diff --git a/CHANGES b/CHANGES
index e33f4ce336..f9221315d3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+4066. [doc] Reorganize options in the dig man page. [RT #38516]
+
4065. [test] Additional RFC 5011 tests. [RT #38569]
4064. [contrib] dnssec-keyset.sh: Generates a specified number
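Review bot: The 4066 entry says the options were only reorganized, but the dig.docbook hunk in this same patch also changes what the page says. The key-generation reference moves from dnssec-keygen to tsig-keygen, the -y entry gains an explicit list of valid hmac algorithm names, and the -x example name changes from 11.12.13.10.in-addr.arpa to 94.2.0.192.in-addr.arpa. Suggest wording the entry as "Reorganize and update options in the dig man page" so readers of CHANGES can tell the TSIG text changed.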
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index c444723163..b3ec8b490e 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -217,127 +217,204 @@
OPTIONS
-
- The option sets the source IP address of the query
- to address. This must be a valid
- address on
- one of the host's network interfaces or "0.0.0.0" or "::". An optional
- port
- may be specified by appending "#<port>"
-
+
+
+ -4
+
+
+ Use IPv4 only.
+
+
+
-
- The default query class (IN for internet) is overridden by the
- option. class is
- any valid
- class, such as HS for Hesiod records or CH for Chaosnet records.
-
+
+ -6
+
+
+ Use IPv6 only.
+
+
+
-
- The option makes dig
- operate
- in batch mode by reading a list of lookup requests to process from the
- file filename. The file contains a
- number of
- queries, one per line. Each entry in the file should be organized in
- the same way they would be presented as queries to
- dig using the command-line interface.
-
+
+ -b address#port
+
+
+ Set the source IP address of the query.
+ The address must be a valid address on
+ one of the host's network interfaces, or "0.0.0.0" or "::". An
+ optional port may be specified by appending "#<port>"
+
+
+
-
- The option enables memory usage debugging.
-
-
+
+ -c class
+
+
+ Set the query class. The
+ default class is IN; other classes
+ are HS for Hesiod records or CH for Chaosnet records.
+
+
+
-
- If a non-standard port number is to be queried, the
- option is used. port# is
- the port number that dig will send its
- queries
- instead of the standard DNS port number 53. This option would be used
- to test a name server that has been configured to listen for queries
- on a non-standard port number.
-
+
+ -f file
+
+
+ Batch mode: dig reads a list of lookup
+ requests to process from the
+ given file. Each line in the file
+ should be organized in the same way they would be
+ presented as queries to
+ dig using the command-line interface.
+
+
+
-
- The option forces dig
- to only
- use IPv4 query transport. The option forces
- dig to only use IPv6 query transport.
-
+
+ -i
+
+
+ Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT
+ domain, which is no longer in use. Obsolete bit string
+ label queries (RFC2874) are not attempted.
+
+
+
-
- The option sets the query type to
- type. It can be any valid query type
- which is
- supported in BIND 9. The default query type is "A", unless the
- option is supplied to indicate a reverse lookup.
- A zone transfer can be requested by specifying a type of AXFR. When
- an incremental zone transfer (IXFR) is required,
- type is set to ixfr=N.
- The incremental zone transfer will contain the changes made to the zone
- since the serial number in the zone's SOA record was
- N.
-
+
+ -k keyfile
+
+
+ Sign queries using TSIG using a key read from the given file.
+ Key files can be generated using
+
+ tsig-keygen8
+ .
+ When using TSIG authentication with dig,
+ the name server that is queried needs to know the key and
+ algorithm that is being used. In BIND, this is done by
+ providing appropriate key
+ and server statements in
+ named.conf.
+
+
+
-
- The option sets the query name to
- name. This is useful to distinguish the
- name from other arguments.
-
+
+ -m
+
+
+ Enable memory usage debugging.
+
+
+
+
-
- The causes dig to
- print the version number and exit.
-
+
+ -p port
+
+
+ Send the query to a non-standard port on the server,
+ instead of the defaut port 53. This option would be used
+ to test a name server that has been configured to listen
+ for queries on a non-standard port number.
+
+
+
-
- Reverse lookups — mapping addresses to names — are simplified by the
- option. addr is
- an IPv4
- address in dotted-decimal notation, or a colon-delimited IPv6 address.
- When this option is used, there is no need to provide the
- name, class and
- type arguments. dig
- automatically performs a lookup for a name like
- 11.12.13.10.in-addr.arpa and sets the
- query type and
- class to PTR and IN respectively. By default, IPv6 addresses are
- looked up using nibble format under the IP6.ARPA domain.
- To use the older RFC1886 method using the IP6.INT domain
- specify the option. Bit string labels (RFC2874)
- are now experimental and are not attempted.
-
+
+ -q name
+
+
+ The domain name to query. This is useful to distinguish
+ the name from other arguments.
+
+
+
-
- To sign the DNS queries sent by dig and
- their
- responses using transaction signatures (TSIG), specify a TSIG key file
- using the option. You can also specify the TSIG
- key itself on the command line using the option;
- hmac is the type of the TSIG, default HMAC-MD5,
- name is the name of the TSIG key and
- key is the actual key. The key is a
- base-64
- encoded string, typically generated by
-
- dnssec-keygen8
- .
+
+ -t type
+
+
+ The resource record type to query. It can be any valid query type
+ which is
+ supported in BIND 9. The default query type is "A", unless the
+ option is supplied to indicate a reverse lookup.
+ A zone transfer can be requested by specifying a type of AXFR. When
+ an incremental zone transfer (IXFR) is required, set the
+ type to ixfr=N.
+ The incremental zone transfer will contain the changes
+ made to the zone since the serial number in the zone's SOA
+ record was
+ N.
+
+
+
- Caution should be taken when using the option on
- multi-user systems as the key can be visible in the output from
-
- ps1
-
- or in the shell's history file. When
- using TSIG authentication with dig, the name
- server that is queried needs to know the key and algorithm that is
- being used. In BIND, this is done by providing appropriate
- key and server statements in
- named.conf.
-
+
+ -v
+
+
+ Print the version number and exit.
+
+
+
+
+ -x addr
+
+
+ Simplified reverse lookups, for mapping addresses to
+ names. The addr is an IPv4 address
+ in dotted-decimal notation, or a colon-delimited IPv6
+ address. When the is used, there is no
+ need to provide
+ the name, class
+ and type
+ arguments. dig automatically performs a
+ lookup for a name like
+ 94.2.0.192.in-addr.arpa and sets the
+ query type and class to PTR and IN respectively. IPv6
+ addresses are looked up using nibble format under the
+ IP6.ARPA domain (but see also the
+ option).
+
+
+
+
+
+ -y hmac:keyname:secret
+
+
+ Sign queries using TSIG with the given authentication key.
+ keyname is the name of the key, and
+ secret is the base64 encoded shared secret.
+ hmac is the name of the key algorithm;
+ valid choices are hmac-md5,
+ hmac-sha1, hmac-sha224,
+ hmac-sha256, hmac-sha384, or
+ hmac-sha512. If hmac
+ is not specified, the default is hmac-md5.
+
+
+ NOTE: You should use the option and
+ avoid the option, because
+ with the shared secret is supplied as
+ a command line argument in clear text. This may be visible
+ in the output from
+
+ ps1
+
+ or in a history file maintained by the user's shell.
+
+
+
+
+
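Review bot: The new -p entry has a typo, "instead of the defaut port 53", which should read "default". Other wording points in the added text:

- In the -k entry, "Sign queries using TSIG using a key read from the given file" repeats "using"; "Sign queries using TSIG with a key read from the given file" reads better and matches the -y entry's "with the given authentication key".
- In the -f entry, "Each line in the file should be organized in the same way they would be presented" mixes singular and plural; use "it would be presented".
- In the -b entry, the sentence ending in "#<port>" still has no closing period.
- The removed text said TSIG signs the queries "and their responses", while the new -k and -y entries mention only queries. If that omission is deliberate, fine; otherwise keep the mention of responses.
- The warning about the secret being visible in ps output or shell history now sits only under -y. A short pointer to it from the -k entry would help readers who read only -k understand why a key file is the preferred form.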