Initial support for set tsig-store-path and set publication-nameserver.

doc/manual/build/man/dnst-key2ds.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "DNST-KEY2DS" "1" "Apr 07, 2026" "0.2.0-alpha1" "dnst"
+.TH "DNST-KEY2DS" "1" "Apr 09, 2026" "0.2.0-alpha1" "dnst"
 .SH NAME
 dnst-key2ds \- Generate DS RRs from the DNSKEYs in a keyfile
 .SH SYNOPSIS

doc/manual/build/man/dnst-keygen.1

@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "DNST-KEYGEN" "1" "Apr 07, 2026" "0.2.0-alpha1" "dnst"
+.TH "DNST-KEYGEN" "1" "Apr 09, 2026" "0.2.0-alpha1" "dnst"
 .SH NAME
 dnst-keygen \- Generate a new key pair for a domain name
 .SH SYNOPSIS

doc/manual/build/man/dnst-keyset.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "DNST-KEYSET" "1" "Apr 07, 2026" "0.2.0-alpha1" "dnst"
+.TH "DNST-KEYSET" "1" "Apr 09, 2026" "0.2.0-alpha1" "dnst"
 .SH NAME
 dnst-keyset \- Manage DNSSEC signing keys for a domain
 .SH SYNOPSIS
@@ -214,8 +214,9 @@ For the \fBReportDnskeyPropagated\fP and \fBReportDsPropagated\fP actions, each
 the queried to see if the DNSKEY RRset or DS RRset match
 the KSKs.
 The \fBReportRrsigPropagated\fP action is more complex.
-First the entire zone is transferred from the primary nameserver listed in the
-SOA record.
+First the entire zone is transferred from the nameservers specified via
+\fBset publication\-nameservers\fP, or if not set form the primary nameserver
+listed in the SOA record.
 Then all relevant signatures are checked if they have the expected key tags.
 The maximum TTL in the zone is recorded to be reported.
 Finally, all addresses of listed nameservers are checked to see if they
@@ -804,6 +805,63 @@ to be updated.
 This command can, for example, alert the operator or use an API provided
 by the parent zone to update the DS records automatically.
 .IP \(bu 2
+tsig\-store\-path
+.sp
+Set the path to a TSIG key store file to use.
+.sp
+Keys defined in the store file must use one of the following algorithms:
+.INDENT 2.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+hmac\-sha1
+.IP \(bu 2
+hmac\-sha256
+.IP \(bu 2
+hmac\-sha384
+.IP \(bu 2
+hmac\-sha512
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+Currently there is no way to create this file using \fBdnst keyset\fP\&.
+The file is in JSON format and defines zero or more TSIG keys as
+entries in a map. The example below defines a single TSIG key with name
+\fBtsig\-zonedata\-ch\-public\-21\-03\fP using algorithm \fBhmac\-sha512\fP with a
+base64 encoded secret.
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.EX
+{
+  \(dqversion\(dq: \(dqv1\(dq,
+  \(dqmap\(dq: {
+    \(dqtsig\-zonedata\-ch\-public\-21\-01\(dq: {
+      \(dqalg\(dq: \(dqhmac\-sha512\(dq,
+      \(dqdata\(dq: \(dqstZw...iJ3Q==\(dq
+    }
+  }
+}
+.EE
+.UNINDENT
+.UNINDENT
+.IP \(bu 2
+publication\-nameservers
+.sp
+Set the nameservers to transfer from when checking a zone.
+.sp
+If no nameserver values are specified the default behaviour of querying
+the primary nameserver defined in the SOA record will be used.
+.sp
+Nameservers should be specified as space separated
+arguments, each nameserver being one argument in the form:
+.INDENT 2.0
+.INDENT 3.5
+<IP_ADDR>:<PORT>[^<TSIG_KEY_NAME>]
+.UNINDENT
+.UNINDENT
+.IP \(bu 2
 fake\-time
 .sp
 Set the \(aqwall clock\(aq time to be used for testing.

doc/manual/build/man/dnst-notify.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "DNST-NOTIFY" "1" "Apr 07, 2026" "0.2.0-alpha1" "dnst"
+.TH "DNST-NOTIFY" "1" "Apr 09, 2026" "0.2.0-alpha1" "dnst"
 .SH NAME
 dnst-notify \- Send a NOTIFY message to a list of name servers
 .SH SYNOPSIS

doc/manual/build/man/dnst-nsec3-hash.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "DNST-NSEC3-HASH" "1" "Apr 07, 2026" "0.2.0-alpha1" "dnst"
+.TH "DNST-NSEC3-HASH" "1" "Apr 09, 2026" "0.2.0-alpha1" "dnst"
 .SH NAME
 dnst-nsec3-hash \- Print out the NSEC3 hash of a domain name
 .SH SYNOPSIS

doc/manual/build/man/dnst-signzone.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "DNST-SIGNZONE" "1" "Apr 07, 2026" "0.2.0-alpha1" "dnst"
+.TH "DNST-SIGNZONE" "1" "Apr 09, 2026" "0.2.0-alpha1" "dnst"
 .SH NAME
 dnst-signzone \- Sign the zone with the given key(s)
 .SH SYNOPSIS

doc/manual/build/man/dnst-update.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "DNST-UPDATE" "1" "Apr 07, 2026" "0.2.0-alpha1" "dnst"
+.TH "DNST-UPDATE" "1" "Apr 09, 2026" "0.2.0-alpha1" "dnst"
 .SH NAME
 dnst-update \- Send a dynamic update packet to update an IP (or delete all existing IPs) for a domain name
 .SH SYNOPSIS

doc/manual/build/man/dnst.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "DNST" "1" "Apr 07, 2026" "0.2.0-alpha1" "dnst"
+.TH "DNST" "1" "Apr 09, 2026" "0.2.0-alpha1" "dnst"
 .SH NAME
 dnst \- DNS Management Tools
 .SH SYNOPSIS

doc/manual/build/man/ldns-key2ds.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "LDNS-KEY2DS" "1" "Apr 07, 2026" "0.2.0-alpha1" "dnst"
+.TH "LDNS-KEY2DS" "1" "Apr 09, 2026" "0.2.0-alpha1" "dnst"
 .SH NAME
 ldns-key2ds \- Generate DS RRs from the DNSKEYs in a keyfile
 .SH SYNOPSIS

doc/manual/build/man/ldns-keygen.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "LDNS-KEYGEN" "1" "Apr 07, 2026" "0.2.0-alpha1" "dnst"
+.TH "LDNS-KEYGEN" "1" "Apr 09, 2026" "0.2.0-alpha1" "dnst"
 .SH NAME
 ldns-keygen \- Generate a new key pair for a domain name
 .SH SYNOPSIS

doc/manual/build/man/ldns-notify.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "LDNS-NOTIFY" "1" "Apr 07, 2026" "0.2.0-alpha1" "dnst"
+.TH "LDNS-NOTIFY" "1" "Apr 09, 2026" "0.2.0-alpha1" "dnst"
 .SH NAME
 ldns-notify \- Send a NOTIFY message to a list of name servers
 .SH SYNOPSIS

doc/manual/build/man/ldns-nsec3-hash.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "LDNS-NSEC3-HASH" "1" "Apr 07, 2026" "0.2.0-alpha1" "dnst"
+.TH "LDNS-NSEC3-HASH" "1" "Apr 09, 2026" "0.2.0-alpha1" "dnst"
 .SH NAME
 ldns-nsec3-hash \- Print out the NSEC3 hash of a domain name
 .SH SYNOPSIS

doc/manual/build/man/ldns-signzone.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "LDNS-SIGNZONE" "1" "Apr 07, 2026" "0.2.0-alpha1" "dnst"
+.TH "LDNS-SIGNZONE" "1" "Apr 09, 2026" "0.2.0-alpha1" "dnst"
 .SH NAME
 ldns-signzone \- Sign the zone with the given key(s)
 .SH SYNOPSIS

doc/manual/build/man/ldns-update.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "LDNS-UPDATE" "1" "Apr 07, 2026" "0.2.0-alpha1" "dnst"
+.TH "LDNS-UPDATE" "1" "Apr 09, 2026" "0.2.0-alpha1" "dnst"
 .SH NAME
 ldns-update \- Send a dynamic update packet to update an IP (or delete all existing IPs) for a domain name
 .SH SYNOPSIS

doc/manual/source/man/dnst-keyset.rst

@@ -198,8 +198,9 @@ For the ``ReportDnskeyPropagated`` and ``ReportDsPropagated`` actions, each addr
 the queried to see if the DNSKEY RRset or DS RRset match
 the KSKs.
 The ``ReportRrsigPropagated`` action is more complex.
-First the entire zone is transferred from the primary nameserver listed in the
-SOA record.
+First the entire zone is transferred from the nameservers specified via
+``set publication-nameservers``, or if not set form the primary nameserver
+listed in the SOA record.
 Then all relevant signatures are checked if they have the expected key tags.
 The maximum TTL in the zone is recorded to be reported.
 Finally, all addresses of listed nameservers are checked to see if they
@@ -784,6 +785,47 @@ The keyset subcommand provides the following commands:
     This command can, for example, alert the operator or use an API provided
     by the parent zone to update the DS records automatically.
 
+  * tsig-store-path
+
+    Set the path to a TSIG key store file to use.
+
+    Keys defined in the store file must use one of the following algorithms:
+
+      - hmac-sha1
+      - hmac-sha256
+      - hmac-sha384
+      - hmac-sha512
+
+    Currently there is no way to create this file using ``dnst keyset``.
+    The file is in JSON format and defines zero or more TSIG keys as
+    entries in a map. The example below defines a single TSIG key with name
+    ``tsig-zonedata-ch-public-21-03`` using algorithm ``hmac-sha512`` with a
+    base64 encoded secret.
+
+    .. code-block:: json
+
+       {
+         "version": "v1",
+         "map": {
+           "tsig-zonedata-ch-public-21-01": {
+             "alg": "hmac-sha512",
+             "data": "stZw...iJ3Q=="
+           }
+         }
+       }
+
+  * publication-nameservers
+
+    Set the nameservers to transfer from when checking a zone.
+
+    If no nameserver values are specified the default behaviour of querying
+    the primary nameserver defined in the SOA record will be used.
+
+    Nameservers should be specified as space separated
+    arguments, each nameserver being one argument in the form:
+
+      <IP_ADDR>:<PORT>[^<TSIG_KEY_NAME>]
+
   * fake-time
 
     Set the 'wall clock' time to be used for testing.