chore(docs): regenerate man pages (#7971)

man/coredns-dnssec.7

@@ -1,5 +1,5 @@
 .\" Generated by Mmark Markdown Processer - mmark.miek.nl
-.TH "COREDNS-DNSSEC" 7 "March 2021" "CoreDNS" "CoreDNS Plugins"
+.TH "COREDNS-DNSSEC" 7 "March 2026" "CoreDNS" "CoreDNS Plugins"
 
 .SH "NAME"
 .PP
@@ -20,7 +20,7 @@ This plugin can only be used once per Server Block.
 
 .nf
 dnssec [ZONES... ] {
-    key file KEY...
+    key file|aws\_secretsmanager KEY...
     cache\_capacity CAPACITY
 }
 
@@ -39,10 +39,13 @@ ZSK/KSK split. All signing operations are done online.
 Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm
 is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is \fInot\fP supported.
 
+.PP
+As the \fIdnssec\fP plugin can't see the original TTL of the RRSets it signs, it will always use 3600s
+as the value.
+
 .PP
 If multiple \fIdnssec\fP plugins are specified in the same zone, the last one specified will be
-used (See bugs
-\[la]#bugs\[ra]).
+used.
 
 .IP \(bu 4
 \fBZONES\fP zones that should be signed. If empty, the zones from the configuration block
@@ -62,6 +65,36 @@ generated public key \fB\fCKexample.org+013+45330.key\fR
 generated private key \fB\fCKexample.org+013+45330.private\fR
 
 .RE
+.IP \(bu 4
+\fB\fCkey aws_secretsmanager\fR indicates that \fBKEY\fP secret(s) should be read from AWS Secrets Manager. Secret
+names or ARNs may be used. After generating the keys as described in the \fB\fCkey file\fR section, you can
+store them in AWS Secrets Manager using the following AWS CLI v2 command:
+
+
+.PP
+.RS
+
+.nf
+  aws secretsmanager create\-secret \-\-name "Kexample.org.+013+45330" \\
+  \-\-description "DNSSEC keys for example.org" \\
+  \-\-secret\-string "$(jq \-n \-\-arg key "$(cat Kexample.org.+013+45330.key)" \\
+  \-\-arg private "$(cat Kexample.org.+013+45330.private)" \\
+  '{key: $key, private: $private}')"
+
+.fi
+.RE
+
+.PP
+This command reads the contents of the \fB\fC.key\fR and \fB\fC.private\fR files, constructs a JSON object, and stores it
+  as a new secret in AWS Secrets Manager with the specified name and description. CoreDNS will then fetch
+  the key data from AWS Secrets Manager when using the \fB\fCkey aws_secretsmanager\fR directive.
+
+.PP
+AWS SDK for Go V2
+\[la]https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#specifying-credentials\[ra] is used
+  for authentication with AWS Secrets Manager. Make sure the provided AWS credentials have the necessary
+  permissions (e.g., \fB\fCsecretsmanager:GetSecretValue\fR) to access the specified secrets in AWS Secrets Manager.
+
 .IP \(bu 4
 \fB\fCcache_capacity\fR indicates the capacity of the cache. The dnssec plugin uses a cache to store
 RRSIGs. The default for \fBCAPACITY\fP is 10000.
@@ -100,6 +133,24 @@ example.org {
 .fi
 .RE
 
+.PP
+Sign responses for \fB\fCexample.org\fR with the key stored in AWS Secrets Manager under the secret name
+"Kexample.org.+013+45330".
+
+.PP
+.RS
+
+.nf
+example.org {
+    dnssec {
+        key aws\_secretsmanager Kexample.org.+013+45330
+    }
+    whoami
+}
+
+.fi
+.RE
+
 .PP
 Sign responses for a kubernetes zone with the key "Kcluster.local+013+45129.key".