- Document interaction between the tls-upstream option in the server

  section and forward-tls-upstream option in the forward-zone sections.

git-svn-id: file:///svn/unbound/trunk@5027 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/doc/Changelog b/doc/Changelog
index a640c50f0a83b00c49568d7f482d1ff38353fe5d..602ae39c3f00121a10ffdff84b9eb32484ac14a9 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,8 @@
 7 January 2018: Wouter
        - On FreeBSD warn if systcl settings do not allow server TCP FASTOPEN,
          and server tcp fastopen is enabled at compile time.
+       - Document interaction between the tls-upstream option in the server
+         section and forward-tls-upstream option in the forward-zone sections.
 
 12 December 2018: Wouter
        - Fix for crash in dns64 module if response is null.

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 0acce72ac73caa08dc7c95cb19b9d41754a3a0c8..c18616273addb6aee12d4655c4e78286542733df 100644 (file)
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -440,6 +440,8 @@ TCP wireformat.  The other server must support this (see
 \fBtls\-service\-key\fR).
 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
 load CA certs, otherwise the connections cannot be authenticated.
+This option enables TLS for all of them, but if you do not set this you can
+configure TLS specifically for some forward zones with forward\-tls\-upstream.  And also with stub\-tls\-upstream.
 .TP
 .B ssl\-upstream: \fI<yes or no>
 Alternate syntax for \fBtls\-upstream\fR.  If both are present in the config