Before upgrading, it is advised to read the :doc:`changelog/index`.
When upgrading several versions, please read **all** notes applying to the upgrade.
+
5.4.0 to master
---------------
Changed Settings
^^^^^^^^^^^^^^^^
-The :ref:`incoming-ws-config` YAML struct has been extended to be able to specify an encrypted PKCS12 file to configure TLS key and certificate chain.
+The :ref:`incoming-ws-config` YAML struct has been extended to be able to specify an encrypted PKCS12 file to configure TLS key and certificate chain for the embedded web server.
+The :ref:`outgoing-tls-configuration` YAML struct has been extended to be able to specify an TLS client certificate to be used for outgoing DoT connections.
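Review bot: the last added line has an article slip, "an TLS client certificate" should read "a TLS client certificate". Since this is the upgrade-notes entry that users read to decide whether a change affects them, the same sentence should also say that the new client-certificate fields are only honoured by the OpenSSL provider, as the settings-documentation part of this patch states, so that GnuTLS users are not left wondering why the setting has no effect.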
5.1.10, 5.2.8 and 5.3.5
-----------------------
At the moment it is not possible to list additional properties of the TLS listener.
+.. _outgoing-tls-configuration:
+
OutgoingTLSConfiguration
^^^^^^^^^^^^^^^^^^^^^^^^
subject_address: The subject IP address passed in the SNI value of the TLS handshake, and against which to validate the certificate presented by the backend. Default is to use the remote IP address if no nameserver name is available.
ciphers: The TLS ciphers to use. The exact format depends on the provider used. When the OpenSSL provider is used, ciphers for TLS 1.3 must be specified via ciphers_tls_13.
ciphers_tls_13: The ciphers to use for TLS 1.3, when the OpenSSL provider is used. When the GnuTLS provider is used, ciphers applies regardless of the TLS protocol and this setting is not used.
+ # Version 5.5.0 adds the fields below and apply to the OpenSSL provider only
+ client_certificate: The pathname of a file containing a TLS client certificate (PEM or PKCS12 format).
+ client_certificate_key: The pathname of a file containing the key corresponding to the client certificate (PEM format).
+ client_certificate_password: The password to unlock the PKCS12 file.
+
+If both the ``client_certificate`` and the ``client_certificate_key`` fields are set, the values specify unencrypted PEM files.
+The ``client_certificate_password`` field is ignored in that case.
+
+If the ``client_certificate_key`` field is not set but the ``client_certificate`` and ``client_certificate_password`` fields are set, the listed file is assumed to be an encrypted PKCS12 (also known as pfx) file containing both a key and the certificate chain.
A :ref:`setting-yaml-outgoing.tls_configurations` section contains a sequence of `OutgoingTLSConfiguration`_, for example:
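Review bot: the added line "# Version 5.5.0 adds the fields below and apply to the OpenSSL provider only" has a grammar error ("and apply" should be "which apply" or "and they apply"), and a `#` comment line is out of place in a definition-style field list that otherwise uses plain sentences; suggest a prose line such as "The following fields were added in version 5.5.0 and are only used by the OpenSSL provider." The two explanatory paragraphs cover the case where both `client_certificate` and `client_certificate_key` are set (unencrypted PEM) and the case where `client_certificate` and `client_certificate_password` are set without a key (encrypted PKCS12), but leave the case where only `client_certificate` is set undocumented; please state whether that is rejected at configuration load time or treated as a PEM or PKCS12 file. Since `client_certificate_password` is stored in clear text in the YAML configuration, a sentence reminding operators to keep the configuration file and the certificate key files readable only by the recursor's user would also be worth adding next to these fields.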