Regenerate man-page (#3530)

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Yong Tang
2019-12-11 06:49:38 -08:00
committed by GitHub
parent 2e7dbfdcf0
commit fdb3cff87c
44 changed files with 77 additions and 61 deletions


@@ -1,5 +1,5 @@
.\" Generated by Mmark Markdown Processer - mmark.miek.nl
.TH "COREDNS-SIGN" 7 "November 2019" "CoreDNS" "CoreDNS Plugins"
.TH "COREDNS-SIGN" 7 "December 2019" "CoreDNS" "CoreDNS Plugins"
.SH "NAME"
.PP
@@ -10,8 +10,7 @@
The \fIsign\fP plugin is used to sign (see RFC 6781) zones. In this process DNSSEC resource records are
added. The signatures that sign the resource records sets have an expiration date, this means the
signing process must be repeated before this expiration data is reached. Otherwise the zone's data
will go BAD (RFC 4035, Section 5.5). The \fIsign\fP plugin takes care of this. \fISign\fP works, but has
a couple of limitations, see the "Bugs" section.
will go BAD (RFC 4035, Section 5.5). The \fIsign\fP plugin takes care of this.
.PP
Only NSEC is supported, \fIsign\fP does not support NSEC3.
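Review bot: dropping the pointer "see the "Bugs" section" from the intro leaves the reader with no hint that limitations exist, yet the BUGS section of this same file still lists `keys directory is not implemented`; if that limitation stays, keep a short cross-reference to BUGS in the introductory paragraph (the source README, since this file is generated).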
@@ -43,9 +42,12 @@ the signature only has 14 days left before expiring.
Both these dates are only checked on the SOA's signature(s).
.IP \(bu 4
Create signatures that have an inception of -3 hours (minus a jitter between 0 and 18 hours)
Create RRSIGs that have an inception of -3 hours (minus a jitter between 0 and 18 hours)
and a expiration of +32 days for every given DNSKEY.
.IP \(bu 4
Add NSEC records for all names in the zone. The TTL for these is the negative cache TTL from the
SOA record.
.IP \(bu 4
Add or replace \fIall\fP apex CDS/CDNSKEY records with the ones derived from the given keys. For
each key two CDS are created one with SHA1 and another with SHA256.
.IP \(bu 4
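Review bot: `signatures` to `RRSIGs` is a good precision fix, but the continuation line still reads `and a expiration of +32 days`; since this man page is regenerated from the README, correct the article there (`an expiration`) so it does not reappear on the next regeneration.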
@@ -54,8 +56,8 @@ overwrite \fIany\fP previous serial number.
.PP
Thus there are two ways that dictate when a zone is signed. Normally every 6 days (plus jitter) it
will be resigned. If for some reason we fail this check, the 14 days before expiring kicks in.
There are two ways that dictate when a zone is signed. Normally every 6 days (plus jitter) it will
be resigned. If for some reason we fail this check, the 14 days before expiring kicks in.
.PP
Keys are named (following BIND9): \fB\fCK<name>+<alg>+<id>.key\fR and \fB\fCK<name>+<alg>+<id>.private\fR.
@@ -200,8 +202,8 @@ This will lead to \fB\fCdb.example.org\fR be signed \fItwice\fP, as this entire
you have specified the origins \fB\fCexample.org\fR and \fB\fCexample.net\fR in the server block.
.PP
Forcibly resigning a zone can be accomplished by removing the signed zone file (CoreDNS will keep on
serving it from memory), and sending SIGUSR1 to the process to make it reload and resign the zone
Forcibly resigning a zone can be accomplished by removing the signed zone file (CoreDNS will keep
on serving it from memory), and sending SIGUSR1 to the process to make it reload and resign the zone
file.
.SH "ALSO SEE"
@@ -210,11 +212,17 @@ The DNSSEC RFCs: RFC 4033, RFC 4034 and RFC 4035. And the BCP on DNSSEC, RFC 678
manual pages coredns-keygen(1) and dnssec-keygen(8). And the \fIfile\fP plugin's documentation.
.PP
Coredns-keygen can be found at https://github.com/coredns/coredns-utils
\[la]https://github.com/coredns/coredns-utils\[ra] in the coredns-keygen directory.
Coredns-keygen can be found at
https://github.com/coredns/coredns-utils
\[la]https://github.com/coredns/coredns-utils\[ra] in the
coredns-keygen directory.
.PP
Other useful DNSSEC tools can be found in ldns
\[la]https://nlnetlabs.nl/projects/ldns/about/\[ra], e.g.
\fB\fCldns-key2ds\fR to create DS records from DNSKEYs.
.SH "BUGS"
.PP
\fB\fCkeys directory\fR is not implemented. Glue records are currently signed, and no DS records are added
for child zones.
\fB\fCkeys directory\fR is not implemented.
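Review bot: the BUGS entry `Glue records are currently signed, and no DS records are added for child zones.` is removed, but nothing in this commit shows that the plugin's behaviour changed; if glue is now skipped and DS records are emitted for delegations, say so in the commit message or the intro, otherwise the limitation should remain documented since operators rely on it to know whether to add DS records by hand.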