From: Wouter Wijngaards Date: Thu, 31 Jan 2019 09:22:48 +0000 (+0000) Subject: - improve documentation for tls-service-key. X-Git-Tag: release-1.9.1rc1~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b9b226bdea816ef07a4c745c16e0283bd811875a;p=thirdparty%2Funbound.git - improve documentation for tls-service-key. git-svn-id: file:///svn/unbound/trunk@5091 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index ea8bfe8ff..2c445b08b 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,7 @@ 31 January 2019: Wouter - Set ub_ctx_set_tls call signature in ltrace config file for libunbound in contrib/libunbound.so.conf. + - improve documentation for tls-service-key. 30 January 2019: Ralph - Fix case in which query timeout can result in marking delegation diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index cbb7b654b..71bc27f6a 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in 
@@ -458,14 +458,15 @@ Alternate syntax for \fBtls\-upstream\fR. If both are present in the config file the last is used. .TP .B tls\-service\-key: \fI -If enabled, the server provides TLS service on its TCP sockets. The clients -have to use tls\-upstream: yes. The file is the private key for the TLS -session. The public certificate is in the tls\-service\-pem file. Default -is "", turned off. Requires a restart (a reload is not enough) if changed, -because the private key is read while root permissions are held and before -chroot (if any). Normal DNS TCP service is not provided and gives errors, -this service is best run with a different \fBport:\fR config or \fI@port\fR -suffixes in the \fBinterface\fR config. +If enabled, the server provides TLS service on the TCP ports marked +implicitly or explicitly for TLS service with tls\-port. The file must +contain the private key for the TLS session, the public certificate is in +the tls\-service\-pem file and it must also be specified if tls\-service\-key +is specified. The default is "", turned off. Enabling or disabling +this service requires a restart (a reload is not enough), because the +key is read while root permissions are held and before chroot (if any). +The ports enabled implicitly or explicitly via \fBtls\-port:\fR do not provide +normal DNS TCP service. .TP .B ssl\-service\-key: \fI Alternate syntax for \fBtls\-service\-key\fR.
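Review bot: In the doc/Changelog hunk, the added entry starts in lower case ("- improve documentation for tls-service-key.") while the neighbouring entries visible in the context start with a capital ("Set ub_ctx_set_tls call signature ...", "Fix case in which ..."). Capitalise it to match the surrounding entries.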
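Review bot: In the doc/unbound.conf.5.in hunk, the reworded restart sentence ("Enabling or disabling this service requires a restart") is narrower than the removed "Requires a restart (a reload is not enough) if changed". The reason it gives (the key is read while root permissions are held and before chroot) applies just as much when the option is changed to name a different key file, so an operator swapping keys could read the new text as saying a reload is sufficient. Suggest "Enabling, disabling or changing this option requires a restart". Two smaller points in the same paragraph: the removed line telling clients to use tls-upstream: yes has no replacement, and it is worth keeping for readers configuring the client side. Also, "the public certificate is in the tls-service-pem file and it must also be specified" is a comma splice with an ambiguous "it". Splitting it into its own sentence ("The public certificate is in the tls-service-pem file, which must also be specified ...") and setting the first mention of tls-port in bold like the later \fBtls\-port:\fR would make the entry consistent.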