From e41eaa4bda3874485a368a4f741d1f2fd88b3691 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vladimir.cunat@nic.cz>
Date: Tue, 19 Jun 2018 15:00:07 +0200
Subject: [PATCH] doc: warn about NTAs outside zone cuts

We just ran into that in the val_ta_sentinel_insecure.rpl test.
---
 daemon/README.rst | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/daemon/README.rst b/daemon/README.rst
index 1244b69b0..3ed2b8f41 100644
--- a/daemon/README.rst
+++ b/daemon/README.rst
@@ -596,6 +596,9 @@ Trust anchors and DNSSEC
       [1] => bad.boy
       [2] => example.com
 
+   .. warning:: If you set NTA on a name that is not a zone cut,
+      it may not always affect names not separated from the NTA by a zone cut.
+
 .. function:: trust_anchors.add(rr_string)
 
    :param string rr_string: DS/DNSKEY records in presentation format (e.g. ``. 3600 IN DS 19036 8 2 49AAC11...``)
-- 
2.47.2