From: Daniel Kahn Gillmor Date: Sat, 17 Feb 2018 15:52:20 -0500 Subject: Update documentation of --keyfile-ro On Debian systems, we depend on the OS package management to update the dns root data. Make the documentation for running with this option less scary-sounding, as it is the default. --- doc/kresd.8.in | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/doc/kresd.8.in b/doc/kresd.8.in index 0fa8cc9..2a5485a 100644 --- a/doc/kresd.8.in +++ b/doc/kresd.8.in @@ -123,7 +123,7 @@ file at the default location (\fIconfig\fR). The syntax is described in \fIdaemon/README.md\fR. .TP .B \-k\fI keyfile\fR, \fB\-\-keyfile=\fI -(Recommended!) Automatically managed root trust anchors file. +Automatically managed root trust anchors file. Root trust anchors in this file are managed using standard RFC 5011 (Automated Updates of DNS Security Trust Anchors). Kresd needs write access to the directory containing the keyfile. @@ -134,9 +134,14 @@ The file contains DNSKEY/DS records in presentation format, and is compatible with Unbound and BIND 9 root key files. .TP .B \-K\fI keyfile\fR, \fB\-\-keyfile\-ro=\fI -(Discouraged) Static root trust anchors file. The file is not updated by kresd. Use of this option is discouraged because it will break your installation when the trust anchor key changes! +Static root trust anchors file. The file is not updated by +kresd. Please ensure that any running kresd instances are restarted if +the trust anchors change. (On Debian, kresd will be restarted +automatically when the dns-root-data package updates +/usr/share/dns/root.key, so nothing extra needs to be done unless you +diverge from the default here.) -Default: "@KEYFILE_DEFAULT@" (can be empty if your distribution did not provide one) +Default: "@KEYFILE_DEFAULT@" .TP .B \-m\fI path\fR, \fB\-\-moduledir=\fI Override the directory that is searched for modules. Default: @MODULEDIR@