ldns-signzone: Amend manpage for engine options.

diff --git a/examples/ldns-signzone.1 b/examples/ldns-signzone.1
index c33e15210f35860273de8f25545d1e2cc7f78501..9759a482e3a08b2c8fa663e1474e51502d02940f 100644 (file)
--- a/examples/ldns-signzone.1
+++ b/examples/ldns-signzone.1
@@ -1,4 +1,4 @@
-.TH ldns-signzone 1 "30 May 2005"
+.TH ldns-signzone 1 "13 March 2018"
 .SH NAME
 ldns-signzone \- sign a zonefile with DNSSEC data
 .SH SYNOPSIS
@@ -83,18 +83,18 @@ Use the EVP cryptographic engine with the given name for signing. This
 can have some extra options; see ENGINE OPTIONS for more information.
 
 .TP
-\fB-k\fR \fIid,int\fR
-Use the key with the given id as the signing key for algorithm int as
-a Zone signing key. This option is used when you use an OpenSSL
-engine, see ENGINE OPTIONS for more information.
-
-.TP
-\fB-K\fR \fIid,int\fR
+\fB-K\fR \fIalgorithm-id,key-id\fR
 
-Use the key with the given id as the signing key for algorithm int as
-a Key signing key. This options is used when you use an OpenSSL engine,
+Use the key `key-id' as the signing key for algorithm `algorithm-id' as
+a Key Signing Key (KSK). This option is used when you use an OpenSSL engine,
 see ENGINE OPTIONS for more information.
 
+.TP
+\fB-k\fR \fIalgorithm-id,key-id\fR
+Use the key `key-id' as the signing key for algorithm `algorithm-id' as
+a Zone Signing Key (ZSK). This option is used when you use an OpenSSL
+engine, see ENGINE OPTIONS for more information.
+
 .TP
 \fB-n\fR
 Use NSEC3 instead of NSEC.
@@ -121,11 +121,15 @@ Number of hash iterations
 .SH ENGINE OPTIONS
 You can modify the possible engines, if supported, by setting an
 OpenSSL configuration file. This is done through the environment
-variable OPENSSL_CONF. If you use \-E with a non-existent engine name,
-ldns-signzone will print a list of engines supported by your
-configuration.
+variable OPENSSL_CONF.
 
-The key options (\-k and \-K) work as follows; you specify a key id, and a DNSSEC algorithm number (for instance, 5 for RSASHA1). The key id can be any of the following:
+The key options (\-k and \-K) work as follows: you specify a DNSSEC
+algorithm (using its symbolic name, for instance, RSASHA256
+or its numeric identifier, for instance, 8), followed by a comma
+and a key identifier (white space is not allowed between the
+algorithm and the comma and between the comma and the key identifier).
+
+The key identifier can be any of the following:
 
     <id>
     <slot>:<id>
@@ -138,6 +142,10 @@ Where '<id>' is the PKCS #11 key identifier in hexadecimal
 notation, '<label>' is the PKCS #11 human-readable label, and '<slot>'
 is the slot number where the token is present.
 
+More recent versions of OpenSSL engines may support
+the PKCS #11 URI scheme (RFC 7512),
+please consult your engine's documentation.
+
 If not already present, a DNSKEY RR is generated from the key
 data, and added to the zone.
 
@@ -152,8 +160,10 @@ file 'Knlnetlabs.nl.+005+12273.key'. If that is not present, generate
 one with default values from 'Knlnetlabs.nl.+005+12273.private'.
 
 
-.SH AUTHOR
+.SH AUTHORS
 Written by the ldns team as an example for ldns usage.
+.br
+Portions of engine support by Vadim Penzin <vadim@penzin.net>. 
 
 .SH REPORTING BUGS
 Report bugs to <ldns-team@nlnetlabs.nl>.