From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Thu, 16 Apr 2020 08:02:15 +0000 (+0200)
Subject: dnsdist: Document that permissions on external files need to be fixed
X-Git-Tag: rec-4.4.0-alpha1~8^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f92998b395086b8223a95ccdbcdf77749b55cd82;p=thirdparty%2Fpdns.git

dnsdist: Document that permissions on external files need to be fixed
---

diff --git a/pdns/dnsdistdist/docs/upgrade_guide.rst b/pdns/dnsdistdist/docs/upgrade_guide.rst
index b5e62f02ab..21cc34f779 100644
--- a/pdns/dnsdistdist/docs/upgrade_guide.rst
+++ b/pdns/dnsdistdist/docs/upgrade_guide.rst
@@ -15,6 +15,9 @@ This could mean that dnsdist can no longer read its own configuration, or other
 
 Packages provided on `the PowerDNS Repository <https://repo.powerdns.com>`__ will ``chown`` directories created by them accordingly in the post-installation steps.
 
+This might not be sufficient if the dnsdist configuration refers to files outside of the /etc/dnsdist directory, like DoT or DoH certificates and private keys.
+Many ACME clients used to get and renew certificates, like CertBot, set permissions assuming that services are started as root. For that particular case, making a copy of the necessary files in the /etc/dnsdist directory is advised, using for example CertBot's ``--deploy-hook`` feature to copy the files with the right permissions after a renewal.
+
 1.3.x to 1.4.0
 --------------