TP
+\fB\-m\fP, \fB\-\-max\-conf\-size\fP \fIMiB\fP
+Set maximum size of the configuration database
+(default is @conf_mapsize@ MiB, maximum 10000 MiB).
+.TP
+\fB\-s\fP, \fB\-\-socket\fP \fIpath\fP
+Use a control UNIX socket path (default is \fB@run_dir@/knot.sock\fP).
+.TP
+\fB\-t\fP, \fB\-\-timeout\fP \fIseconds\fP
+Use a control timeout in seconds. Set to 0 for infinity (default is 60).
+The control socket operations are also subject to the timeout
+parameter set on the server side in server\(aqs Control configuration section.
+.TP
+\fB\-b\fP, \fB\-\-blocking\fP
+Zone event trigger commands wait until the event is finished. Control timeout
+is set to infinity if not forced by explicit timeout specification.
+.TP
+\fB\-e\fP, \fB\-\-extended\fP
+Show extended output (even empty items in zone status).
+.TP
+\fB\-f\fP, \fB\-\-force\fP
+Forced operation. Overrides some checks.
+.TP
+\fB\-x\fP, \fB\-\-mono\fP
+Don\(aqt generate colorized output.
+.TP
+\fB\-X\fP, \fB\-\-color\fP
+Force colorized output in extended output or to a pipe.
+.TP
+\fB\-v\fP, \fB\-\-verbose\fP
+Enable debug output.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.UNINDENT
+.SS Actions
+.INDENT 0.0
+.TP
+\fBstatus\fP [\fIdetail\fP]
+Check if the server is running. Details are \fBversion\fP for the running
+server version, \fBworkers\fP for the numbers of worker threads,
+or \fBconfigure\fP for the configure summary.
+.TP
+\fBstop\fP
+Stop the server if running.
+.TP
+\fBreload\fP
+Reload the server configuration and modified zone files. All open zone
+transactions will be aborted!
+.TP
+\fBstats\fP [\fImodule\fP[\fB\&.\fP\fIcounter\fP]]
+Show global statistics counter(s). To print also counters with value 0, use
+force option.
+.TP
+\fBzone\-check\fP [\fIzone\fP\&...]
+Test if the server can load the zone. Semantic checks are executed if enabled
+in the configuration. If invoked with the force option, an error is returned
+when semantic check warning appears. (*)
+.TP
+\fBzone\-status\fP [\fIzone\fP\&...] [\fIfilter\fP]
+Show the zone status. Filters are \fB+role\fP, \fB+serial\fP, \fB+transaction\fP,
+\fB+events\fP, \fB+freeze\fP, and \fB+catalog\fP\&. Empty zone parameters are omitted,
+unless the \fB\-\-extended\fP option is used. A single dash in the output represents
+an unset value. Automatic colorization can be overruled using the \fB\-\-mono\fP and
+\fB\-\-color\fP options.
+.sp
+The color code is:
+\fIgreen\fP \- zone acts as a master / \fIred\fP \- zone acts as a slave,
+\fIbold font (highlited)\fP \- zone is active / \fInormal\fP \- zone is empty,
+\fIunderscored\fP \- zone is an interpreted catalog member.
+.TP
+\fBzone\-reload\fP [\fIzone\fP\&...]
+Trigger a zone reload from a disk without checking its modification time. For
+secondary zone, the refresh event from primary server(s) is scheduled;
+for primary zone, the notify event to secondary server(s) is scheduled. An open
+zone transaction will be aborted! If invoked with the force option, also zone
+modules will be re\-loaded, but blocking mode might not work reliably. (#)
+.TP
+\fBzone\-refresh\fP [\fIzone\fP\&...]
+Trigger a check for the zone serial on the zone\(aqs primary server. If
+the primary server has a newer zone, a transfer is scheduled. This command is
+valid for secondary zones. (#)
+.TP
+\fBzone\-retransfer\fP [\fIzone\fP\&...]
+Trigger a zone transfer from the zone\(aqs primary server. The server
+doesn\(aqt check the serial of the primary server\(aqs zone. This command is valid
+for secondary zones. (#)
+.TP
+\fBzone\-notify\fP [\fIzone\fP\&...]
+Trigger a NOTIFY message to all configured remotes. This can help in cases
+when previous NOTIFY had been lost or the secondary servers have been
+offline. (#)
+.TP
+\fBzone\-flush\fP [\fIzone\fP\&...] [\fB+outdir\fP \fIdirectory\fP]
+Trigger a zone journal flush to the configured zone file. If an output
+directory is specified, the current zone is immediately dumped (in the
+blocking mode) to a zone file in the specified directory. See
+\fI\%Notes\fP below about the directory permissions. (#)
+.TP
+\fBzone\-backup\fP [\fIzone\fP\&...] \fB+backupdir\fP \fIdirectory\fP [\fIfilter\fP\&...]
+Trigger a zone data and metadata backup to a specified directory.
+Available filters are \fB+zonefile\fP, \fB+journal\fP, \fB+timers\fP, \fB+kaspdb\fP,
+\fB+catalog\fP, and their negative counterparts \fB+nozonefile\fP, \fB+nojournal\fP,
+\fB+notimers\fP, \fB+nokaspdb\fP, and \fB+nocatalog\fP\&. With these filters set,
+zone contents, zone\(aqs journal, zone related timers, zone related data in the
+KASP database together with keys, and zone\(aqs catalog, respectively, are backed up,
+or omitted from the backup. By default, filters \fB+zonefile\fP, \fB+timers\fP,
+\fB+kaspdb\fP, \fB+catalog\fP, and \fB+nojournal\fP are set. Setting a filter
+for an item doesn\(aqt change default settings for other items. If zone flushing
+is disabled, original zone file is backed up instead of writing out zone
+contents to a file. See \fI\%Notes\fP below about the directory
+permissions. (#)
+.TP
+\fBzone\-restore\fP [\fIzone\fP\&...] \fB+backupdir\fP \fIdirectory\fP [\fIfilter\fP\&...]
+Trigger a zone data and metadata restore from a specified backup directory.
+Optional filters are equivalent to the same filters of \fBzone\-backup\fP\&.
+Restore from backups created by Knot DNS releases prior to 3.1 is possible
+with the force option. See \fI\%Notes\fP below about the directory
+permissions. (#)
+.TP
+\fBzone\-sign\fP [\fIzone\fP\&...]
+Trigger a DNSSEC re\-sign of the zone. Existing signatures will be dropped.
+This command is valid for zones with DNSSEC signing enabled. (#)
+.TP
+\fBzone\-keys\-load\fP [\fIzone\fP\&...]
+Trigger a load of DNSSEC keys and other signing material from KASP database
+(which might have been altered manually). If suitable, re\-sign the zone
+afterwards (keeping valid signatures intact). (#)
+.TP
+\fBzone\-key\-rollover\fP \fIzone\fP \fIkey_type\fP
+Trigger immediate key rollover. Publish new key and start a key rollover,
+even when the key has a lifetime to go. Key type can be \fBksk\fP (also for CSK)
+or \fBzsk\fP\&. This command is valid for zones with DNSSEC signing and automatic
+key management enabled. Note that complete key rollover consists of several steps
+and the blocking mode relates to the initial one only! (#)
+.TP
+\fBzone\-ksk\-submitted\fP \fIzone\fP\&...
+Use when the zone\(aqs KSK rollover is in submission phase. By calling this command
+the user confirms manually that the parent zone contains DS record for the new
+KSK in submission phase and the old KSK can be retired. (#)
+.TP
+\fBzone\-freeze\fP [\fIzone\fP\&...]
+Trigger a zone freeze. All running events will be finished and all new and pending
+(planned) zone\-changing events (load, refresh, update, flush, and DNSSEC signing)
+will be held up until the zone is thawed. (#)
+.TP
+\fBzone\-thaw\fP [\fIzone\fP\&...]
+Trigger dismissal of zone freeze. (#)
+.TP
+\fBzone\-xfr\-freeze\fP [\fIzone\fP\&...]
+Temporarily disable outgoing AXFR/IXFR for the zone(s). (#)
+.TP
+\fBzone\-xfr\-thaw\fP [\fIzone\fP\&...]
+Dismiss outgoing XFR freeze. (#)
+.TP
+\fBzone\-read\fP \fIzone\fP [\fIowner\fP [\fItype\fP]]
+Get zone data that are currently being presented.
+.TP
+\fBzone\-begin\fP \fIzone\fP\&...
+Begin a zone transaction.
+.TP
+\fBzone\-commit\fP \fIzone\fP\&...
+Commit the zone transaction. All changes are applied to the zone.
+.TP
+\fBzone\-abort\fP \fIzone\fP\&...
+Abort the zone transaction. All changes are discarded.
+.TP
+\fBzone\-diff\fP \fIzone\fP
+Get zone changes within the transaction.
+.TP
+\fBzone\-get\fP \fIzone\fP [\fIowner\fP [\fItype\fP]]
+Get zone data within the transaction.
+.TP
+\fBzone\-set\fP \fIzone\fP \fIowner\fP [\fIttl\fP] \fItype\fP \fIrdata\fP
+Add zone record within the transaction. The first record in a rrset
+requires a ttl value specified.
+.TP
+\fBzone\-unset\fP \fIzone\fP \fIowner\fP [\fItype\fP [\fIrdata\fP]]
+Remove zone data within the transaction.
+.TP
+\fBzone\-purge\fP \fIzone\fP\&... [\fB+orphan\fP] [\fIfilter\fP\&...]
+Purge zone data, zone file, journal, timers, and/or KASP data of specified zones.
+Available filters are \fB+expire\fP, \fB+zonefile\fP, \fB+journal\fP, \fB+timers\fP,
+\fB+kaspdb\fP, and \fB+catalog\fP\&. If no filter is specified, all filters are enabled.
+If the zone is no longer configured, add \fB+orphan\fP parameter (zone file cannot
+be purged in this case). When purging orphans, always check the server log for
+possible errors. This command always requires the force option. (#)
+.TP
+\fBzone\-stats\fP \fIzone\fP [\fImodule\fP[\fB\&.\fP\fIcounter\fP]]
+Show zone statistics counter(s). To print also counters with value 0, use
+force option.
+.TP
+\fBconf\-init\fP
+Initialize the configuration database. If the database doesn\(aqt exist yet,
+execute this command as an intended user to ensure the server is permitted
+to access the database (e.g. \fIsudo \-u knot knotc conf\-init\fP). (*)
+.TP
+\fBconf\-check\fP
+Check the server configuration. (*)
+.TP
+\fBconf\-import\fP \fIfilename\fP
+Import a configuration file into the configuration database. If the database
+doesn\(aqt exist yet, execute this command as an intended user to ensure the server
+is permitted to access the database (e.g. \fIsudo \-u knot knotc conf\-import ...\fP).
+Also ensure the server is not using the configuration database at the same time! (*)
+.TP
+\fBconf\-export\fP [\fIfilename\fP]
+Export the configuration database into a config file or stdout. (*)
+.TP
+\fBconf\-list\fP [\fIitem\fP]
+List the configuration database sections or section items.
+.TP
+\fBconf\-read\fP [\fIitem\fP]
+Read the item from the active configuration database.
+.TP
+\fBconf\-begin\fP
+Begin a writing configuration database transaction. Only one transaction
+can be opened at a time.
+.TP
+\fBconf\-commit\fP
+Commit the configuration database transaction.
+.TP
+\fBconf\-abort\fP
+Rollback the configuration database transaction.
+.TP
+\fBconf\-diff\fP [\fIitem\fP]
+Get the item difference in the transaction.
+.TP
+\fBconf\-get\fP [\fIitem\fP]
+Get the item data from the transaction.
+.TP
+\fBconf\-set\fP \fIitem\fP [\fIdata\fP\&...]
+Set the item data in the transaction.
+.TP
+\fBconf\-unset\fP [\fIitem\fP] [\fIdata\fP\&...]
+Unset the item data in the transaction.
+.UNINDENT
+.SS Notes
+.sp
+Empty or \fB\-\-\fP \fIzone\fP parameter means all zones or all zones with a transaction.
+.sp
+Use \fB@\fP \fIowner\fP to denote the zone name.
+.sp
+Type \fIitem\fP parameter in the form of \fIsection\fP[\fB[\fP\fIid\fP\fB]\fP][\fB\&.\fP\fIname\fP].
+.sp
+(*) indicates a local operation which requires a configuration.
+.sp
+(#) indicates an optionally blocking operation.
+.sp
+The \fB\-b\fP and \fB\-f\fP options can be placed right after the command name.
+.sp
+Responses returned by \fIknotc\fP commands depend on the mode:
+.INDENT 0.0
+.IP \(bu 2
+In the blocking mode, \fIknotc\fP reports if an error occurred during processing
+of the command by the server. If an error is reported, a more detailed information
+about the failure can usually be found in the server log.
+.IP \(bu 2
+In the non\-blocking (default) mode, \fIknotc\fP doesn\(aqt report processing errors.
+The \fIOK\fP response to triggering commands means that the command has been successfully
+sent to the server. To verify if the operation succeeded, it\(aqs necessary to
+check the server log.
+.UNINDENT
+.sp
+Actions \fBzone\-flush\fP, \fBzone\-backup\fP, and \fBzone\-restore\fP are carried out by
+the \fIknotd\fP process. The directory specified must be accessible to the user account
+that \fIknotd\fP runs under and if the directory already exists, its permissions must be
+appropriate for that user account.
+.SS Interactive mode
+.sp
+The utility provides interactive mode with basic line editing functionality,
+command completion, and command history.
+.sp
+Interactive mode behavior can be customized in \fI~/.editrc\fP\&. Refer to
+\fBeditrc(5)\fP for details.
+.sp
+Command history is saved in \fI~/.knotc_history\fP\&.
+.SH EXIT VALUES
+.sp
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+.SH EXAMPLES
+.SS Reload the whole server configuration
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knotc reload
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Flush the example.com and example.org zones
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knotc zone\-flush example.com example.org
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Get the current server configuration
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knotc conf\-read server
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Get the list of the current zones
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knotc conf\-read zone.domain
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Get the primary servers for the example.com zone
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knotc conf\-read \(aqzone[example.com].master\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Add example.org zone with a zonefile location
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knotc conf\-begin
+$ knotc conf\-set \(aqzone[example.org]\(aq
+$ knotc conf\-set \(aqzone[example.org].file\(aq \(aq/var/zones/example.org.zone\(aq
+$ knotc conf\-commit
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Get the SOA record for each configured zone
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knotc zone\-read \-\- @ SOA
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBknotd(8)\fP, \fBknot.conf(5)\fP, \fBeditrc(5)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2023, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/knotd.8in b/doc/man/knotd.8in
new file mode 100644
index 0000000..d4d18a3
--- /dev/null
+++ b/doc/man/knotd.8in
@@ -0,0 +1,90 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "KNOTD" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+knotd \- Knot DNS server daemon
+.SH SYNOPSIS
+.sp
+\fBknotd\fP [\fIparameters\fP]
+.SH DESCRIPTION
+.sp
+Knot DNS is a high\-performance authoritative DNS server. The \fIknotd\fP program is
+the DNS server daemon.
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
+Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+.TP
+\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
+Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+The default configuration database, if exists, has a preference to the default
+configuration file.
+.TP
+\fB\-m\fP, \fB\-\-max\-conf\-size\fP \fIMiB\fP
+Set maximum size of the configuration database
+(default is @conf_mapsize@ MiB, maximum 10000 MiB).
+.TP
+\fB\-s\fP, \fB\-\-socket\fP \fIpath\fP
+Use a remote control UNIX socket path (default is \fB@run_dir@/knot.sock\fP).
+.TP
+\fB\-d\fP, \fB\-\-daemonize\fP [\fIdirectory\fP]
+Run the server as a daemon. New root directory may be specified
+(default is \fB/\fP).
+.TP
+\fB\-v\fP, \fB\-\-verbose\fP
+Enable debug output.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.UNINDENT
+.SS Signals
+.sp
+If the \fIknotd\fP process receives a SIGHUP signal, it reloads its configuration and
+reopens the log files, if they are configured. When \fIknotd\fP receives a SIGUSR1
+signal, it reloads all configured zones. Upon receiving a SIGINT signal, \fIknotd\fP
+exits.
+.SH EXIT VALUES
+.sp
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+.SH SEE ALSO
+.sp
+\fBknot.conf(5)\fP, \fBknotc(8)\fP, \fBkeymgr(8)\fP,
+\fBkjournalprint(8)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2023, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/knsec3hash.1in b/doc/man/knsec3hash.1in
new file mode 100644
index 0000000..624f99d
--- /dev/null
+++ b/doc/man/knsec3hash.1in
@@ -0,0 +1,93 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "KNSEC3HASH" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+knsec3hash \- Simple utility to compute NSEC3 hash
+.SH SYNOPSIS
+.sp
+\fBknsec3hash\fP \fIsalt\fP \fIalgorithm\fP \fIiterations\fP \fIname\fP
+.sp
+\fBknsec3hash\fP \fIalgorithm\fP \fIflags\fP \fIiterations\fP \fIsalt\fP \fIname\fP
+.SH DESCRIPTION
+.sp
+This utility generates a NSEC3 hash for a given domain name and parameters of NSEC3 hash.
+.SS Parameters
+.INDENT 0.0
+.TP
+\fIsalt\fP
+Specifies a binary salt encoded as a hexadecimal string.
+.TP
+\fIalgorithm\fP
+Specifies a hashing algorithm by number. Currently, the only supported algorithm is SHA\-1 (number 1).
+.TP
+\fIiterations\fP
+Specifies the number of additional iterations of the hashing algorithm.
+.TP
+\fIname\fP
+Specifies the domain name to be hashed.
+.UNINDENT
+.SH EXIT VALUES
+.sp
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+.SH EXAMPLES
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knsec3hash 1 0 10 c01dcafe knot\-dns.cz
+7PTVGE7QV67EM61ROS9238P5RAKR2DM7 (salt=c01dcafe, hash=1, iterations=10)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knsec3hash \- 1 0 net
+A1RT98BS5QGC9NFI51S9HCI47ULJG6JH (salt=\-, hash=1, iterations=0)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fI\%RFC 5155\fP – DNS Security (DNSSEC) Hashed Authenticated Denial of Existence.
+.sp
+\fBknotc(8)\fP, \fBknotd(8)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2023, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/knsupdate.1in b/doc/man/knsupdate.1in
new file mode 100644
index 0000000..49438ad
--- /dev/null
+++ b/doc/man/knsupdate.1in
@@ -0,0 +1,211 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "KNSUPDATE" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+knsupdate \- Dynamic DNS update utility
+.SH SYNOPSIS
+.sp
+\fBknsupdate\fP [\fIoptions\fP] [\fIfilename\fP]
+.SH DESCRIPTION
+.sp
+This utility sends Dynamic DNS update messages to a DNS server. Update content
+is read from a file (if the parameter \fIfilename\fP is given) or from the standard
+input.
+.sp
+The format of updates is textual and is made up of commands. Every command is
+placed on the separate line of the input. Lines starting with a semicolon are
+comments and are not processed.
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-d\fP
+Enable debug messages.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-k\fP \fIkeyfile\fP
+Use the TSIG key stored in a file \fIkeyfile\fP to authenticate the request. The
+file should contain the key in the same format, which is accepted by the
+\fB\-y\fP option.
+.TP
+\fB\-p\fP \fIport\fP
+Set the port to use for connections to the server (if not explicitly specified
+in the update). The default is 53.
+.TP
+\fB\-r\fP \fIretries\fP
+The number of retries for UDP requests. The default is 3.
+.TP
+\fB\-t\fP \fItimeout\fP
+The total timeout (for all UDP update tries) of the update request in seconds.
+The default is 12. If set to zero, the timeout is infinite.
+.TP
+\fB\-v\fP
+Use a TCP connection.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.TP
+\fB\-y\fP [\fIalg\fP:]\fIname\fP:\fIkey\fP
+Use the TSIG key with a name \fIname\fP to authenticate the request. The \fIalg\fP
+part specifies the algorithm (the default is hmac\-sha256) and \fIkey\fP specifies
+the shared secret encoded in Base64.
+.UNINDENT
+.SS Commands
+.INDENT 0.0
+.TP
+\fBserver\fP \fIname\fP [\fIport\fP]
+Specifies a receiving server of the dynamic update message. The \fIname\fP parameter
+can be either a host name or an IP address. If the \fIport\fP is not specified,
+the default port is used. The default port value can be controlled using
+the \fB\-p\fP program option.
+.TP
+\fBlocal\fP \fIaddress\fP [\fIport\fP]
+Specifies outgoing \fIaddress\fP and \fIport\fP\&. If no local is specified, the
+address and port are set by the system automatically. The default port number
+is 0.
+.TP
+\fBzone\fP \fIname\fP
+Specifies that all updates are done within a zone \fIname\fP\&. The zone name doesn\(aqt
+have a default and must be set explicitly.
+.TP
+\fBorigin\fP \fIname\fP
+Specifies fully qualified domain name suffix which is appended to non\-fqd
+owners in update commands. The default is the terminal label (\fB\&.\fP).
+.TP
+\fBclass\fP \fIname\fP
+Sets \fIname\fP as the default class for all updates. If not used, the default
+class is IN.
+.TP
+\fBttl\fP \fIvalue\fP
+Sets \fIvalue\fP as the default TTL (in seconds). If not used, the default value
+is 3600.
+.TP
+\fBkey\fP [\fIalg\fP:]\fIname\fP \fIkey\fP
+Specifies the TSIG \fIkey\fP named \fIname\fP to authenticate the request. An optional
+\fIalg\fP algorithm can be specified. This command has the same effect as
+the program option \fB\-y\fP\&.
+.TP
+[\fBprereq\fP] \fBnxdomain\fP \fIname\fP
+Adds a prerequisite for a non\-existing record owned by \fIname\fP\&.
+.TP
+[\fBprereq\fP] \fByxdomain\fP \fIname\fP
+Adds a prerequisite for an existing record owned by \fIname\fP\&.
+.TP
+[\fBprereq\fP] \fBnxrrset\fP \fIname\fP [\fIclass\fP] \fItype\fP
+Adds a prerequisite for a non\-existing record of the \fItype\fP owned by \fIname\fP\&.
+Internet \fIclass\fP is expected.
+.TP
+[\fBprereq\fP] \fByxrrset\fP \fIname\fP [\fIclass\fP] \fItype\fP [\fIdata\fP]
+Adds a prerequisite for an existing record of the \fItype\fP owned by \fIname\fP
+with optional \fIdata\fP\&. Internet \fIclass\fP is expected.
+.TP
+[\fBupdate\fP] \fBadd\fP \fIname\fP [\fIttl\fP] [\fIclass\fP] \fItype\fP \fIdata\fP
+Adds a request to add a new resource record into the zone.
+Please note that if the \fIname\fP is not fully qualified domain name, the
+current origin name is appended to it.
+.TP
+[\fBupdate\fP] \fBdel\fP[\fBete\fP] \fIname\fP [\fIttl\fP] [\fIclass\fP] [\fItype\fP] [\fIdata\fP]
+Adds a request to remove all (or matching \fIclass\fP, \fItype\fP or \fIdata\fP)
+resource records from the zone. There is the same requirement for the \fIname\fP
+parameter as in \fBupdate add\fP command. The \fIttl\fP item is ignored.
+.TP
+\fBshow\fP
+Displays current content of the update message.
+.TP
+\fBsend\fP
+Sends the current update message and cleans the list of updates.
+.TP
+\fBanswer\fP
+Displays the last answer from the server.
+.TP
+\fBdebug\fP
+Enable debugging. This command has the same meaning as the \fB\-d\fP program option.
+.TP
+\fBexit\fP
+End the program.
+.UNINDENT
+.SH NOTES
+.sp
+Options \fB\-k\fP and \fB\-y\fP can not be used simultaneously.
+.sp
+Dnssec\-keygen keyfile format is not supported. Use \fBkeymgr(8)\fP instead.
+.sp
+Zone name/server guessing is not supported if the zone name/server is not specified.
+.sp
+Empty line doesn\(aqt send the update.
+.SS Interactive mode
+.sp
+The utility provides interactive mode with basic line editing functionality,
+command completion, and command history.
+.sp
+Interactive mode behavior can be customized in \fI~/.editrc\fP\&. Refer to
+\fBeditrc(5)\fP for details.
+.sp
+Command history is saved in \fI~/.knsupdate_history\fP\&.
+.SH EXIT VALUES
+.sp
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+.SH EXAMPLES
+.INDENT 0.0
+.IP 1. 3
+Send one update of the zone example.com to the server 192.168.1.1. The update
+contains two new records:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ knsupdate
+knsupdate> server 192.168.1.1
+knsupdate> zone example.com.
+knsupdate> origin example.com.
+knsupdate> ttl 3600
+knsupdate> add test1.example.com. 7200 A 192.168.2.2
+knsupdate> add test2 TXT "hello"
+knsupdate> show
+knsupdate> send
+knsupdate> answer
+knsupdate> exit
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBkdig(1)\fP, \fBkhost(1)\fP, \fBkeymgr(8)\fP, \fBeditrc(5)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2023, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/kxdpgun.8in b/doc/man/kxdpgun.8in
new file mode 100644
index 0000000..3304838
--- /dev/null
+++ b/doc/man/kxdpgun.8in
@@ -0,0 +1,241 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "KXDPGUN" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+kxdpgun \- XDP-powered DNS benchmarking tool
+.SH SYNOPSIS
+.sp
+\fBkxdpgun\fP [\fIoptions\fP] \fB\-i\fP \fIfilename\fP \fItargetIP\fP
+.SH DESCRIPTION
+.sp
+Powerful generator of DNS traffic, sending and receiving packets through XDP.
+.sp
+Queries are generated according to a textual file which is read sequentially
+in a loop until a configured duration elapses. The order of queries is not
+guaranteed. Responses are received (unless disabled) and counted, but not
+checked against queries.
+.sp
+The number of parallel threads is autodetected according to the number of queues
+configured for the network interface.
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-t\fP, \fB\-\-duration\fP \fIseconds\fP
+Duration of traffic generation, specified as a decimal number in seconds
+(default is 5.0).
+.TP
+\fB\-T\fP, \fB\-\-tcp\fP[\fB=\fP\fIdebug_mode\fP]
+Send queries over TCP. See the list of optional debug modes below.
+.TP
+\fB\-U\fP, \fB\-\-quic\fP[\fB=\fP\fIdebug_mode\fP]
+Send queries over QUIC. See the list of optional debug modes below.
+.TP
+\fB\-Q\fP, \fB\-\-qps\fP \fIqueries\fP
+Number of queries\-per\-second (approximately) to be sent (default is 1000).
+The program is not optimized for low speeds at which it may lose
+communication packets. The recommended minimum speed is 2 packets per thread
+(Rx/Tx queue).
+.TP
+\fB\-b\fP, \fB\-\-batch\fP \fIsize\fP
+Send more queries in a batch. Improves QPS but may affect the counterpart\(aqs
+packet loss (default is 10 for UDP and 1 for TCP/QUIC).
+.TP
+\fB\-r\fP, \fB\-\-drop\fP
+Drop incoming responses. Improves QPS, but disables response statistics.
+.TP
+\fB\-p\fP, \fB\-\-port\fP \fInumber\fP
+Remote destination port (default is 53 for UDP/TCP, 853 for QUIC).
+.TP
+\fB\-F\fP, \fB\-\-affinity\fP \fIcpu_spec\fP
+CPU affinity for all threads specified in the format [<cpu_start>][s<cpu_step>],
+where <cpu_start> is the CPU ID for the first thread and <cpu_step> is the
+CPU ID increment for next thread (default is 0s1).
+.TP
+\fB\-i\fP, \fB\-\-infile\fP \fIfilename\fP
+Path to a file with query templates.
+.TP
+\fB\-I\fP, \fB\-\-interface\fP \fIinterface\fP
+Network interface for outgoing communication. This can be useful in situations
+when the interfaces are in a bond for example.
+.TP
+\fB\-l\fP, \fB\-\-local\fP \fIlocalIP\fP[\fB/\fP\fIprefix\fP]
+Override the auto\-detected source IP address. If an address range is specified
+instead, various IPs from the range will be used for different queries uniformly
+(address range not supported in the QUIC mode).
+.TP
+\fItargetIP\fP
+The IPv4 or IPv6 address of remote destination.
+.TP
+\fB\-L\fP, \fB\-\-mac\-local\fP
+Override auto\-detected local MAC address.
+.TP
+\fB\-R\fP, \fB\-\-mac\-remote\fP
+Override auto\-detected remote MAC address.
+.TP
+\fB\-v\fP, \fB\-\-vlan\fP \fIid\fP
+Add VLAN 802.1Q header with the given id. VLAN offloading should be disabled.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.UNINDENT
+.SS Queries file format
+.sp
+Each line describes a query in the form:
+.sp
+\fIquery_name\fP \fIquery_type\fP [\fIflags\fP]
+.sp
+Where \fIquery_name\fP is a domain name to be queried, \fIquery_type\fP is a record type
+name, and \fIflags\fP is a single character:
+.sp
+\fBE\fP Send query with EDNS.
+.sp
+\fBD\fP Request DNSSEC (EDNS + DO flag).
+.SS TCP/QUIC debug modes
+.INDENT 0.0
+.TP
+\fB0\fP
+Perform full handshake for all connections (QUIC only).
+.TP
+\fB1\fP
+Just send SYN (Initial) and receive SYN\-ACK (Handshake).
+.TP
+\fB2\fP
+Perform TCP/QUIC handshake and don\(aqt send anything, allow close initiated by counterpart.
+.TP
+\fB3\fP
+Perform TCP/QUIC handshake and don\(aqt react further.
+.TP
+\fB5\fP
+Send incomplete query (N\-1 bytes) and don\(aqt react further.
+.TP
+\fB7\fP
+Send query and don\(aqt ACK the response or anything further.
+.TP
+\fB8\fP
+Don\(aqt close the connection and ignore close by counterpart (TCP only).
+.TP
+\fB9\fP
+Operate normally except for not ACKing the final FIN+ACK (TCP only).
+.UNINDENT
+.SS Signals
+.sp
+Sending USR1 signal to a running process triggers current statistics dump
+to the standard output.
+.SH NOTES
+.sp
+Linux kernel 4.18+ is required.
+.sp
+The utility has to be executed under root or with these capabilities:
+CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_ADMIN, CAP_IPC_LOCK, and CAP_SYS_RESOURCE
+(Linux < 5.11).
+.sp
+The utility allocates source UDP/TCP ports from the range 2000\-65535.
+.SH EXIT VALUES
+.sp
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+.SH EXAMPLES
+.sp
+Manually created queries file:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+abc6.example.com. AAAA
+nxdomain.example.com. A
+notzone. A
+a.example.com. NS E
+ab.example.com. A D
+abcd.example.com. DS D
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Queries file generated from a zone file (Knot DNS format):
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+cat ZONE_FILE | awk "{print \e$1,\e$3}" | grep \-E "(NS|DS|A|AAAA|PTR|MX|SOA)$" | sort \-u \-R > queries.txt
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Basic usage:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+# kxdpgun \-i ~/queries.txt 2001:DB8::1
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fIUsing UDP with increased batch size\fP:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+# kxdpgun \-t 20 \-Q 1000000 \-i ~/queries.txt \-b 20 \-p 8853 192.0.2.1
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fIUsing TCP\fP:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+# kxdpgun \-t 20 \-Q 100000 \-i ~/queries.txt \-T \-p 8853 192.0.2.1
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBkdig(1)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2023, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/kzonecheck.1in b/doc/man/kzonecheck.1in
new file mode 100644
index 0000000..6f8a834
--- /dev/null
+++ b/doc/man/kzonecheck.1in
@@ -0,0 +1,88 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "KZONECHECK" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+kzonecheck \- Knot DNS zone check tool
+.SH SYNOPSIS
+.sp
+\fBkzonecheck\fP [\fIoptions\fP] \fIfilename\fP
+.SH DESCRIPTION
+.sp
+The utility checks zone file syntax and runs semantic checks on the zone
+content. The executed checks are the same as the checks run by the Knot
+DNS server.
+.sp
+Please, refer to the \fBsemantic\-checks\fP configuration option in
+\fBknot.conf(5)\fP for the full list of available semantic checks.
+.SS Parameters
+.INDENT 0.0
+.TP
+\fIfilename\fP
+Path to the zone file to be checked. For reading from \fBstdin\fP use \fB/dev/stdin\fP
+or just \fB\-\fP\&.
+.UNINDENT
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-o\fP, \fB\-\-origin\fP \fIorigin\fP
+Zone origin. If not specified, the origin is determined from the file name
+(possibly removing the \fB\&.zone\fP suffix).
+.TP
+\fB\-d\fP, \fB\-\-dnssec\fP \fBon\fP|\fBoff\fP
+Also check DNSSEC\-related records. The default is to decide based on the
+existence of a RRSIG for SOA.
+.TP
+\fB\-t\fP, \fB\-\-time\fP \fItime\fP
+Current time specification. Use UNIX timestamp, YYYYMMDDHHmmSS
+format, or [+/\-]\fItime\fP[unit] format, where unit can be \fBY\fP, \fBM\fP,
+\fBD\fP, \fBh\fP, \fBm\fP, or \fBs\fP\&. Default is current UNIX timestamp.
+.TP
+\fB\-v\fP, \fB\-\-verbose\fP
+Enable debug output.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.UNINDENT
+.SH EXIT VALUES
+.sp
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+.SH SEE ALSO
+.sp
+\fBknotd(8)\fP, \fBknot.conf(5)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2023, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/kzonesign.1in b/doc/man/kzonesign.1in
new file mode 100644
index 0000000..32a2095
--- /dev/null
+++ b/doc/man/kzonesign.1in
@@ -0,0 +1,95 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "KZONESIGN" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+kzonesign \- DNSSEC signing utility
+.SH SYNOPSIS
+.sp
+\fBkzonesign\fP [\fIconfig_option\fP \fIconfig_argument\fP] [\fIoptions\fP] \fIzone_name\fP
+.SH DESCRIPTION
+.sp
+This utility reads the zone\(aqs zone file, signs the zone according to given
+configuration, and writes the signed zone file back. An alternative mode
+is DNSSEC validation of the given zone. The signing or validation
+can run in parallel if enabled in the configuration (see policy.signing\-threads
+and zone.adjust\-threads).
+.SS Config options
+.INDENT 0.0
+.TP
+\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
+Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+.TP
+\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
+Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+The default configuration database, if exists, has a preference to the default
+configuration file.
+.UNINDENT
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-o\fP, \fB\-\-outdir\fP \fIdir_name\fP
+Write the output zone file to the specified directory instead of the configured one.
+.TP
+\fB\-r\fP, \fB\-\-rollover\fP
+Allow key roll\-overs and NSEC3 re\-salt. In order to finish possible KSK submission,
+set the KSK\(aqs \fBactive\fP timestamp to now (\fB+0\fP) using keymgr\&.
+.TP
+\fB\-v\fP, \fB\-\-verify\fP
+Instead of (re\-)signing the zone, just verify that the zone is correctly signed.
+.TP
+\fB\-t\fP, \fB\-\-time\fP \fItimestamp\fP
+Sign/verify the zone (and roll the keys if necessary) as if it was at the time
+specified by timestamp.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version.
+.UNINDENT
+.SS Parameters
+.INDENT 0.0
+.TP
+\fIzone_name\fP
+A name of the zone to be signed.
+.UNINDENT
+.SH EXIT VALUES
+.sp
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+.SH SEE ALSO
+.sp
+\fBknot.conf(5)\fP, \fBkeymgr(8)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2023, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man_kcatalogprint.rst b/doc/man_kcatalogprint.rst
new file mode 100644
index 0000000..0fb5088
--- /dev/null
+++ b/doc/man_kcatalogprint.rst
@@ -0,0 +1,54 @@
+.. highlight:: console
+
+kcatalogprint – Knot DNS catalog print utility
+==============================================
+
+Synopsis
+--------
+
+:program:`kcatalogprint` [*config_option* *config_argument*] [*option*]
+
+Description
+-----------
+
+The program prints zone catalog stored in a catalog database.
+
+Config options
+..............
+
+**-c**, **--config** *file*
+ Use a textual configuration file (default is :file:`@config_dir@/knot.conf`).
+
+**-C**, **--confdb** *directory*
+ Use a binary configuration database directory (default is :file:`@storage_dir@/confdb`).
+ The default configuration database, if exists, has a preference to the default
+ configuration file.
+
+**-D**, **--dir** *path*
+ Use specified catalog database path and default configuration.
+
+Options
+.......
+
+**-a**, **--catalog**
+ Filter the output by catalog zone name.
+
+**-m**, **--member**
+ Filter the output by member zone name.
+
+**-h**, **--help**
+ Print the program help.
+
+**-V**, **--version**
+ Print the program version.
+
+Exit values
+-----------
+
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+
+See Also
+--------
+
+:manpage:`knotd(8)`, :manpage:`knot.conf(5)`.
diff --git a/doc/man_kdig.rst b/doc/man_kdig.rst
new file mode 100644
index 0000000..122fefa
--- /dev/null
+++ b/doc/man_kdig.rst
@@ -0,0 +1,392 @@
+.. highlight:: console
+
+``kdig`` – Advanced DNS lookup utility
+======================================
+
+Synopsis
+--------
+
+:program:`kdig` [*common-settings*] [*query* [*settings*]]...
+
+:program:`kdig` **-h**
+
+Description
+-----------
+
+This utility sends one or more DNS queries to a nameserver. Each query can have
+individual *settings*, or it can be specified globally via *common-settings*,
+which must precede *query* specification.
+
+Parameters
+..........
+
+*query*
+ *name* | **-q** *name* | **-x** *address* | **-G** *tapfile*
+
+*common-settings*, *settings*
+ [*query_class*] [*query_type*] [**@**\ *server*]... [*options*]
+
+*name*
+ Is a domain name that is to be looked up.
+
+*server*
+ Is a domain name or an IPv4 or IPv6 address of the nameserver to send a query
+ to. An additional port can be specified using address:port ([address]:port
+ for IPv6 address), address@port, or address#port notation. A value which begins
+ with '/' character is considered an absolute UNIX socket path. If no server is
+ specified, the servers from :file:`/etc/resolv.conf` are used.
+
+If no arguments are provided, :program:`kdig` sends NS query for the root
+zone.
+
+Query classes
+.............
+
+A *query_class* can be either a DNS class name (IN, CH) or generic class
+specification **CLASS**\ *XXXXX* where *XXXXX* is a corresponding decimal
+class number. The default query class is IN.
+
+Query types
+...........
+
+A *query_type* can be either a DNS resource record type
+(A, AAAA, NS, SOA, DNSKEY, ANY, etc.) or one of the following:
+
+**TYPE**\ *XXXXX*
+ Generic query type specification where *XXXXX* is a corresponding decimal
+ type number.
+
+**AXFR**
+ Full zone transfer request.
+
+**IXFR=**\ *serial*
+ Incremental zone transfer request for specified SOA serial number
+ (i.e. all zone updates since the specified zone version are to be returned).
+
+**NOTIFY=**\ *serial*
+ Notify message with a SOA serial hint specified.
+
+**NOTIFY**
+ Notify message with a SOA serial hint unspecified.
+
+The default query type is A.
+
+Options
+.......
+
+**-4**
+ Use the IPv4 protocol only.
+
+**-6**
+ Use the IPv6 protocol only.
+
+**-b** *address*
+ Set the source IP address of the query to *address*. The address must be a
+ valid address for local interface or :: or 0.0.0.0. An optional port
+ can be specified in the same format as the *server* value.
+
+**-c** *class*
+ An explicit *query_class* specification. See possible values above.
+
+**-d**
+ Enable debug messages.
+
+**-h**, **--help**
+ Print the program help.
+
+**-k** *keyfile*
+ Use the TSIG key stored in a file *keyfile* to authenticate the request. The
+ file must contain the key in the same format as accepted by the
+ **-y** option.
+
+**-p** *port*
+ Set the nameserver port number or service name to send a query to. The default
+ port is 53.
+
+**-q** *name*
+ Set the query name. An explicit variant of *name* specification. If no *name*
+ is provided, empty question section is set.
+
+**-t** *type*
+ An explicit *query_type* specification. See possible values above.
+
+**-V**, **--version**
+ Print the program version.
+
+**-x** *address*
+ Send a reverse (PTR) query for IPv4 or IPv6 *address*. The correct name, class
+ and type is set automatically.
+
+**-y** [*alg*:]\ *name*:*key*
+ Use the TSIG key named *name* to authenticate the request. The *alg*
+ part specifies the algorithm (the default is hmac-sha256) and *key* specifies
+ the shared secret encoded in Base64.
+
+**-E** *tapfile*
+ Export a dnstap trace of the query and response messages received to the
+ file *tapfile*.
+
+**-G** *tapfile*
+ Generate message output from a previously saved dnstap file *tapfile*.
+
+**+**\ [\ **no**\ ]\ **multiline**
+ Wrap long records to more lines and improve human readability.
+
+**+**\ [\ **no**\ ]\ **short**
+ Show record data only.
+
+**+**\ [\ **no**\ ]\ **generic**
+ Use the generic representation format when printing resource record types
+ and data.
+
+**+**\ [\ **no**\ ]\ **crypto**
+ Display the DNSSEC keys and signatures values in base64, instead of omitting them.
+
+**+**\ [\ **no**\ ]\ **aaflag**
+ Set the AA flag.
+
+**+**\ [\ **no**\ ]\ **tcflag**
+ Set the TC flag.
+
+**+**\ [\ **no**\ ]\ **rdflag**
+ Set the RD flag.
+
+**+**\ [\ **no**\ ]\ **recurse**
+ Same as **+**\ [\ **no**\ ]\ **rdflag**
+
+**+**\ [\ **no**\ ]\ **raflag**
+ Set the RA flag.
+
+**+**\ [\ **no**\ ]\ **zflag**
+ Set the zero flag bit.
+
+**+**\ [\ **no**\ ]\ **adflag**
+ Set the AD flag.
+
+**+**\ [\ **no**\ ]\ **cdflag**
+ Set the CD flag.
+
+**+**\ [\ **no**\ ]\ **dnssec**
+ Set the DO flag.
+
+**+**\ [\ **no**\ ]\ **all**
+ Show all packet sections.
+
+**+**\ [\ **no**\ ]\ **qr**
+ Show the query packet.
+
+**+**\ [\ **no**\ ]\ **header**
+ Show the packet header.
+
+**+**\ [\ **no**\ ]\ **comments**
+ Show commented section names.
+
+**+**\ [\ **no**\ ]\ **opt**
+ Show the EDNS pseudosection.
+
+**+**\ [\ **no**\ ]\ **opttext**
+ Try to show unknown EDNS options as text.
+
+**+**\ [\ **no**\ ]\ **question**
+ Show the question section.
+
+**+**\ [\ **no**\ ]\ **answer**
+ Show the answer section.
+
+**+**\ [\ **no**\ ]\ **authority**
+ Show the authority section.
+
+**+**\ [\ **no**\ ]\ **additional**
+ Show the additional section.
+
+**+**\ [\ **no**\ ]\ **tsig**
+ Show the TSIG pseudosection.
+
+**+**\ [\ **no**\ ]\ **stats**
+ Show trailing packet statistics.
+
+**+**\ [\ **no**\ ]\ **class**
+ Show the DNS class.
+
+**+**\ [\ **no**\ ]\ **ttl**
+ Show the TTL value.
+
+**+**\ [\ **no**\ ]\ **tcp**
+ Use the TCP protocol (default is UDP for standard query and TCP for AXFR/IXFR).
+
+**+**\ [\ **no**\ ]\ **fastopen**
+ Use TCP Fast Open.
+
+**+**\ [\ **no**\ ]\ **ignore**
+ Don't use TCP automatically if a truncated reply is received.
+
+**+**\ [\ **no**\ ]\ **keepopen**
+ Keep TCP connection open for the following query if it has the same connection
+ configuration. This applies to +tcp, +tls, and +https operations. The connection
+ is considered in the context of a single kdig call only.
+
+**+**\ [\ **no**\ ]\ **tls**
+ Use TLS with the Opportunistic privacy profile (:rfc:`7858#section-4.1`).
+
+**+**\ [\ **no**\ ]\ **tls-ca**\[\ =\ *FILE*\]
+ Use TLS with a certificate validation. Certification authority certificates
+ are loaded from the specified PEM file (default is system certificate storage
+ if no argument is provided).
+ Can be specified multiple times. If the +tls-hostname option is not provided,
+ the name of the target server (if specified) is used for strict authentication.
+
+**+**\ [\ **no**\ ]\ **tls-pin**\ =\ *BASE64*
+ Use TLS with the Out-of-Band key-pinned privacy profile (:rfc:`7858#section-4.2`).
+ The PIN must be a Base64 encoded SHA-256 hash of the X.509 SubjectPublicKeyInfo.
+ Can be specified multiple times.
+
+**+**\ [\ **no**\ ]\ **tls-hostname**\ =\ *STR*
+ Use TLS with a remote server hostname check.
+
+**+**\ [\ **no**\ ]\ **tls-sni**\ =\ *STR*
+ Use TLS with a Server Name Indication.
+
+**+**\ [\ **no**\ ]\ **tls-keyfile**\ =\ *FILE*
+ Use TLS with a client keyfile.
+
+**+**\ [\ **no**\ ]\ **tls-certfile**\ =\ *FILE*
+ Use TLS with a client certfile.
+
+**+**\ [\ **no**\ ]\ **tls-ocsp-stapling**\[\ =\ *H*\]
+ Use TLS with a valid stapled OCSP response for the server certificate
+ (%u or specify hours). OCSP responses older than the specified period are
+ considered invalid.
+
+**+**\ [\ **no**\ ]\ **https**\[\ =\ *URL*\]
+ Use HTTPS (DNS-over-HTTPS) in wire format (:rfc:`1035#section-4.2.1`).
+ It is also possible to specify URL=\[authority\]\[/path\] where request
+ will be sent to. Any leading scheme and authority indicator (i.e. //) are ignored.
+ Authority might also be specified as the *server* (using the parameter `@`).
+ If *path* is specified and *authority* is missing, then the *server*
+ is used as authority together with the specified *path*.
+ Library *libnghttp2* is required.
+
+**+**\ [\ **no**\ ]\ **https-get**
+ Use HTTPS with HTTP/GET method instead of the default HTTP/POST method.
+ Library *libnghttp2* is required.
+
+**+**\ [\ **no**\ ]\ **quic**
+ Use QUIC (DNS-over-QUIC).
+
+**+**\ [\ **no**\ ]\ **nsid**
+ Request the nameserver identifier (NSID).
+
+**+**\ [\ **no**\ ]\ **bufsize**\ =\ *B*
+ Set EDNS buffer size in bytes (default is 4096 bytes).
+
+**+**\ [\ **no**\ ]\ **padding**\[\ =\ *B*\]
+ Use EDNS(0) padding option to pad queries, optionally to a specific
+ size. The default is to pad queries with a sensible amount when using
+ +tls, and not to pad at all when queries are sent without TLS. With
+ no argument (i.e., just +padding) pad every query with a sensible
+ amount regardless of the use of TLS. With +nopadding, never pad.
+
+**+**\ [\ **no**\ ]\ **alignment**\[\ =\ *B*\]
+ Align the query to B\-byte-block message using the EDNS(0) padding option
+ (default is no or 128 if no argument is specified).
+
+**+**\ [\ **no**\ ]\ **subnet**\ =\ *SUBN*
+ Set EDNS(0) client subnet SUBN=addr/prefix.
+
+**+**\ [\ **no**\ ]\ **edns**\[\ =\ *N*\]
+ Use EDNS version (default is 0).
+
+**+**\ [\ **no**\ ]\ **timeout**\ =\ *T*
+ Set the wait-for-reply interval in seconds (default is 5 seconds). This timeout
+ applies to each query attempt. Zero value or *notimeout* is interpreted as
+ infinity.
+
+**+**\ [\ **no**\ ]\ **retry**\ =\ *N*
+ Set the number (>=0) of UDP retries (default is 2). This doesn't apply to
+ AXFR/IXFR.
+
+**+**\ [\ **no**\ ]\ **expire**
+ Sets the EXPIRE EDNS option.
+
+**+**\ [\ **no**\ ]\ **cookie**\[\ =\ *HEX*\]
+ Attach EDNS(0) cookie to the query.
+
+**+**\ [\ **no**\ ]\ **badcookie**
+ Repeat a query with the correct cookie.
+
+**+**\ [\ **no**\ ]\ **ednsopt**\[\ =\ *CODE*\[:*HEX*\]\]
+ Send custom EDNS option. The *CODE* is EDNS option code in decimal, *HEX*
+ is an optional hex encoded string to use as EDNS option value. This argument
+ can be used multiple times. +noednsopt clears all EDNS options specified by
+ +ednsopt.
+
+**+**\ [\ **no**\ ]\ **proxy**\ =\ *SRC_ADDR*\[#\ *SRC_PORT*\]-*DST_ADDR*\[#\ *DST_PORT*\]
+ Add PROXYv2 header with the specified source and destination addresses to the query.
+ The default source port is 0 and destination port 53.
+
+**+**\ [\ **no**\ ]\ **json**
+ Use JSON for output encoding (RFC 8427).
+
+**+noidn**
+ Disable the IDN transformation to ASCII and vice versa. IDN support depends
+ on libidn availability during project building! If used in *common-settings*,
+ all IDN transformations are disabled. If used in the individual query *settings*,
+ transformation from ASCII is disabled on output for the particular query. Note
+ that IDN transformation does not preserve domain name letter case.
+
+Notes
+-----
+
+Options **-k** and **-y** can not be used simultaneously.
+
+Dnssec-keygen keyfile format is not supported. Use :manpage:`keymgr(8)` instead.
+
+Exit values
+-----------
+
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+
+Examples
+--------
+
+1. Get A records for example.com::
+
+ $ kdig example.com A
+
+2. Perform AXFR for zone example.com from the server 192.0.2.1::
+
+ $ kdig example.com -t AXFR @192.0.2.1
+
+3. Get A records for example.com from 192.0.2.1 and reverse lookup for address
+ 2001:DB8::1 from 192.0.2.2. Both using the TCP protocol::
+
+ $ kdig +tcp example.com -t A @192.0.2.1 -x 2001:DB8::1 @192.0.2.2
+
+4. Get SOA record for example.com, use TLS, use system certificates, check
+ for specified hostname, check for certificate pin, and print additional
+ debug info::
+
+ $ kdig -d @185.49.141.38 +tls-ca +tls-host=getdnsapi.net \
+ +tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com
+
+5. DNS over HTTPS examples (various DoH implementations)::
+
+ $ kdig @1.1.1.1 +https example.com.
+ $ kdig @193.17.47.1 +https=/doh example.com.
+ $ kdig @8.8.4.4 +https +https-get example.com.
+ $ kdig @8.8.8.8 +https +tls-hostname=dns.google +fastopen example.com.
+
+6. More queries share one DoT connection::
+
+ $ kdig @1.1.1.1 +tls +keepopen abc.example.com A mail.example.com AAAA
+
+Files
+-----
+
+:file:`/etc/resolv.conf`
+
+See Also
+--------
+
+:manpage:`khost(1)`, :manpage:`knsupdate(1)`, :manpage:`keymgr(8)`.
diff --git a/doc/man_keymgr.rst b/doc/man_keymgr.rst
new file mode 100644
index 0000000..77f8e1a
--- /dev/null
+++ b/doc/man_keymgr.rst
@@ -0,0 +1,292 @@
+.. highlight:: console
+
+``keymgr`` – Key management utility
+===================================
+
+Synopsis
+--------
+
+:program:`keymgr` [*config_option* *config_argument*] [*option*...] *zone_name* *command* *argument*...
+
+:program:`keymgr` [*config_option* *config_argument*] **-l**
+
+:program:`keymgr` **-t** *parameter*...
+
+Description
+-----------
+
+The :program:`keymgr` utility serves for manual key management in Knot DNS server.
+
+Functions for DNSSEC keys and KASP (Key And Signature Policy)
+management are provided.
+
+The DNSSEC and KASP configuration is stored in a so called KASP database.
+The database is backed by LMDB.
+
+Config options
+..............
+
+**-c**, **--config** *file*
+ Use a textual configuration file (default is :file:`@config_dir@/knot.conf`).
+
+**-C**, **--confdb** *directory*
+ Use a binary configuration database directory (default is :file:`@storage_dir@/confdb`).
+ The default configuration database, if exists, has a preference to the default
+ configuration file.
+
+**-D**, **--dir** *path*
+ Use specified KASP database path and default configuration.
+
+Options
+.......
+
+**-t**, **--tsig** *tsig_name* [*tsig_algorithm* [*tsig_bits*]]
+ Generates a TSIG key. TSIG algorithm can be specified by string (default: hmac-sha256),
+ bit length of the key by number (default: optimal length given by algorithm). The generated
+ TSIG key is only displayed on `stdout`: the command does not create a file, nor include the
+ key in a keystore.
+
+**-e**, **--extended**
+ Extended output (listing of keys with full description).
+
+**-j**, **--json**
+ Print the zones or keys in JSON format.
+
+**-l**, **--list**
+ Print the list of zones that have at least one key stored in the configured KASP
+ database.
+
+**-x**, **--mono**
+ Don't generate colorized output.
+
+**-X**, **--color**
+ Force colorized output in the normal mode.
+
+**-h**, **--help**
+ Print the program help.
+
+**-V**, **--version**
+ Print the program version.
+
+.. NOTE::
+ Keymgr runs with the same user privileges as configured for :doc:`knotd<man_knotd>`.
+ For example, if keymgr is run as ``root``, but the configured :ref:`user<server_user>`
+ is ``knot``, it won't be able to read files (PEM files, KASP database, ...) readable
+ only by ``root``.
+
+Commands
+........
+
+**list** [*timestamp_format*]
+ Prints the list of key IDs and parameters of keys belonging to the zone.
+
+**generate** [*arguments*...]
+ Generates new DNSSEC key and stores it in KASP database. Prints the key ID.
+ This action takes some number of arguments (see below). Values for unspecified arguments are taken
+ from corresponding policy (if *-c* or *-C* options used) or from Knot policy defaults.
+
+**import-bind** *BIND_key_file*
+ Imports a BIND-style key into KASP database (converting it to PEM format).
+ Takes one argument: path to BIND key file (private or public, but both MUST exist).
+
+**import-pub** *BIND_pubkey_file*
+ Imports a public key into KASP database. This key won't be rolled over nor used for signing.
+ Takes one argument: path to BIND public key file.
+
+**import-pem** *PEM_file* [*arguments*...]
+ Imports a DNSSEC key from PEM file. The key parameters (same as for the generate action) need to be
+ specified (mainly algorithm, timers...) because they are not contained in the PEM format.
+
+**import-pkcs11** *key_id* [*arguments*...]
+ Imports a DNSSEC key from PKCS #11 storage. The key parameters (same as for the generate action) need to be
+ specified (mainly algorithm, timers...) because they are not available. In fact, no key
+ data is imported, only KASP database metadata is created.
+
+**nsec3-salt** [*new_salt*]
+ Prints the current NSEC3 salt used for signing. If *new_salt* is specified, the salt is overwritten.
+ The salt is printed and expected in hexadecimal, or dash if empty.
+
+**local-serial** [*new_serial*]
+ Print SOA serial stored in KASP database when using on-secondary DNSSEC signing.
+ If *new_serial* is specified, the serial is overwritten. After updating the serial, expire the zone
+ (**zone-purge +expire +zonefile +journal**) if the server is running, or remove corresponding zone file
+ and journal contents if the server is stopped.
+
+**master-serial** [*new_serial*]
+ Print SOA serial of the remote master stored in KASP database when using on-secondary DNSSEC signing.
+ If *new_serial* is specified, the serial is overwritten (not recommended).
+
+**set** *key_spec* [*arguments*...]
+ Changes a timing argument (or ksk/zsk) of an existing key to a new value. *Key_spec* is either the
+ key tag or a prefix of the key ID, with an optional *[id=|keytag=]* prefix; *arguments*
+ are like for **generate**, but just the related ones.
+
+**ds** [*key_spec*]
+ Generate DS record (all digest algorithms together) for specified key. *Key_spec*
+ is like for **set**, if unspecified, all KSKs are used.
+
+**dnskey** [*key_spec*]
+ Generate DNSKEY record for specified key. *Key_spec*
+ is like for **ds**, if unspecified, all KSKs are used.
+
+**delete** *key_spec*
+ Remove the specified key from zone. If the key was not shared, it is also deleted from keystore.
+
+**share** *key_ID* *zone_from*
+ Import a key (specified by full key ID) from another zone as shared. After this, the key is
+ owned by both zones equally.
+
+Commands related to Offline KSK feature
+.......................................
+
+**pregenerate** [*timestamp-from*] *timestamp-to*
+ Pre-generate ZSKs for use with offline KSK, for the specified period starting from now or specified time.
+ This function also applies to non-offline KSK keys.
+
+**show-offline** [*timestamp-from*] [*timestamp-to*]
+ Print pre-generated offline key-related records for specified time interval. If *timestamp_to*
+ is omitted, it will be to infinity. If *timestamp-from* is omitted, it will start from the
+ beginning.
+
+**del-offline** *timestamp-from* *timestamp-to*
+ Delete pre-generated offline key-related records in specified time interval.
+
+**del-all-old**
+ Delete old keys that are in state 'removed'. This function also applies to
+ non-offline KSK keys.
+
+**generate-ksr** [*timestamp-from*] *timestamp-to*
+ Print to stdout KeySigningRequest based on pre-generated ZSKs for specified time period.
+ If *timestamp-from* is omitted, timestamp of the last offline records set is used
+ or now if no records available.
+
+**sign-ksr** *ksr_file*
+ Read KeySigningRequest from a text file, sign it using local keyset and print SignedKeyResponse to stdout.
+
+**validate-skr** *skr_file*
+ Read SignedKeyResponse from a text file and validate the RRSIGs in it if not corrupt.
+
+**import-skr** *skr_file*
+ Read SignedKeyResponse from a text file and import the signatures for later use in zone. If some
+ signatures have already been imported, they will be deleted for the period from beginning of the SKR
+ to infinity.
+
+Generate arguments
+..................
+
+Arguments are separated by space, each of them is in format 'name=value'.
+
+**algorithm**
+ Either an algorithm number (e.g. 14), or text name without dashes (e.g. ECDSAP384SHA384).
+
+**size**
+ Key length in bits.
+
+**ksk**
+ If set to **yes**, the key will be used for signing DNSKEY rrset. The generated key will also
+ have the Secure Entry Point flag set to 1.
+
+**zsk**
+ If set to **yes**, the key will be used for signing zone (except DNSKEY rrset). This flag can
+ be set concurrently with the **ksk** flag.
+
+**sep**
+ Overrides the standard setting of the Secure Entry Point flag.
+
+The following arguments are timestamps of key lifetime (see :ref:`DNSSEC Key states`):
+
+**pre_active**
+ Key started to be used for signing, not published (only for algorithm rollover).
+
+**publish**
+ Key published.
+
+**ready**
+ Key is waiting for submission (only for KSK).
+
+**active**
+ Key used for signing.
+
+**retire_active**
+ Key still used for signing, but another key is active (only for KSK or algorithm rollover).
+
+**retire**
+ Key still published, but no longer used for signing.
+
+**post_active**
+ Key no longer published, but still used for signing (only for algorithm rollover).
+
+**revoke**
+ Key revoked according to :rfc:`5011` trust anchor roll-over.
+
+**remove**
+ Key deleted.
+
+Timestamps
+..........
+
+0
+ Zero timestamp means infinite future.
+
+*UNIX_time*
+ Positive number of seconds since 1970 UTC.
+
+*YYYYMMDDHHMMSS*
+ Date and time in this format without any punctuation.
+
+*relative_timestamp*
+ A sign character (**+**, **-**), a number, and an optional time unit
+ (**y**, **mo**, **d**, **h**, **mi**, **s**). The default unit is one second.
+ E.g. +1mi, -2mo.
+
+Output timestamp formats
+........................
+
+(none)
+ The timestamps are printed as UNIX timestamp.
+
+**human**
+ The timestamps are printed relatively to now using time units (e.g. -2y5mo, +1h13s).
+
+**iso**
+ The timestamps are printed in the ISO8601 format (e.g. 2016-12-31T23:59:00).
+
+Exit values
+-----------
+
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+
+Examples
+--------
+
+1. Generate new TSIG key::
+
+ $ keymgr -t my_name hmac-sha384
+
+2. Generate new DNSSEC key::
+
+ $ keymgr example.com. generate algorithm=ECDSAP256SHA256 size=256 \
+ ksk=true created=1488034625 publish=20170223205611 retire=+10mo remove=+1y
+
+3. Import a DNSSEC key from BIND::
+
+ $ keymgr example.com. import-bind ~/bind/Kharbinge4d5.+007+63089.key
+
+4. Configure key timing::
+
+ $ keymgr example.com. set 4208 active=+2mi retire=+4mi remove=+5mi
+
+5. Share a KSK from another zone::
+
+ $ keymgr example.com. share e687cf927029e9db7184d2ece6d663f5d1e5b0e9 another-zone.com.
+
+See Also
+--------
+
+:rfc:`6781` - DNSSEC Operational Practices.
+:rfc:`7583` - DNSSEC Key Rollover Timing Considerations.
+
+:manpage:`knot.conf(5)`,
+:manpage:`knotc(8)`,
+:manpage:`knotd(8)`.
diff --git a/doc/man_khost.rst b/doc/man_khost.rst
new file mode 100644
index 0000000..76fa9c8
--- /dev/null
+++ b/doc/man_khost.rst
@@ -0,0 +1,108 @@
+.. highlight:: console
+
+``khost`` – Simple DNS lookup utility
+=====================================
+
+Synopsis
+--------
+
+:program:`khost` [*options*] *name* [*server*]
+
+Description
+-----------
+
+This utility sends a DNS query for the *name* to the *server* and prints a reply
+in more user-readable form. For more advanced DNS queries use :doc:`kdig<man_kdig>`
+instead.
+
+Parameters
+..........
+
+*name*
+ Is a domain name that is to be looked up. If the *name* is IPv4 or IPv6
+ address the PTR query type is used.
+
+*server*
+ Is a name or an address of the nameserver to send a query to. The address
+ can be specified using [address]:port notation. If no server is specified,
+ the servers from :file:`/etc/resolv.conf` are used.
+
+If no arguments are provided, :program:`khost` prints a short help.
+
+Options
+.......
+
+**-4**
+ Use the IPv4 protocol only.
+
+**-6**
+ Use the IPv6 protocol only.
+
+**-a**
+ Send ANY query with verbose mode.
+
+**-d**
+ Enable debug messages.
+
+**-h**, **--help**
+ Print the program help.
+
+**-r**
+ Disable recursion.
+
+**-T**
+ Use the TCP protocol.
+
+**-v**
+ Enable verbose output.
+
+**-V**, **--version**
+ Print the program version.
+
+**-w**
+ Wait forever for the reply.
+
+**-c** *class*
+ Set the query class (e.g. CH, CLASS4). The default class is IN.
+
+**-t** *type*
+ Set the query type (e.g. NS, IXFR=12345, TYPE65535). The default is to send 3
+ queries (A, AAAA and MX).
+
+**-R** *retries*
+ The number (>=0) of UDP retries to query a nameserver. The default is 1.
+
+**-W** *wait*
+ The time to wait for a reply in seconds. This timeout applies to each query
+ try. The default is 2 seconds.
+
+Exit values
+-----------
+
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+
+Examples
+--------
+
+1. Get the A, AAAA and MX records for example.com::
+
+ $ khost example.com
+
+2. Get the reverse record for address 192.0.2.1::
+
+ $ khost 192.0.2.1
+
+3. Perform a verbose zone transfer for zone example.com::
+
+ $ khost -t AXFR -v example.com
+
+Files
+-----
+
+:file:`/etc/resolv.conf`
+
+See Also
+--------
+
+:manpage:`kdig(1)`, :manpage:`knsupdate(1)`.
diff --git a/doc/man_kjournalprint.rst b/doc/man_kjournalprint.rst
new file mode 100644
index 0000000..0753ae3
--- /dev/null
+++ b/doc/man_kjournalprint.rst
@@ -0,0 +1,88 @@
+.. highlight:: console
+
+``kjournalprint`` – Knot DNS journal print utility
+==================================================
+
+Synopsis
+--------
+
+:program:`kjournalprint` [*config_option* *config_argument*] [*option*...] *zone_name*
+
+:program:`kjournalprint` [*config_option* *config_argument*] **-z**
+
+Description
+-----------
+
+The program prints zone history stored in a journal database. As default,
+changes are colored for terminal.
+
+Config options
+..............
+
+**-c**, **--config** *file*
+ Use a textual configuration file (default is :file:`@config_dir@/knot.conf`).
+
+**-C**, **--confdb** *directory*
+ Use a binary configuration database directory (default is :file:`@storage_dir@/confdb`).
+ The default configuration database, if exists, has a preference to the default
+ configuration file.
+
+**-D**, **--dir** *path*
+ Use specified journal database path and default configuration.
+
+Options
+.......
+
+**-z**, **--zone-list**
+ Instead of reading the journal, display the list of zones in the DB.
+
+**-l**, **--limit** *limit*
+ Limits the number of displayed changes.
+
+**-s**, **--serial** *soa*
+ Start at a specific SOA serial.
+
+**-H**, **--check**
+ Enable additional journal semantic checks during printing.
+
+**-d**, **--debug**
+ Debug mode brief output.
+
+**-x**, **--mono**
+ Don't generate colorized output.
+
+**-n**, **--no-color**
+ An alias for **-x**. Use of this option is deprecated, it will be removed in the future.
+
+**-X**, **--color**
+ Force colorized output.
+
+**-h**, **--help**
+ Print the program help.
+
+**-V**, **--version**
+ Print the program version.
+
+Parameters
+..........
+
+*zone_name*
+ A name of the zone to print the history for.
+
+Exit values
+-----------
+
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+
+Examples
+--------
+
+Last (most recent) 5 changes without colors::
+
+ $ kjournalprint -nl 5 /var/lib/knot/journal example.com.
+
+See Also
+--------
+
+:manpage:`knotd(8)`, :manpage:`knot.conf(5)`.
diff --git a/doc/man_knotc.rst b/doc/man_knotc.rst
new file mode 100644
index 0000000..2b7d95e
--- /dev/null
+++ b/doc/man_knotc.rst
@@ -0,0 +1,377 @@
+.. highlight:: console
+
+``knotc`` – Knot DNS control utility
+====================================
+
+Synopsis
+--------
+
+:program:`knotc` [*parameters*] *action* [*action_args*]
+
+Description
+-----------
+
+This program controls a running `knotd` process using a socket.
+
+If an *action* is specified, it is performed and `knotc` exits, otherwise the program
+is executed in the interactive mode.
+
+Options
+.......
+
+**-c**, **--config** *file*
+ Use a textual configuration file (default is :file:`@config_dir@/knot.conf`).
+
+**-C**, **--confdb** *directory*
+ Use a binary configuration database directory (default is :file:`@storage_dir@/confdb`).
+ The default configuration database, if exists, has a preference to the default
+ configuration file.
+
+**-m**, **--max-conf-size** *MiB*
+ Set maximum size of the configuration database
+ (default is @conf_mapsize@ MiB, maximum 10000 MiB).
+
+**-s**, **--socket** *path*
+ Use a control UNIX socket path (default is :file:`@run_dir@/knot.sock`).
+
+**-t**, **--timeout** *seconds*
+ Use a control timeout in seconds. Set to 0 for infinity (default is 60).
+ The control socket operations are also subject to the :ref:`timeout<control_timeout>`
+ parameter set on the server side in server's Control configuration section.
+
+**-b**, **--blocking**
+ Zone event trigger commands wait until the event is finished. Control timeout
+ is set to infinity if not forced by explicit timeout specification.
+
+**-e**, **--extended**
+ Show extended output (even empty items in zone status).
+
+**-f**, **--force**
+ Forced operation. Overrides some checks.
+
+**-x**, **--mono**
+ Don't generate colorized output.
+
+**-X**, **--color**
+ Force colorized output in extended output or to a pipe.
+
+**-v**, **--verbose**
+ Enable debug output.
+
+**-h**, **--help**
+ Print the program help.
+
+**-V**, **--version**
+ Print the program version.
+
+Actions
+.......
+
+**status** [*detail*]
+ Check if the server is running. Details are **version** for the running
+ server version, **workers** for the numbers of worker threads,
+ or **configure** for the configure summary.
+
+**stop**
+ Stop the server if running.
+
+**reload**
+ Reload the server configuration and modified zone files. All open zone
+ transactions will be aborted!
+
+**stats** [*module*\ [\ **.**\ *counter*\ ]]
+ Show global statistics counter(s). To print also counters with value 0, use
+ force option.
+
+**zone-check** [*zone*...]
+ Test if the server can load the zone. Semantic checks are executed if enabled
+ in the configuration. If invoked with the force option, an error is returned
+ when semantic check warning appears. (*)
+
+**zone-status** [*zone*...] [*filter*]
+ Show the zone status. Filters are **+role**, **+serial**, **+transaction**,
+ **+events**, **+freeze**, and **+catalog**. Empty zone parameters are omitted,
+ unless the **--extended** option is used. A single dash in the output represents
+ an unset value. Automatic colorization can be overruled using the **--mono** and
+ **--color** options.
+
+ The color code is:
+ *green* - zone acts as a master / *red* - zone acts as a slave,
+ *bold font (highlited)* - zone is active / *normal* - zone is empty,
+ *underscored* - zone is an interpreted catalog member.
+
+**zone-reload** [*zone*...]
+ Trigger a zone reload from a disk without checking its modification time. For
+ secondary zone, the refresh event from primary server(s) is scheduled;
+ for primary zone, the notify event to secondary server(s) is scheduled. An open
+ zone transaction will be aborted! If invoked with the force option, also zone
+ modules will be re-loaded, but blocking mode might not work reliably. (#)
+
+**zone-refresh** [*zone*...]
+ Trigger a check for the zone serial on the zone's primary server. If
+ the primary server has a newer zone, a transfer is scheduled. This command is
+ valid for secondary zones. (#)
+
+**zone-retransfer** [*zone*...]
+ Trigger a zone transfer from the zone's primary server. The server
+ doesn't check the serial of the primary server's zone. This command is valid
+ for secondary zones. (#)
+
+**zone-notify** [*zone*...]
+ Trigger a NOTIFY message to all configured remotes. This can help in cases
+ when previous NOTIFY had been lost or the secondary servers have been
+ offline. (#)
+
+**zone-flush** [*zone*...] [**+outdir** *directory*]
+ Trigger a zone journal flush to the configured zone file. If an output
+ directory is specified, the current zone is immediately dumped (in the
+ blocking mode) to a zone file in the specified directory. See
+ :ref:`Notes<notes>` below about the directory permissions. (#)
+
+**zone-backup** [*zone*...] **+backupdir** *directory* [*filter*...]
+ Trigger a zone data and metadata backup to a specified directory.
+ Available filters are **+zonefile**, **+journal**, **+timers**, **+kaspdb**,
+ **+catalog**, and their negative counterparts **+nozonefile**, **+nojournal**,
+ **+notimers**, **+nokaspdb**, and **+nocatalog**. With these filters set,
+ zone contents, zone's journal, zone related timers, zone related data in the
+ KASP database together with keys, and zone's catalog, respectively, are backed up,
+ or omitted from the backup. By default, filters **+zonefile**, **+timers**,
+ **+kaspdb**, **+catalog**, and **+nojournal** are set. Setting a filter
+ for an item doesn't change default settings for other items. If zone flushing
+ is disabled, original zone file is backed up instead of writing out zone
+ contents to a file. See :ref:`Notes<notes>` below about the directory
+ permissions. (#)
+
+**zone-restore** [*zone*...] **+backupdir** *directory* [*filter*...]
+ Trigger a zone data and metadata restore from a specified backup directory.
+ Optional filters are equivalent to the same filters of **zone-backup**.
+ Restore from backups created by Knot DNS releases prior to 3.1 is possible
+ with the force option. See :ref:`Notes<notes>` below about the directory
+ permissions. (#)
+
+**zone-sign** [*zone*...]
+ Trigger a DNSSEC re-sign of the zone. Existing signatures will be dropped.
+ This command is valid for zones with DNSSEC signing enabled. (#)
+
+**zone-keys-load** [*zone*...]
+ Trigger a load of DNSSEC keys and other signing material from KASP database
+ (which might have been altered manually). If suitable, re-sign the zone
+ afterwards (keeping valid signatures intact). (#)
+
+**zone-key-rollover** *zone* *key_type*
+ Trigger immediate key rollover. Publish new key and start a key rollover,
+ even when the key has a lifetime to go. Key type can be **ksk** (also for CSK)
+ or **zsk**. This command is valid for zones with DNSSEC signing and automatic
+ key management enabled. Note that complete key rollover consists of several steps
+ and the blocking mode relates to the initial one only! (#)
+
+**zone-ksk-submitted** *zone*...
+ Use when the zone's KSK rollover is in submission phase. By calling this command
+ the user confirms manually that the parent zone contains DS record for the new
+ KSK in submission phase and the old KSK can be retired. (#)
+
+**zone-freeze** [*zone*...]
+ Trigger a zone freeze. All running events will be finished and all new and pending
+ (planned) zone-changing events (load, refresh, update, flush, and DNSSEC signing)
+ will be held up until the zone is thawed. (#)
+
+**zone-thaw** [*zone*...]
+ Trigger dismissal of zone freeze. (#)
+
+**zone-xfr-freeze** [*zone*...]
+ Temporarily disable outgoing AXFR/IXFR for the zone(s). (#)
+
+**zone-xfr-thaw** [*zone*...]
+ Dismiss outgoing XFR freeze. (#)
+
+**zone-read** *zone* [*owner* [*type*]]
+ Get zone data that are currently being presented.
+
+**zone-begin** *zone*...
+ Begin a zone transaction.
+
+**zone-commit** *zone*...
+ Commit the zone transaction. All changes are applied to the zone.
+
+**zone-abort** *zone*...
+ Abort the zone transaction. All changes are discarded.
+
+**zone-diff** *zone*
+ Get zone changes within the transaction.
+
+**zone-get** *zone* [*owner* [*type*]]
+ Get zone data within the transaction.
+
+**zone-set** *zone* *owner* [*ttl*] *type* *rdata*
+ Add zone record within the transaction. The first record in a rrset
+ requires a ttl value specified.
+
+**zone-unset** *zone* *owner* [*type* [*rdata*]]
+ Remove zone data within the transaction.
+
+**zone-purge** *zone*... [**+orphan**] [*filter*...]
+ Purge zone data, zone file, journal, timers, and/or KASP data of specified zones.
+ Available filters are **+expire**, **+zonefile**, **+journal**, **+timers**,
+ **+kaspdb**, and **+catalog**. If no filter is specified, all filters are enabled.
+ If the zone is no longer configured, add **+orphan** parameter (zone file cannot
+ be purged in this case). When purging orphans, always check the server log for
+ possible errors. This command always requires the force option. (#)
+
+**zone-stats** *zone* [*module*\ [\ **.**\ *counter*\ ]]
+ Show zone statistics counter(s). To print also counters with value 0, use
+ force option.
+
+**conf-init**
+ Initialize the configuration database. If the database doesn't exist yet,
+ execute this command as an intended user to ensure the server is permitted
+ to access the database (e.g. *sudo -u knot knotc conf-init*). (*)
+
+**conf-check**
+ Check the server configuration. (*)
+
+**conf-import** *filename*
+ Import a configuration file into the configuration database. If the database
+ doesn't exist yet, execute this command as an intended user to ensure the server
+ is permitted to access the database (e.g. *sudo -u knot knotc conf-import ...*).
+ Also ensure the server is not using the configuration database at the same time! (*)
+
+**conf-export** [*filename*]
+ Export the configuration database into a config file or stdout. (*)
+
+**conf-list** [*item*]
+ List the configuration database sections or section items.
+
+**conf-read** [*item*]
+ Read the item from the active configuration database.
+
+**conf-begin**
+ Begin a writing configuration database transaction. Only one transaction
+ can be opened at a time.
+
+**conf-commit**
+ Commit the configuration database transaction.
+
+**conf-abort**
+ Rollback the configuration database transaction.
+
+**conf-diff** [*item*]
+ Get the item difference in the transaction.
+
+**conf-get** [*item*]
+ Get the item data from the transaction.
+
+**conf-set** *item* [*data*...]
+ Set the item data in the transaction.
+
+**conf-unset** [*item*] [*data*...]
+ Unset the item data in the transaction.
+
+.. _notes:
+
+Notes
+.....
+
+Empty or **--** *zone* parameter means all zones or all zones with a transaction.
+
+Use **@** *owner* to denote the zone name.
+
+Type *item* parameter in the form of *section*\ [**[**\ *id*\ **]**\ ][**.**\ *name*].
+
+(*) indicates a local operation which requires a configuration.
+
+(\#) indicates an optionally blocking operation.
+
+The **-b** and **-f** options can be placed right after the command name.
+
+Responses returned by `knotc` commands depend on the mode:
+
+- In the blocking mode, `knotc` reports if an error occurred during processing
+ of the command by the server. If an error is reported, a more detailed information
+ about the failure can usually be found in the server log.
+
+- In the non-blocking (default) mode, `knotc` doesn't report processing errors.
+ The `OK` response to triggering commands means that the command has been successfully
+ sent to the server. To verify if the operation succeeded, it's necessary to
+ check the server log.
+
+Actions **zone-flush**, **zone-backup**, and **zone-restore** are carried out by
+the `knotd` process. The directory specified must be accessible to the user account
+that `knotd` runs under and if the directory already exists, its permissions must be
+appropriate for that user account.
+
+Interactive mode
+................
+
+The utility provides interactive mode with basic line editing functionality,
+command completion, and command history.
+
+Interactive mode behavior can be customized in `~/.editrc`. Refer to
+:manpage:`editrc(5)` for details.
+
+Command history is saved in `~/.knotc_history`.
+
+Exit values
+-----------
+
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+
+Examples
+--------
+
+Reload the whole server configuration
+.....................................
+
+::
+
+ $ knotc reload
+
+Flush the example.com and example.org zones
+...........................................
+
+::
+
+ $ knotc zone-flush example.com example.org
+
+Get the current server configuration
+....................................
+
+::
+
+ $ knotc conf-read server
+
+Get the list of the current zones
+.................................
+
+::
+
+ $ knotc conf-read zone.domain
+
+Get the primary servers for the example.com zone
+................................................
+
+::
+
+ $ knotc conf-read 'zone[example.com].master'
+
+Add example.org zone with a zonefile location
+.............................................
+
+::
+
+ $ knotc conf-begin
+ $ knotc conf-set 'zone[example.org]'
+ $ knotc conf-set 'zone[example.org].file' '/var/zones/example.org.zone'
+ $ knotc conf-commit
+
+Get the SOA record for each configured zone
+...........................................
+
+::
+
+ $ knotc zone-read -- @ SOA
+
+See Also
+--------
+
+:manpage:`knotd(8)`, :manpage:`knot.conf(5)`, :manpage:`editrc(5)`.
diff --git a/doc/man_knotd.rst b/doc/man_knotd.rst
new file mode 100644
index 0000000..0dd5a66
--- /dev/null
+++ b/doc/man_knotd.rst
@@ -0,0 +1,66 @@
+.. highlight:: console
+
+``knotd`` – Knot DNS server daemon
+==================================
+
+Synopsis
+--------
+
+:program:`knotd` [*parameters*]
+
+Description
+-----------
+
+Knot DNS is a high-performance authoritative DNS server. The `knotd` program is
+the DNS server daemon.
+
+Options
+.......
+
+**-c**, **--config** *file*
+ Use a textual configuration file (default is :file:`@config_dir@/knot.conf`).
+
+**-C**, **--confdb** *directory*
+ Use a binary configuration database directory (default is :file:`@storage_dir@/confdb`).
+ The default configuration database, if exists, has a preference to the default
+ configuration file.
+
+**-m**, **--max-conf-size** *MiB*
+ Set maximum size of the configuration database
+ (default is @conf_mapsize@ MiB, maximum 10000 MiB).
+
+**-s**, **--socket** *path*
+ Use a remote control UNIX socket path (default is :file:`@run_dir@/knot.sock`).
+
+**-d**, **--daemonize** [*directory*]
+ Run the server as a daemon. New root directory may be specified
+ (default is :file:`/`).
+
+**-v**, **--verbose**
+ Enable debug output.
+
+**-h**, **--help**
+ Print the program help.
+
+**-V**, **--version**
+ Print the program version.
+
+Signals
+.......
+
+If the `knotd` process receives a SIGHUP signal, it reloads its configuration and
+reopens the log files, if they are configured. When `knotd` receives a SIGUSR1
+signal, it reloads all configured zones. Upon receiving a SIGINT signal, `knotd`
+exits.
+
+Exit values
+-----------
+
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+
+See Also
+--------
+
+:manpage:`knot.conf(5)`, :manpage:`knotc(8)`, :manpage:`keymgr(8)`,
+:manpage:`kjournalprint(8)`.
diff --git a/doc/man_knsec3hash.rst b/doc/man_knsec3hash.rst
new file mode 100644
index 0000000..7684e90
--- /dev/null
+++ b/doc/man_knsec3hash.rst
@@ -0,0 +1,57 @@
+.. highlight:: console
+
+``knsec3hash`` – NSEC hash computation utility
+==============================================
+
+Synopsis
+--------
+
+:program:`knsec3hash` *salt* *algorithm* *iterations* *name*
+
+:program:`knsec3hash` *algorithm* *flags* *iterations* *salt* *name*
+
+Description
+-----------
+
+This utility generates a NSEC3 hash for a given domain name and parameters of NSEC3 hash.
+
+Parameters
+..........
+
+*salt*
+ Specifies a binary salt encoded as a hexadecimal string.
+
+*algorithm*
+ Specifies a hashing algorithm by number. Currently, the only supported algorithm is SHA-1 (number 1).
+
+*iterations*
+ Specifies the number of additional iterations of the hashing algorithm.
+
+*name*
+ Specifies the domain name to be hashed.
+
+Exit values
+-----------
+
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+
+Examples
+--------
+
+::
+
+ $ knsec3hash 1 0 10 c01dcafe knot-dns.cz
+ 7PTVGE7QV67EM61ROS9238P5RAKR2DM7 (salt=c01dcafe, hash=1, iterations=10)
+
+::
+
+ $ knsec3hash - 1 0 net
+ A1RT98BS5QGC9NFI51S9HCI47ULJG6JH (salt=-, hash=1, iterations=0)
+
+See Also
+--------
+
+:rfc:`5155` – DNS Security (DNSSEC) Hashed Authenticated Denial of Existence.
+
+:manpage:`knotc(8)`, :manpage:`knotd(8)`.
diff --git a/doc/man_knsupdate.rst b/doc/man_knsupdate.rst
new file mode 100644
index 0000000..552a00c
--- /dev/null
+++ b/doc/man_knsupdate.rst
@@ -0,0 +1,181 @@
+.. highlight:: console
+
+``knsupdate`` – Dynamic DNS update utility
+==========================================
+
+Synopsis
+--------
+
+:program:`knsupdate` [*options*] [*filename*]
+
+Description
+-----------
+
+This utility sends Dynamic DNS update messages to a DNS server. Update content
+is read from a file (if the parameter *filename* is given) or from the standard
+input.
+
+The format of updates is textual and is made up of commands. Every command is
+placed on the separate line of the input. Lines starting with a semicolon are
+comments and are not processed.
+
+Options
+.......
+
+**-d**
+ Enable debug messages.
+
+**-h**, **--help**
+ Print the program help.
+
+**-k** *keyfile*
+ Use the TSIG key stored in a file *keyfile* to authenticate the request. The
+ file should contain the key in the same format, which is accepted by the
+ **-y** option.
+
+**-p** *port*
+ Set the port to use for connections to the server (if not explicitly specified
+ in the update). The default is 53.
+
+**-r** *retries*
+ The number of retries for UDP requests. The default is 3.
+
+**-t** *timeout*
+ The total timeout (for all UDP update tries) of the update request in seconds.
+ The default is 12. If set to zero, the timeout is infinite.
+
+**-v**
+ Use a TCP connection.
+
+**-V**, **--version**
+ Print the program version.
+
+**-y** [*alg*:]\ *name*:*key*
+ Use the TSIG key with a name *name* to authenticate the request. The *alg*
+ part specifies the algorithm (the default is hmac-sha256) and *key* specifies
+ the shared secret encoded in Base64.
+
+Commands
+........
+
+**server** *name* [*port*]
+ Specifies a receiving server of the dynamic update message. The *name* parameter
+ can be either a host name or an IP address. If the *port* is not specified,
+ the default port is used. The default port value can be controlled using
+ the **-p** program option.
+
+**local** *address* [*port*]
+ Specifies outgoing *address* and *port*. If no local is specified, the
+ address and port are set by the system automatically. The default port number
+ is 0.
+
+**zone** *name*
+ Specifies that all updates are done within a zone *name*. The zone name doesn't
+ have a default and must be set explicitly.
+
+**origin** *name*
+ Specifies fully qualified domain name suffix which is appended to non-fqd
+ owners in update commands. The default is the terminal label (**.**).
+
+**class** *name*
+ Sets *name* as the default class for all updates. If not used, the default
+ class is IN.
+
+**ttl** *value*
+ Sets *value* as the default TTL (in seconds). If not used, the default value
+ is 3600.
+
+**key** [*alg*:]\ *name* *key*
+ Specifies the TSIG *key* named *name* to authenticate the request. An optional
+ *alg* algorithm can be specified. This command has the same effect as
+ the program option **-y**.
+
+[**prereq**] **nxdomain** *name*
+ Adds a prerequisite for a non-existing record owned by *name*.
+
+[**prereq**] **yxdomain** *name*
+ Adds a prerequisite for an existing record owned by *name*.
+
+[**prereq**] **nxrrset** *name* [*class*] *type*
+ Adds a prerequisite for a non-existing record of the *type* owned by *name*.
+ Internet *class* is expected.
+
+[**prereq**] **yxrrset** *name* [*class*] *type* [*data*]
+ Adds a prerequisite for an existing record of the *type* owned by *name*
+ with optional *data*. Internet *class* is expected.
+
+[**update**] **add** *name* [*ttl*] [*class*] *type* *data*
+ Adds a request to add a new resource record into the zone.
+ Please note that if the *name* is not fully qualified domain name, the
+ current origin name is appended to it.
+
+[**update**] **del**\[**ete**] *name* [*ttl*] [*class*] [*type*] [*data*]
+ Adds a request to remove all (or matching *class*, *type* or *data*)
+ resource records from the zone. There is the same requirement for the *name*
+ parameter as in **update add** command. The *ttl* item is ignored.
+
+**show**
+ Displays current content of the update message.
+
+**send**
+ Sends the current update message and cleans the list of updates.
+
+**answer**
+ Displays the last answer from the server.
+
+**debug**
+ Enable debugging. This command has the same meaning as the **-d** program option.
+
+**exit**
+ End the program.
+
+Notes
+-----
+
+Options **-k** and **-y** can not be used simultaneously.
+
+Dnssec-keygen keyfile format is not supported. Use :manpage:`keymgr(8)` instead.
+
+Zone name/server guessing is not supported if the zone name/server is not specified.
+
+Empty line doesn't send the update.
+
+Interactive mode
+................
+
+The utility provides interactive mode with basic line editing functionality,
+command completion, and command history.
+
+Interactive mode behavior can be customized in `~/.editrc`. Refer to
+:manpage:`editrc(5)` for details.
+
+Command history is saved in `~/.knsupdate_history`.
+
+Exit values
+-----------
+
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+
+Examples
+--------
+
+1. Send one update of the zone example.com to the server 192.168.1.1. The update
+ contains two new records::
+
+ $ knsupdate
+ knsupdate> server 192.168.1.1
+ knsupdate> zone example.com.
+ knsupdate> origin example.com.
+ knsupdate> ttl 3600
+ knsupdate> add test1.example.com. 7200 A 192.168.2.2
+ knsupdate> add test2 TXT "hello"
+ knsupdate> show
+ knsupdate> send
+ knsupdate> answer
+ knsupdate> exit
+
+See Also
+--------
+
+:manpage:`kdig(1)`, :manpage:`khost(1)`, :manpage:`keymgr(8)`, :manpage:`editrc(5)`.
diff --git a/doc/man_kxdpgun.rst b/doc/man_kxdpgun.rst
new file mode 100644
index 0000000..bb6c917
--- /dev/null
+++ b/doc/man_kxdpgun.rst
@@ -0,0 +1,183 @@
+.. highlight:: console
+
+``kxdpgun`` – DNS benchmarking tool
+===================================
+
+Synopsis
+--------
+
+:program:`kxdpgun` [*options*] **-i** *filename* *targetIP*
+
+Description
+-----------
+
+Powerful generator of DNS traffic, sending and receiving packets through XDP.
+
+Queries are generated according to a textual file which is read sequentially
+in a loop until a configured duration elapses. The order of queries is not
+guaranteed. Responses are received (unless disabled) and counted, but not
+checked against queries.
+
+The number of parallel threads is autodetected according to the number of queues
+configured for the network interface.
+
+Options
+.......
+
+**-t**, **--duration** *seconds*
+ Duration of traffic generation, specified as a decimal number in seconds
+ (default is 5.0).
+
+**-T**, **--tcp**\[\ **=**\ *debug_mode*\]
+ Send queries over TCP. See the list of optional debug modes below.
+
+**-U**, **--quic**\[\ **=**\ *debug_mode*\]
+ Send queries over QUIC. See the list of optional debug modes below.
+
+**-Q**, **--qps** *queries*
+ Number of queries-per-second (approximately) to be sent (default is 1000).
+ The program is not optimized for low speeds at which it may lose
+ communication packets. The recommended minimum speed is 2 packets per thread
+ (Rx/Tx queue).
+
+**-b**, **--batch** *size*
+ Send more queries in a batch. Improves QPS but may affect the counterpart's
+ packet loss (default is 10 for UDP and 1 for TCP/QUIC).
+
+**-r**, **--drop**
+ Drop incoming responses. Improves QPS, but disables response statistics.
+
+**-p**, **--port** *number*
+ Remote destination port (default is 53 for UDP/TCP, 853 for QUIC).
+
+**-F**, **--affinity** *cpu_spec*
+ CPU affinity for all threads specified in the format [<cpu_start>][s<cpu_step>],
+ where <cpu_start> is the CPU ID for the first thread and <cpu_step> is the
+ CPU ID increment for next thread (default is 0s1).
+
+**-i**, **--infile** *filename*
+ Path to a file with query templates.
+
+**-I**, **--interface** *interface*
+ Network interface for outgoing communication. This can be useful in situations
+ when the interfaces are in a bond for example.
+
+**-l**, **--local** *localIP*\ [**/**\ *prefix*]
+ Override the auto-detected source IP address. If an address range is specified
+ instead, various IPs from the range will be used for different queries uniformly
+ (address range not supported in the QUIC mode).
+
+*targetIP*
+ The IPv4 or IPv6 address of remote destination.
+
+**-L**, **--mac-local**
+ Override auto-detected local MAC address.
+
+**-R**, **--mac-remote**
+ Override auto-detected remote MAC address.
+
+**-v**, **--vlan** *id*
+ Add VLAN 802.1Q header with the given id. VLAN offloading should be disabled.
+
+**-h**, **--help**
+ Print the program help.
+
+**-V**, **--version**
+ Print the program version.
+
+Queries file format
+...................
+
+Each line describes a query in the form:
+
+*query_name* *query_type* [*flags*]
+
+Where *query_name* is a domain name to be queried, *query_type* is a record type
+name, and *flags* is a single character:
+
+**E** Send query with EDNS.
+
+**D** Request DNSSEC (EDNS + DO flag).
+
+TCP/QUIC debug modes
+....................
+
+**0**
+ Perform full handshake for all connections (QUIC only).
+
+**1**
+ Just send SYN (Initial) and receive SYN-ACK (Handshake).
+
+**2**
+ Perform TCP/QUIC handshake and don't send anything, allow close initiated by counterpart.
+
+**3**
+ Perform TCP/QUIC handshake and don't react further.
+
+**5**
+ Send incomplete query (N-1 bytes) and don't react further.
+
+**7**
+ Send query and don't ACK the response or anything further.
+
+**8**
+ Don't close the connection and ignore close by counterpart (TCP only).
+
+**9**
+ Operate normally except for not ACKing the final FIN+ACK (TCP only).
+
+Signals
+.......
+
+Sending USR1 signal to a running process triggers current statistics dump
+to the standard output.
+
+Notes
+-----
+
+Linux kernel 4.18+ is required.
+
+The utility has to be executed under root or with these capabilities:
+CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_ADMIN, CAP_IPC_LOCK, and CAP_SYS_RESOURCE
+(Linux < 5.11).
+
+The utility allocates source UDP/TCP ports from the range 2000-65535.
+
+Exit values
+-----------
+
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+
+Examples
+--------
+
+Manually created queries file::
+
+ abc6.example.com. AAAA
+ nxdomain.example.com. A
+ notzone. A
+ a.example.com. NS E
+ ab.example.com. A D
+ abcd.example.com. DS D
+
+Queries file generated from a zone file (Knot DNS format)::
+
+ cat ZONE_FILE | awk "{print \$1,\$3}" | grep -E "(NS|DS|A|AAAA|PTR|MX|SOA)$" | sort -u -R > queries.txt
+
+Basic usage::
+
+ # kxdpgun -i ~/queries.txt 2001:DB8::1
+
+*Using UDP with increased batch size*::
+
+ # kxdpgun -t 20 -Q 1000000 -i ~/queries.txt -b 20 -p 8853 192.0.2.1
+
+*Using TCP*::
+
+ # kxdpgun -t 20 -Q 100000 -i ~/queries.txt -T -p 8853 192.0.2.1
+
+See Also
+--------
+
+:manpage:`kdig(1)`.
diff --git a/doc/man_kzonecheck.rst b/doc/man_kzonecheck.rst
new file mode 100644
index 0000000..b81bcd5
--- /dev/null
+++ b/doc/man_kzonecheck.rst
@@ -0,0 +1,62 @@
+.. highlight:: console
+
+``kzonecheck`` – Knot DNS zone file checking tool
+=================================================
+
+Synopsis
+--------
+
+:program:`kzonecheck` [*options*] *filename*
+
+Description
+-----------
+
+The utility checks zone file syntax and runs semantic checks on the zone
+content. The executed checks are the same as the checks run by the Knot
+DNS server.
+
+Please, refer to the ``semantic-checks`` configuration option in
+:manpage:`knot.conf(5)` for the full list of available semantic checks.
+
+Parameters
+..........
+
+*filename*
+ Path to the zone file to be checked. For reading from **stdin** use **/dev/stdin**
+ or just **-**.
+
+Options
+.......
+
+**-o**, **--origin** *origin*
+ Zone origin. If not specified, the origin is determined from the file name
+ (possibly removing the ``.zone`` suffix).
+
+**-d**, **--dnssec** **on**\|\ **off**
+ Also check DNSSEC-related records. The default is to decide based on the
+ existence of a RRSIG for SOA.
+
+**-t**, **--time** *time*
+ Current time specification. Use UNIX timestamp, YYYYMMDDHHmmSS
+ format, or [+/-]\ *time*\ [unit] format, where unit can be **Y**, **M**,
+ **D**, **h**, **m**, or **s**. Default is current UNIX timestamp.
+
+**-v**, **--verbose**
+ Enable debug output.
+
+**-h**, **--help**
+ Print the program help.
+
+**-V**, **--version**
+ Print the program version.
+
+Exit values
+-----------
+
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+
+See Also
+--------
+
+:manpage:`knotd(8)`, :manpage:`knot.conf(5)`.
diff --git a/doc/man_kzonesign.rst b/doc/man_kzonesign.rst
new file mode 100644
index 0000000..c9143f0
--- /dev/null
+++ b/doc/man_kzonesign.rst
@@ -0,0 +1,69 @@
+.. highlight:: console
+
+``kzonesign`` – DNSSEC signing utility
+======================================
+
+Synopsis
+--------
+
+:program:`kzonesign` [*config_option* *config_argument*] [*options*] *zone_name*
+
+Description
+-----------
+
+This utility reads the zone's zone file, signs the zone according to given
+configuration, and writes the signed zone file back. An alternative mode
+is DNSSEC validation of the given zone. The signing or validation
+can run in parallel if enabled in the configuration (see policy.signing-threads
+and zone.adjust-threads).
+
+Config options
+..............
+
+**-c**, **--config** *file*
+ Use a textual configuration file (default is :file:`@config_dir@/knot.conf`).
+
+**-C**, **--confdb** *directory*
+ Use a binary configuration database directory (default is :file:`@storage_dir@/confdb`).
+ The default configuration database, if exists, has a preference to the default
+ configuration file.
+
+Options
+.......
+
+**-o**, **--outdir** *dir_name*
+ Write the output zone file to the specified directory instead of the configured one.
+
+**-r**, **--rollover**
+ Allow key roll-overs and NSEC3 re-salt. In order to finish possible KSK submission,
+ set the KSK's **active** timestamp to now (**+0**) using :doc:`keymgr<man_keymgr>`.
+
+**-v**, **--verify**
+ Instead of (re-)signing the zone, just verify that the zone is correctly signed.
+
+**-t**, **--time** *timestamp*
+ Sign/verify the zone (and roll the keys if necessary) as if it was at the time
+ specified by timestamp.
+
+**-h**, **--help**
+ Print the program help.
+
+**-V**, **--version**
+ Print the program version.
+
+Parameters
+..........
+
+*zone_name*
+ A name of the zone to be signed.
+
+Exit values
+-----------
+
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+
+See Also
+--------
+
+:manpage:`knot.conf(5)`, :manpage:`keymgr(8)`.