diff options
Diffstat (limited to '')
-rw-r--r-- | distro/deb/patches/0001-Update-documentation-of-keyfile-ro.patch | 41 | ||||
-rw-r--r-- | distro/deb/patches/series | 1 |
2 files changed, 42 insertions, 0 deletions
diff --git a/distro/deb/patches/0001-Update-documentation-of-keyfile-ro.patch b/distro/deb/patches/0001-Update-documentation-of-keyfile-ro.patch new file mode 100644 index 0000000..53e6bb3 --- /dev/null +++ b/distro/deb/patches/0001-Update-documentation-of-keyfile-ro.patch @@ -0,0 +1,41 @@ +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Sat, 17 Feb 2018 15:52:20 -0500 +Subject: Update documentation of --keyfile-ro + +On Debian systems, we depend on the OS package management to update +the dns root data. Make the documentation for running with this +option less scary-sounding, as it is the default. +--- + doc/kresd.8.in | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/doc/kresd.8.in b/doc/kresd.8.in +index 266e9f0..6c5195b 100644 +--- a/doc/kresd.8.in ++++ b/doc/kresd.8.in +@@ -123,7 +123,7 @@ file at the default location (\fIconfig\fR). The syntax is + described in \fIdaemon/README.md\fR. + .TP + .B \-k\fI keyfile\fR, \fB\-\-keyfile=\fI<keyfile> +-(Recommended!) Automatically managed root trust anchors file. ++Automatically managed root trust anchors file. + Root trust anchors in this file are managed using standard RFC 5011 (Automated Updates of DNS Security Trust Anchors). + Kresd needs write access to the directory containing the keyfile. + +@@ -134,9 +134,14 @@ The file contains DNSKEY/DS records in presentation format, + and is compatible with Unbound and BIND 9 root key files. + .TP + .B \-K\fI keyfile\fR, \fB\-\-keyfile\-ro=\fI<keyfile> +-(Discouraged) Static root trust anchors file. The file is not updated by kresd. Use of this option is discouraged because it will break your installation when the trust anchor key changes! ++Static root trust anchors file. The file is not updated by ++kresd. Please ensure that any running kresd instances are restarted if ++the trust anchors change. (On Debian, kresd will be restarted ++automatically when the dns-root-data package updates ++/usr/share/dns/root.key, so nothing extra needs to be done unless you ++diverge from the default here.) + +-Default: "@KEYFILE_DEFAULT@" (can be empty if your distribution did not provide one) ++Default: "@KEYFILE_DEFAULT@" + .TP + .B \-m\fI path\fR, \fB\-\-moduledir=\fI<path> + Override the directory that is searched for modules. Default: @MODULEDIR@ diff --git a/distro/deb/patches/series b/distro/deb/patches/series new file mode 100644 index 0000000..5f6f9b5 --- /dev/null +++ b/distro/deb/patches/series @@ -0,0 +1 @@ +0001-Update-documentation-of-keyfile-ro.patch |