- RFC 7958 is now out, updated docs for unbound-anchor.

git-svn-id: file:///svn/unbound/trunk@3839 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/doc/Changelog b/doc/Changelog
index ae122903bc2204ea781066540cfde9ea36cfe9e7..33587cda51d4cf21aed7f60187f943f39793d9d9 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,4 +1,7 @@
-29 August 2016: Ralph
+1 September 2016: Wouter
+       - RFC 7958 is now out, updated docs for unbound-anchor.
+
+29 August 2016: Wouter
        - Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A.
          Siewior.
        - Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.

diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
index 3d743a734c3cb3157117f39a419ae9570bd7ed03..5f17b614cb2495fb2009722add2f1b027190263b 100644 (file)
--- a/doc/unbound-anchor.8.in
+++ b/doc/unbound-anchor.8.in
@@ -16,6 +16,8 @@
 .SH "DESCRIPTION"
 .B Unbound\-anchor
 performs setup or update of the root trust anchor for DNSSEC validation.
+The program fetches the trust anchor with the method from RFC7958 when
+regular RFC5011 update fails to bring it up to date.
 It can be run (as root) from the commandline, or run as part of startup
 scripts.  Before you start the \fIunbound\fR(8) DNS server.
 .P
@@ -39,8 +41,8 @@ update certificate files.
 .P
 It tests if the root anchor file works, and if not, and an update is possible,
 attempts to update the root anchor using the root update certificate.
-It performs a https fetch of root-anchors.xml and checks the results, if
-all checks are successful, it updates the root anchor file.  Otherwise
+It performs a https fetch of root-anchors.xml and checks the results (RFC7958), 
+if all checks are successful, it updates the root anchor file.  Otherwise
 the root anchor file is unchanged.  It performs RFC5011 tracking if the
 DNSSEC information available via the DNS makes that possible.
 .P

diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
index b3bba6c249b7e8e302bfb819ba43c3181e1bfc7d..756fcf7f089f7d8c55c196aba90c719bbdce494e 100644 (file)
--- a/smallapp/unbound-anchor.c
+++ b/smallapp/unbound-anchor.c
@@ -37,7 +37,8 @@
  * \file
  *
  * This file checks to see that the current 5011 keys work to prime the
- * current root anchor.  If not a certificate is used to update the anchor.
+ * current root anchor.  If not a certificate is used to update the anchor,
+ * with RFC7958 https xml fetch.
  *
  * This is a concept solution for distribution of the DNSSEC root
  * trust anchor.  It is a small tool, called "unbound-anchor", that
@@ -47,7 +48,7 @@
  * Management-Abstract:
  *    * first run: fill root.key file with hardcoded DS record.
  *    * mostly: use RFC5011 tracking, quick . DNSKEY UDP query.
- *    * failover: use builtin certificate, do https and update.
+ *    * failover: use RFC7958 builtin certificate, do https and update.
  * Special considerations:
  *    * 30-days RFC5011 timer saves a lot of https traffic.
  *    * DNSKEY probe must be NOERROR, saves a lot of https traffic.
@@ -77,7 +78,7 @@
  * the file contains a list of normal DNSKEY/DS records, and uses that to
  * bootstrap 5011 (the KSK is made VALID).
  *
- * The certificate update is done by fetching root-anchors.xml and
+ * The certificate RFC7958 update is done by fetching root-anchors.xml and
  * root-anchors.p7s via SSL.  The HTTPS certificate can be logged but is
  * not validated (https for channel security; the security comes from the
  * certificate).  The 'data.iana.org' domain name A and AAAA are resolved