17 files changed, 34 insertions, 79 deletions

diff --git a/man/coredns-clouddns.7 b/man/coredns-clouddns.7
index 4783e028d..7265aecc2 100644
--- a/man/coredns-clouddns.7
+++ b/man/coredns-clouddns.7
@@ -37,19 +37,15 @@ Therefore, for a non-existing resource record, SOA response will be from the rig
 .IP \(bu 4
 \fBPROJECT_ID\fP the project ID of the Google Cloud project.
 .IP \(bu 4
-\fBHOSTED\fIZONE\fPNAME\fP the name of the hosted zone that contains the resource record sets to be
+\fBHOSTED_ZONE_NAME\fP the name of the hosted zone that contains the resource record sets to be
 accessed.
 .IP \(bu 4
-\fB\fCcredentials\fR is used for reading the credential file.
-.IP \(bu 4
-\fBFILENAME\fP GCP credentials file path (normally a .json file).
+\fB\fCcredentials\fR is used for reading the credential file from \fBFILENAME\fP (normally a .json file).
 .IP \(bu 4
 \fB\fCfallthrough\fR If zone matches and no record can be generated, pass request to the next plugin.
 If \fB[ZONES...]\fP is omitted, then fallthrough happens for all zones for which the plugin is
 authoritative. If specific zones are listed (for example \fB\fCin-addr.arpa\fR and \fB\fCip6.arpa\fR), then
 only queries for those zones will be subject to fallthrough.
-.IP \(bu 4
-\fBZONES\fP zones it should be authoritative for. If empty, the zones from the configuration block
 
 
 .SH "EXAMPLES"
diff --git a/man/coredns-health.7 b/man/coredns-health.7
index c8567a2e1..17b535bc5 100644
--- a/man/coredns-health.7
+++ b/man/coredns-health.7
@@ -8,7 +8,7 @@
 .SH "DESCRIPTION"
 .PP
 Enabled process wide health endpoint. When CoreDNS is up and running this returns a 200 OK HTTP
-status code. The health is exported, by default, on port 8080/health .
+status code. The health is exported, by default, on port 8080/health.
 
 .SH "SYNTAX"
 .PP
diff --git a/man/coredns-kubernetes.7 b/man/coredns-kubernetes.7
index 21596ed94..c494b3068 100644
--- a/man/coredns-kubernetes.7
+++ b/man/coredns-kubernetes.7
@@ -357,5 +357,5 @@ It may take one of the three values:
 
 .SH "BUGS"
 .PP
-The duration metric only supports the "headless\fIwith\fPselector" service currently.
+The duration metric only supports the "headless_with_selector" service currently.
 
diff --git a/man/coredns-rewrite.7 b/man/coredns-rewrite.7
index b7afff2be..661136c9e 100644
--- a/man/coredns-rewrite.7
+++ b/man/coredns-rewrite.7
@@ -187,13 +187,6 @@ rather from \fB\fCservice.us-west-1.consul\fR.
 .nf
 $ dig @10.1.1.1 ftp\-us\-west\-1.coredns.rocks
 
-; <<>> DiG 9.8.3\-P1 <<>> @10.1.1.1 ftp\-us\-west\-1.coredns.rocks
-; (1 server found)
-;; global options: +cmd
-;; Got answer:
-;; \->>HEADER<<\- opcode: QUERY, status: NOERROR, id: 8619
-;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
-
 ;; QUESTION SECTION:
 ;ftp\-us\-west\-1.coredns.rocks. IN A
 
@@ -233,13 +226,6 @@ Now, the \fB\fCANSWER SECTION\fR matches the \fB\fCQUESTION SECTION\fR:
 .nf
 $ dig @10.1.1.1 ftp\-us\-west\-1.coredns.rocks
 
-; <<>> DiG 9.8.3\-P1 <<>> @10.1.1.1 ftp\-us\-west\-1.coredns.rocks
-; (1 server found)
-;; global options: +cmd
-;; Got answer:
-;; \->>HEADER<<\- opcode: QUERY, status: NOERROR, id: 8619
-;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
-
 ;; QUESTION SECTION:
 ;ftp\-us\-west\-1.coredns.rocks. IN A
 
diff --git a/man/coredns-route53.7 b/man/coredns-route53.7
index 276b6a7a0..71ef617bc 100644
--- a/man/coredns-route53.7
+++ b/man/coredns-route53.7
@@ -33,29 +33,23 @@ route53 [ZONE:HOSTED\_ZONE\_ID...] {
 domains (private vs. public hosted zone), CoreDNS does the lookup in the given order here.
 Therefore, for a non-existing resource record, SOA response will be from the rightmost zone.
 .IP \(bu 4
-\fBHOSTED\fIZONE\fPID\fP the ID of the hosted zone that contains the resource record sets to be
+\fBHOSTED_ZONE_ID\fP the ID of the hosted zone that contains the resource record sets to be
 accessed.
 .IP \(bu 4
-\fBAWS\fIACCESS\fPKEY_ID\fP and \fBAWS\fISECRET\fPACCESS_KEY\fP the AWS access key ID and secret access key
+\fBAWS_ACCESS_KEY_ID\fP and \fBAWS_SECRET_ACCESS_KEY\fP the AWS access key ID and secret access key
 to be used when query AWS (optional). If they are not provided, then coredns tries to access
 AWS credentials the same way as AWS CLI, e.g., environmental variables, AWS credentials file,
 instance profile credentials, etc.
 .IP \(bu 4
-\fB\fCcredentials\fR is used for reading the credential file and setting the profile name for a given
-zone.
-.IP \(bu 4
-\fBPROFILE\fP AWS account profile name. Defaults to \fB\fCdefault\fR.
-.IP \(bu 4
-\fBFILENAME\fP AWS credentials filename. Defaults to \fB\fC~/.aws/credentials\fR are used.
+\fB\fCcredentials\fR is used for reading the credential \fBFILENAME\fP and setting the \fBPROFILE\fP name for a given
+zone. \fBPROFILE\fP is the AWS account profile name. Defaults to \fB\fCdefault\fR. \fBFILENAME\fP is the
+AWS credentials filename, defaults to \fB\fC~/.aws/credentials\fR.
 .IP \(bu 4
 \fB\fCfallthrough\fR If zone matches and no record can be generated, pass request to the next plugin.
 If \fBZONES\fP is omitted, then fallthrough happens for all zones for which the plugin is
 authoritative. If specific zones are listed (for example \fB\fCin-addr.arpa\fR and \fB\fCip6.arpa\fR), then
 only queries for those zones will be subject to fallthrough.
 .IP \(bu 4
-\fBZONES\fP zones it should be authoritative for. If empty, the zones from the configuration
-block.
-.IP \(bu 4
 \fB\fCrefresh\fR can be used to control how long between record retrievals from Route 53. It requires
 a duration string as a parameter to specify the duration between update cycles. Each update
 cycle may result in many AWS API calls depending on how many domains use this plugin and how
diff --git a/man/coredns-secondary.7 b/man/coredns-secondary.7
index b1ce5afbc..373b889f3 100644
--- a/man/coredns-secondary.7
+++ b/man/coredns-secondary.7
@@ -9,7 +9,7 @@
 .PP
 With \fIsecondary\fP you can transfer (via AXFR) a zone from another server. The retrieved zone is
 \fInot committed\fP to disk (a violation of the RFC). This means restarting CoreDNS will cause it to
- retrieve all secondary zones.
+retrieve all secondary zones.
 
 .PP
 .RS
diff --git a/man/coredns-sign.7 b/man/coredns-sign.7
index 7d780b60b..8c37db1e3 100644
--- a/man/coredns-sign.7
+++ b/man/coredns-sign.7
@@ -13,7 +13,7 @@ signing process must be repeated before this expiration data is reached. Otherwi
 will go BAD (RFC 4035, Section 5.5). The \fIsign\fP plugin takes care of this.
 
 .PP
-Only NSEC is supported, \fIsign\fP does not support NSEC3.
+Only NSEC is supported, \fIsign\fP does \fInot\fP support NSEC3.
 
 .PP
 \fISign\fP works in conjunction with the \fIfile\fP and \fIauto\fP plugins; this plugin \fBsigns\fP the zones
@@ -21,7 +21,7 @@ files, \fIauto\fP and \fIfile\fP \fBserve\fP the zones \fIdata\fP.
 
 .PP
 For this plugin to work at least one Common Signing Key, (see coredns-keygen(1)) is needed. This key
-(or keys) will be used to sign the entire zone. \fISign\fP does not support the ZSK/KSK split, nor will
+(or keys) will be used to sign the entire zone. \fISign\fP does \fInot\fP support the ZSK/KSK split, nor will
 it do key or algorithm rollovers - it just signs.
 
 .PP
diff --git a/man/coredns-tls.7 b/man/coredns-tls.7
index ef72fb1d9..0ba8769f1 100644
--- a/man/coredns-tls.7
+++ b/man/coredns-tls.7
@@ -45,10 +45,11 @@ tls CERT KEY [CA] {
 .RE
 
 .PP
-If client\fIauth option is specified, it controls the client authentication policy.
+If client_auth option is specified, it controls the client authentication policy.
 The option value corresponds to the ClientAuthType values of the Go tls package
 \[la]https://golang.org/pkg/crypto/tls/#ClientAuthType\[ra]: NoClientCert, RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, and RequireAndVerifyClientCert, respectively.
-The default is "nocert".  Note that it makes no sense to specify parameter CA unless this option is set to verify\fPif\fIgiven or require\fPand_verify.
+The default is "nocert".  Note that it makes no sense to specify parameter CA unless this option is
+set to verify_if_given or require_and_verify.
 
 .SH "EXAMPLES"
 .PP
diff --git a/man/corefile.5 b/man/corefile.5
index bb6d183be..d8421f8c1 100644
--- a/man/corefile.5
+++ b/man/corefile.5
@@ -1,5 +1,5 @@
-.\" Generated by Mmark Markdown Processer - mmark.nl
-.TH "COREFILE" 5 "April 2019" "CoreDNS" "CoreDNS"
+.\" Generated by Mmark Markdown Processer - mmark.miek.nl
+.TH "COREFILE" 5 "December 2019" "CoreDNS" "CoreDNS"
 
 .SH "NAME"
 .PP
@@ -67,6 +67,7 @@ If CoreDNS can’t find a Corefile to load it loads the following builtin one:
 .nf
 \&. {
     whoami
+    log
 }
 
 .fi
diff --git a/plugin/clouddns/README.md b/plugin/clouddns/README.md
index 9ae6d52e0..6ff4a2b24 100644
--- a/plugin/clouddns/README.md
+++ b/plugin/clouddns/README.md
@@ -28,22 +28,18 @@ clouddns [ZONE:PROJECT_ID:HOSTED_ZONE_NAME...] {
     domains (private vs. public hosted zone), CoreDNS does the lookup in the given order here.
     Therefore, for a non-existing resource record, SOA response will be from the rightmost zone.
 
-*   **PROJECT_ID** the project ID of the Google Cloud project.
+*   **PROJECT\_ID** the project ID of the Google Cloud project.
 
-*   **HOSTED_ZONE_NAME** the name of the hosted zone that contains the resource record sets to be
+*   **HOSTED\_ZONE\_NAME** the name of the hosted zone that contains the resource record sets to be
     accessed.
 
-*   `credentials` is used for reading the credential file.
-
-*   **FILENAME** GCP credentials file path (normally a .json file).
+*   `credentials` is used for reading the credential file from **FILENAME** (normally a .json file).
 
 *   `fallthrough` If zone matches and no record can be generated, pass request to the next plugin.
     If **[ZONES...]** is omitted, then fallthrough happens for all zones for which the plugin is
     authoritative. If specific zones are listed (for example `in-addr.arpa` and `ip6.arpa`), then
     only queries for those zones will be subject to fallthrough.
 
-*   **ZONES** zones it should be authoritative for. If empty, the zones from the configuration block
-
 ## Examples
 
 Enable clouddns with implicit GCP credentials and resolve CNAMEs via 10.0.0.1:
diff --git a/plugin/health/README.md b/plugin/health/README.md
index d4228d600..2142a7e0b 100644
--- a/plugin/health/README.md
+++ b/plugin/health/README.md
@@ -7,7 +7,7 @@
 ## Description
 
 Enabled process wide health endpoint. When CoreDNS is up and running this returns a 200 OK HTTP
-status code. The health is exported, by default, on port 8080/health .
+status code. The health is exported, by default, on port 8080/health.
 
 ## Syntax
 
diff --git a/plugin/kubernetes/README.md b/plugin/kubernetes/README.md
index fd3a60b17..c4f102755 100644
--- a/plugin/kubernetes/README.md
+++ b/plugin/kubernetes/README.md
@@ -244,4 +244,4 @@ If monitoring is enabled (via the *prometheus* plugin) then the following metric
 
 ## Bugs
 
-The duration metric only supports the "headless_with_selector" service currently.
+The duration metric only supports the "headless\_with\_selector" service currently.
diff --git a/plugin/rewrite/README.md b/plugin/rewrite/README.md
index a2e45e38a..601bf0447 100644
--- a/plugin/rewrite/README.md
+++ b/plugin/rewrite/README.md
@@ -114,13 +114,6 @@ rather from `service.us-west-1.consul`.
 ```
 $ dig @10.1.1.1 ftp-us-west-1.coredns.rocks
 
-; <<>> DiG 9.8.3-P1 <<>> @10.1.1.1 ftp-us-west-1.coredns.rocks
-; (1 server found)
-;; global options: +cmd
-;; Got answer:
-;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8619
-;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
-
 ;; QUESTION SECTION:
 ;ftp-us-west-1.coredns.rocks. IN A
 
@@ -147,13 +140,6 @@ Now, the `ANSWER SECTION` matches the `QUESTION SECTION`:
 ```
 $ dig @10.1.1.1 ftp-us-west-1.coredns.rocks
 
-; <<>> DiG 9.8.3-P1 <<>> @10.1.1.1 ftp-us-west-1.coredns.rocks
-; (1 server found)
-;; global options: +cmd
-;; Got answer:
-;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8619
-;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
-
 ;; QUESTION SECTION:
 ;ftp-us-west-1.coredns.rocks. IN A
 
diff --git a/plugin/route53/README.md b/plugin/route53/README.md
index c0e7dd2df..b859d56ce 100644
--- a/plugin/route53/README.md
+++ b/plugin/route53/README.md
@@ -26,29 +26,23 @@ route53 [ZONE:HOSTED_ZONE_ID...] {
     domains (private vs. public hosted zone), CoreDNS does the lookup in the given order here.
     Therefore, for a non-existing resource record, SOA response will be from the rightmost zone.
 
-*   **HOSTED_ZONE_ID** the ID of the hosted zone that contains the resource record sets to be
+*   **HOSTED\_ZONE\_ID** the ID of the hosted zone that contains the resource record sets to be
     accessed.
 
-*   **AWS_ACCESS_KEY_ID** and **AWS_SECRET_ACCESS_KEY** the AWS access key ID and secret access key
+*   **AWS\_ACCESS\_KEY\_ID** and **AWS\_SECRET\_ACCESS\_KEY** the AWS access key ID and secret access key
     to be used when query AWS (optional). If they are not provided, then coredns tries to access
     AWS credentials the same way as AWS CLI, e.g., environmental variables, AWS credentials file,
     instance profile credentials, etc.
 
-*   `credentials` is used for reading the credential file and setting the profile name for a given
-    zone.
-
-*   **PROFILE** AWS account profile name. Defaults to `default`.
-
-*   **FILENAME** AWS credentials filename. Defaults to `~/.aws/credentials` are used.
+*   `credentials` is used for reading the credential **FILENAME** and setting the **PROFILE** name for a given
+    zone. **PROFILE** is the AWS account profile name. Defaults to `default`. **FILENAME** is the
+    AWS credentials filename, defaults to `~/.aws/credentials`.
 
 *   `fallthrough` If zone matches and no record can be generated, pass request to the next plugin.
     If **ZONES** is omitted, then fallthrough happens for all zones for which the plugin is
     authoritative. If specific zones are listed (for example `in-addr.arpa` and `ip6.arpa`), then
     only queries for those zones will be subject to fallthrough.
 
-*   **ZONES** zones it should be authoritative for. If empty, the zones from the configuration
-    block.
-
 *   `refresh` can be used to control how long between record retrievals from Route 53. It requires
     a duration string as a parameter to specify the duration between update cycles. Each update
     cycle may result in many AWS API calls depending on how many domains use this plugin and how
diff --git a/plugin/secondary/README.md b/plugin/secondary/README.md
index e1697d674..00a9d6b88 100644
--- a/plugin/secondary/README.md
+++ b/plugin/secondary/README.md
@@ -8,7 +8,7 @@
 
 With *secondary* you can transfer (via AXFR) a zone from another server. The retrieved zone is
 *not committed* to disk (a violation of the RFC). This means restarting CoreDNS will cause it to
- retrieve all secondary zones.
+retrieve all secondary zones.
 
 ~~~
 secondary [ZONES...]
diff --git a/plugin/sign/README.md b/plugin/sign/README.md
index 90d687e59..6f528c49c 100644
--- a/plugin/sign/README.md
+++ b/plugin/sign/README.md
@@ -11,13 +11,13 @@ added. The signatures that sign the resource records sets have an expiration dat
 signing process must be repeated before this expiration data is reached. Otherwise the zone's data
 will go BAD (RFC 4035, Section 5.5). The *sign* plugin takes care of this.
 
-Only NSEC is supported, *sign* does not support NSEC3.
+Only NSEC is supported, *sign* does *not* support NSEC3.
 
 *Sign* works in conjunction with the *file* and *auto* plugins; this plugin **signs** the zones
 files, *auto* and *file* **serve** the zones *data*.
 
 For this plugin to work at least one Common Signing Key, (see coredns-keygen(1)) is needed. This key
-(or keys) will be used to sign the entire zone. *Sign* does not support the ZSK/KSK split, nor will
+(or keys) will be used to sign the entire zone. *Sign* does *not* support the ZSK/KSK split, nor will
 it do key or algorithm rollovers - it just signs.
 
 *Sign* will:
diff --git a/plugin/tls/README.md b/plugin/tls/README.md
index 40b395c6b..5ea8994c9 100644
--- a/plugin/tls/README.md
+++ b/plugin/tls/README.md
@@ -30,9 +30,10 @@ tls CERT KEY [CA] {
 }
 ~~~
 
-If client_auth option is specified, it controls the client authentication policy.
+If client\_auth option is specified, it controls the client authentication policy.
 The option value corresponds to the [ClientAuthType values of the Go tls package](https://golang.org/pkg/crypto/tls/#ClientAuthType): NoClientCert, RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, and RequireAndVerifyClientCert, respectively.
-The default is "nocert".  Note that it makes no sense to specify parameter CA unless this option is set to verify_if_given or require_and_verify.
+The default is "nocert".  Note that it makes no sense to specify parameter CA unless this option is
+set to verify\_if\_given or require\_and\_verify.
 
 ## Examples