Update documentation on -E option

The -E option does not default to pkcs11 if --with-pkcs11 is set,
but always needs to be set explicitly.

bin/dnssec/dnssec-keyfromlabel.rst

@@ -76,9 +76,9 @@ Options
 ``-E engine``
    This option specifies the cryptographic hardware to use.
 
-   When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

bin/dnssec/dnssec-keygen.rst

@@ -103,9 +103,9 @@ Options
 ``-E engine``
    This option specifies the cryptographic hardware to use, when applicable.
 
-   When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

bin/dnssec/dnssec-revoke.rst

@@ -59,9 +59,9 @@ Options
 ``-E engine``
    This option specifies the cryptographic hardware to use, when applicable.
 
-   When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

bin/dnssec/dnssec-settime.rst

@@ -102,9 +102,9 @@ Options
 ``-E engine``
    This option specifies the cryptographic hardware to use, when applicable.
 
-   When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

bin/dnssec/dnssec-signzone.rst

@@ -69,9 +69,9 @@ Options
    This option specifies the hardware to use for cryptographic
    operations, such as a secure key store used for signing, when applicable.
 
-   When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

bin/dnssec/dnssec-verify.rst

@@ -47,9 +47,9 @@ Options
 ``-E engine``
    This option specifies the cryptographic hardware to use, when applicable.
 
-   When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

bin/named/named.rst

@@ -72,9 +72,9 @@ Options
    When applicable, this option specifies the hardware to use for cryptographic
    operations, such as a secure key store used for signing.
 
-   When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

doc/man/dnssec-keyfromlabel.1in

@@ -76,9 +76,9 @@ versions, then the NSEC3 version is used; for example,
 .B \fB\-E engine\fP
 This option specifies the cryptographic hardware to use.
 .sp
-When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

doc/man/dnssec-keygen.1in

@@ -103,9 +103,9 @@ ECDSAP384SHA384, ED25519, and ED448.
 .B \fB\-E engine\fP
 This option specifies the cryptographic hardware to use, when applicable.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

doc/man/dnssec-revoke.1in

@@ -59,9 +59,9 @@ This option prints version information.
 .B \fB\-E engine\fP
 This option specifies the cryptographic hardware to use, when applicable.
 .sp
-When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

doc/man/dnssec-settime.1in

@@ -102,9 +102,9 @@ This option sets the debugging level.
 .B \fB\-E engine\fP
 This option specifies the cryptographic hardware to use, when applicable.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

doc/man/dnssec-signzone.1in

@@ -69,9 +69,9 @@ The resulting file can be included in the original zone file with
 This option specifies the hardware to use for cryptographic
 operations, such as a secure key store used for signing, when applicable.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

doc/man/dnssec-verify.1in

@@ -47,9 +47,9 @@ This option specifies the DNS class of the zone.
 .B \fB\-E engine\fP
 This option specifies the cryptographic hardware to use, when applicable.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

doc/man/named.8in

@@ -72,9 +72,9 @@ in a process listing. The contents of \fBstring\fP are not examined.
 When applicable, this option specifies the hardware to use for cryptographic
 operations, such as a secure key store used for signing.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.