From df53badfa2fb4be5b61f40e45a7c6b31d70672bf Mon Sep 17 00:00:00 2001 From: George Thessalonikefs Date: Mon, 7 Jun 2021 16:02:41 +0200 Subject: [PATCH] - Fix #425: Document auth-zone supports communication with DNS primary on nondefault port. --- doc/Changelog | 2 ++ doc/unbound.conf.5.in | 13 ++++++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/doc/Changelog b/doc/Changelog index 2211086a7..ab75add77 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,8 @@ 7 June 2021: George - Merge #448 from shoeper: Update unbound-control.8.in, fix rpz_disable typo. + - Fix #425: Document auth-zone supports communication with DNS + primary on nondefault port. 1 June 2021: George - Fix test for zonemd-check option. diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index b0ed3aa26..f3cca17a9 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -1923,7 +1923,9 @@ Name of the authority zone. .B primary: \fI Where to download a copy of the zone from, with AXFR and IXFR. Multiple primaries can be specified. They are all tried if one fails. -With the "ip#name" notation a AXFR over TLS can be used. +To use a nondefault port for DNS communication append '@' with the port number. +You can append a '#' and a name, then AXFR over TLS can be used and the tls authentication certificates will be checked with that name. If you combine +the '@' and '#', the '@' comes first. If you point it at another Unbound instance, it would not work because that does not support AXFR/IXFR for the zone, but if you used \fBurl:\fR to download the zonefile as a text file from a webserver that would work. 
@@ -2500,6 +2502,15 @@ Name of the authority zone. .B primary: \fI Where to download a copy of the zone from, with AXFR and IXFR. Multiple primaries can be specified. They are all tried if one fails. +To use a nondefault port for DNS communication append '@' with the port number. +You can append a '#' and a name, then AXFR over TLS can be used and the tls authentication certificates will be checked with that name. If you combine +the '@' and '#', the '@' comes first. +If you point it at another Unbound instance, it would not work because +that does not support AXFR/IXFR for the zone, but if you used \fBurl:\fR to download +the zonefile as a text file from a webserver that would work. +If you specify the hostname, you cannot use the domain from the zonefile, +because it may not have that when retrieving that data, instead use a plain +IP address to avoid a circular dependency on retrieving that IP address. .TP .B master: \fI Alternate syntax for \fBprimary\fR. -- 2.39.5
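Review bot: In the first doc/unbound.conf.5.in hunk (@@ -1923,7 +1923,9), the new text does not say which port is used when only '#' and a name are given without '@', and it gives no example of the combined form, so the ordering rule "the '@' comes first" has to be inferred. Suggest stating the port used in the '#'-only case and adding one sample value, for instance 192.0.2.1@5353#primary.example.com (constructed address, port and name). Two smaller points on the same added lines: "tls authentication certificates" is lowercase while "AXFR over TLS" earlier in the sentence is not, and the sentence "You can append a '#' and a name, then AXFR over TLS can be used ..." runs into "If you combine" on one long source line where the surrounding lines are wrapped short.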
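Review bot: In the second doc/unbound.conf.5.in hunk (@@ -2500,6 +2502,15), the last added sentence, "If you specify the hostname, you cannot use the domain from the zonefile, because it may not have that when retrieving that data", is hard to parse: "it" and "that" have no clear referent. Since the closing clause gives the reason as "a circular dependency on retrieving that IP address", consider wording along the lines of: if a hostname is given, it must not be a name that lives in the zone being fetched, because that zone's data is not available until the transfer has completed; use a plain IP address instead. This hunk also repeats the '@' and '#' sentences from the previous hunk verbatim, including the lowercase "tls" and the overlong line, so any fix there should be applied here as well. Finally, the subject line and the Changelog entry mention only auth-zone, while this hunk edits a second "primary:" entry far below the first; if that entry belongs to a different clause, the Changelog line should name it too.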