Better ZONEMD documentation for ldns-verify-zone

diff --git a/examples/ldns-verify-zone.1.in b/examples/ldns-verify-zone.1.in
index beef1fc1c8a435a80c60b5c7ba5a9bd87f20fb77..244da8a07cb99094fc405c0bb19a4fb14a04d67d 100644 (file)
--- a/examples/ldns-verify-zone.1.in
+++ b/examples/ldns-verify-zone.1.in
@@ -13,6 +13,8 @@ RRSIG resource records are checked against the DNSKEY set at the zone apex.
 
 Each name is checked for an NSEC(3), if appropriate.
 
+If ZONEMD resource records are present, one of them needs to match the zone content.
+
 .SH OPTIONS
 .TP
 \fB-h\fR

diff --git a/examples/ldns-verify-zone.c b/examples/ldns-verify-zone.c
index 80a1be1461b36849a699688b24a170688371772b..c0287cf002123afbd15d14601f55b4a36aec4e3e 100644 (file)
--- a/examples/ldns-verify-zone.c
+++ b/examples/ldns-verify-zone.c
@@ -709,6 +709,8 @@ static void print_usage(FILE *out, const char *progname)
               "and verifies all signatures\n");
        fprintf(out, "It also checks the NSEC(3) chain, but it "
               "will error on opted-out delegations\n");
+       fprintf(out, "It also checks whether ZONEMDs are present, and if so, "
+              "needs one of them to match the zone's data.\n");
        fprintf(out, "\nOPTIONS:\n");
        fprintf(out, "\t-h\t\tshow this text\n");
        fprintf(out, "\t-a\t\tapex only, check only the zone apex\n");