dnsdist: Document that permissions on external files need to be fixed

author Remi Gacogne <remi.gacogne@powerdns.com>

Thu, 16 Apr 2020 08:02:15 +0000 (10:02 +0200)

committer Remi Gacogne <remi.gacogne@powerdns.com>

Thu, 16 Apr 2020 08:02:15 +0000 (10:02 +0200)
author Remi Gacogne <remi.gacogne@powerdns.com>
Thu, 16 Apr 2020 08:02:15 +0000 (10:02 +0200)
committer Remi Gacogne <remi.gacogne@powerdns.com>
Thu, 16 Apr 2020 08:02:15 +0000 (10:02 +0200)
diff --git a/pdns/dnsdistdist/docs/upgrade_guide.rst b/pdns/dnsdistdist/docs/upgrade_guide.rst

index b5e62f02ab91e2c33cae001f9d4ce5fad977f0ea..21cc34f779fedde27e82d166be4ef78c378ca621 100644 (file)
--- a/pdns/dnsdistdist/docs/upgrade_guide.rst
+++ b/pdns/dnsdistdist/docs/upgrade_guide.rst
@@ -15,6 +15,9 @@ This could mean that dnsdist can no longer read its own configuration, or other
  
  Packages provided on `the PowerDNS Repository <https://repo.powerdns.com>`__ will ``chown`` directories created by them accordingly in the post-installation steps.
  
+This might not be sufficient if the dnsdist configuration refers to files outside of the /etc/dnsdist directory, like DoT or DoH certificates and private keys.
+Many ACME clients used to get and renew certificates, like CertBot, set permissions assuming that services are started as root. For that particular case, making a copy of the necessary files in the /etc/dnsdist directory is advised, using for example CertBot's ``--deploy-hook`` feature to copy the files with the right permissions after a renewal.
+
  1.3.x to 1.4.0
  --------------
author	Remi Gacogne <remi.gacogne@powerdns.com>
	Thu, 16 Apr 2020 08:02:15 +0000 (10:02 +0200)
committer	Remi Gacogne <remi.gacogne@powerdns.com>
	Thu, 16 Apr 2020 08:02:15 +0000 (10:02 +0200)